We have custom policies with KMSi support. We have a requirement to store username/password to on client's browser so that once KMSI is expired, user dont have enter username/pass.
Is there a way to support this?
Thanks
Only the user can choose to do that if their browser supports it.
Related
Scenario:
I am working on a corporate site, on which you may log in, but it is not a forced requirement.
We have enabled the KeepMeSignedIn / Remember me functionality on the aadb2c login page, but i cannot seem to figure out how to notify my website, if a user has selected to KMSI.
My Question:
How can I signal back to my website, if the user has chosen to use the KMSI / Remember Me functionality on AADB2C.
I can't seem to find any information solving this challenge and I would very much appreciate your help and input.
Kr Ole
You can use the KMSI Claim Resolver to detect if the user selected KMSI check box and issue the claim into the token.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview#context
I am using Microsoft Azure authentication for user Login ,
After login of user there is change password section in my application where user provide his current password and new password so my query is
Is there is any Api(Graph) to GET Current Password for that user OR Any API(Graph) through which we authenticate current Password which provided by user
Is there any other scenario which help me to authenticate current password which was given by user while changing password
Or any other way to get current password for that user
thanks
There is no way to get the current password for users.
It would be a massive security vulnerability and imply they store them insecurely.
There is a way to authenticate a user like that, but it won't work if the user has e.g. MFA.
I would suggest a different approach.
Check how old the authentication is (id token has the time it was issued).
If it is older than, say, 15 minutes, require the user to authenticate with AAD (prompt=login).
You can also require MFA for the login if you know all your users use it.
Then they should be able to give a new password, which you can then set with Graph API.
So instead of making a call to check the current password, require a fresh ID token and rely on AAD to check the user credentials.
Also, the users should be able to change it themselves already as written in docs: https://learn.microsoft.com/en-us/azure/active-directory/user-help/active-directory-passwords-update-your-own-password
I would like to customize the password policy for my B2C Custom Login Flow. I can see how to change things like password length etc (see Password Polices)
But I also want to prevent the user from using any of the last 8 passwords. How would I do this?
This capability is currently not supported in Azure AD B2C.
Here is the feedback, please go and upvote this.
The best you can do with built in functions is: https://github.com/azure-ad-b2c/samples/tree/master/policies/password-reset-not-last-password
For more than last password history, the only workaround is to store the hashes yourself and use a REST API to examine the hash against the new password being provided. Something that we dont recommend doing, and rather using better techniques such as MFA.
I have written a script for refreshing access token in nodejs. But I am facing an issue, If I change my google password then also I can generate new access token using refresh token. Is there any way I can get some kind of flag saying this user has changed the password. In NODEJS.
I just need flow, no need of code. I can code myself.
Thanks,
Ajinkya
No.
The whole point of Open authentication is that you the user are granting an application access to your data. This is independent of your login and password.
The only way for an application to loose access is if the user revokes said access. Changing the password will not effect access.
No, there is no way of asking Google when the user last changed their password.
How to revoke a refresh token:
https://accounts.google.com/o/oauth2/revoke?token={token}
Apps Connected to your account
A bit of background may help. I'm looking to authenticate a user using SAML, but I want to maintain the look-and-feel of the login experience to the best of my ability. I've looked into OpenSAML a bit, but not extensively since I'm not sure this can be done yet. So, if I have a login service that can retrieve the username/password from the user, can I programmatically issue a SAML request to an IdP to authenticate said user without having to go through the entire XHTML form processing steps?
Your question is more about how to Authenticate the user and less about SAML. SAML doesn't really dictate how a user gets authenticated at the IDP and it definitely doesn't handle your use case. As a 3rd Party SAM SP, it is not recommended you ever prompt a user for their credentials for security reasons since Enterprises only want users entering credentials into "Corporate branded" login pages to reduce phishing and other password based vulnerabilities. Besides, how can your customer trust that you are not storing users passwords if they are entering them on your site? Let the IDP handle the user login, it is just one of the many benefits of using SAML. HTH- Ian