I am using Microsoft Azure authentication for user Login ,
After login of user there is change password section in my application where user provide his current password and new password so my query is
Is there is any Api(Graph) to GET Current Password for that user OR Any API(Graph) through which we authenticate current Password which provided by user
Is there any other scenario which help me to authenticate current password which was given by user while changing password
Or any other way to get current password for that user
thanks
There is no way to get the current password for users.
It would be a massive security vulnerability and imply they store them insecurely.
There is a way to authenticate a user like that, but it won't work if the user has e.g. MFA.
I would suggest a different approach.
Check how old the authentication is (id token has the time it was issued).
If it is older than, say, 15 minutes, require the user to authenticate with AAD (prompt=login).
You can also require MFA for the login if you know all your users use it.
Then they should be able to give a new password, which you can then set with Graph API.
So instead of making a call to check the current password, require a fresh ID token and rely on AAD to check the user credentials.
Also, the users should be able to change it themselves already as written in docs: https://learn.microsoft.com/en-us/azure/active-directory/user-help/active-directory-passwords-update-your-own-password
Related
In Cognito, is there any way where I can allow a user (Account status: External provider) to create a password for their account and do login using username and password.
I am using a Hosted UI.
Consider a case where a user logged in using the Google sign-in method and the user pool has a user entry. I have given the user a preferred username and email options to sign in. but since it does not have a password yet, the user should be able to reset their password using forgot password method.
But I get the error "User password cannot be reset in the current state."
Can you please suggest if there is any method or workaround for this.
Thanks.
You cannot create a password for an EXTERNAL_PROVIDER user.
The password is handled directly by your provider and Cognito Hosted UI only retrieve the user fields you previously mapped in the configuration.
If you try to change the password of your user connected by Google, you will get the following error :
User is not authorized to change password.
Because the password can only be changed with the provider.
From our native code, when attempting to change a user's password in a password reset flow, the password's complexity is not applied when we use an Admin account to change that password.
We are using the procedure as explained here: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations#ResetUserPassword
In other words, when we attempt to change a password of a user using the user's identity token, the conditions for a password are applied.
But if we attempt to change that password by an Admin instead of the user's JWT, in a password reset situation, the minimum password requirements are not applied.
I suspect that maybe this has something to do with User Flows, but I am not certain.
Any ideas ?
Using admin to reset the user password with the AAD graph API, when the new password not complied with the complexity policy, it prompts an error.
Using admin to reset the user password with the Microsoft graph API, when the new password not complied with the complexity policy, it also prompts an error.
I have written a script for refreshing access token in nodejs. But I am facing an issue, If I change my google password then also I can generate new access token using refresh token. Is there any way I can get some kind of flag saying this user has changed the password. In NODEJS.
I just need flow, no need of code. I can code myself.
Thanks,
Ajinkya
No.
The whole point of Open authentication is that you the user are granting an application access to your data. This is independent of your login and password.
The only way for an application to loose access is if the user revokes said access. Changing the password will not effect access.
No, there is no way of asking Google when the user last changed their password.
How to revoke a refresh token:
https://accounts.google.com/o/oauth2/revoke?token={token}
Apps Connected to your account
I have a chrome extension which allows users to exclusively login with google and no other provider.
In my (node + couchdb) backend I need to construct a user account from the auth Response provided by google's oauth2 api. I was thinking about using a hash of the id_token as a password after verifying the token using the tokeninfo api
I realize that the id_token changes from time to time. In that case I was hoping to update the user's password automatically.
Here is the flow I had in mind:
1) User signs in on the front-end and gets an id_token from google
2) Id token is sent to the server and verified using the tokeninfo api
3) If verified, a user account is created with a password being the hash of the id_token.
Do you see any security holes with this flow? If so, what are the alternatives?
It is probably annoying to change user passwords all the time, and this ties your authentication too much to google. What if you want to implement password logins in the future, etc.
I would recommend to use something like proxy authentication instead.
http://docs.couchdb.org/en/latest/api/server/authn.html#api-auth-proxy
make sure to set
[couch_httpd_auth]
proxy_use_secret = true
in the config.
On a side note: if you sync the couchdb password with external secrets like in the question, you should sign the password with a hashed secret that you control completely.
I have a JSF application I have configured with a JPASecurityRealm I use to log users in. This works fine with native user accounts. I now added a login with facebook functionality. When users login with facebook for the first time, I create them a new native user account for our website with the data returned by facebook. Which works fine, but I have problems authenticating the user on our server now. Usually I use request.login(userID,userPassword); but because users don't have a password with their native account now, I don't know how to authenticate them? Is there something like request.login(userID), which logs the user in without needing a password?
but because users don't have a password with their native account now,
I don't know how to authenticate them? Is there something like
request.login(userID), which logs the user in without needing a
password?
You could generate a random password, persist it and notify them. Then just also give them the possibility to change it later .