chrome.identity.launchWebAuthFlow logout/switch user - google-chrome-extension

I make users log in to my Chrome extension through my own OAuth2 API, which uses Google sign-in, via chrome.identity.launchWebAuthFlow with interactive set to true. It works fine: the user is prompted to sign in with a Google account, I get the redirect URL in my extension's background script, parse the access token from it, and everything is fine until I need to log this user out and make it possible to sign in with another account.
When I try running chrome.identity.launchWebAuthFlow with interactive set to true again, nothing pops up, but the redirect URL is returned in the background and the access token is picked up for the previously logged-in user, so I'm unable to make my users switch accounts.
Is there any solution for this?

I haven't used chrome.identity.launchWebAuthFlow, but I think your question is similar to "How do I log out of a chrome.identity OAuth provider".
Among the answers:
Use launchWebAuthFlow with the logout URL https://accounts.google.com/logout
Revoke the token with https://accounts.google.com/o/oauth2/revoke?token=TOKEN
Add &prompt=select_account to the URL
As I said, I haven't used launchWebAuthFlow yet, but I wanted to help by showing you an already answered question.
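The three suggestions above combined into one background-script flow, as an added example that is not code from the question or the answer. It assumes the extension talks to Google's OAuth2 endpoints directly (the question's own API is not shown); `launch` and `fetchFn` are injected wrappers so the logic can be exercised outside a browser, and `chromeLaunch` is the real wrapper you would pass in.

```javascript
// Added example, not code from the original question or answers. Assumes
// Google's endpoints; `launch` wraps chrome.identity.launchWebAuthFlow and
// `fetchFn` wraps fetch, both injected so the logic runs outside a browser.
const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
const LOGOUT_URL = "https://accounts.google.com/logout";
const REVOKE_URL = "https://accounts.google.com/o/oauth2/revoke"; // as cited in the answer

// prompt=select_account forces the account chooser even when a Google session
// cookie already exists, which is what made the second interactive flow skip
// the popup and hand back the previous user's token.
function buildAuthUrl({ clientId, redirectUri, scopes, state }) {
  const u = new URL(AUTH_URL);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("response_type", "token");
  u.searchParams.set("scope", scopes.join(" "));
  u.searchParams.set("prompt", "select_account");
  u.searchParams.set("state", state); // anti-CSRF value, verified on return
  return u.toString();
}

// The implicit flow returns the token in the URL fragment, not the query.
// Reject the redirect if the echoed state does not match what was sent.
function parseRedirect(redirectUrl, expectedState) {
  const params = new URLSearchParams(new URL(redirectUrl).hash.slice(1));
  if (params.get("state") !== expectedState) throw new Error("state mismatch");
  const token = params.get("access_token");
  if (!token) throw new Error("no access_token in redirect");
  return token;
}

// Logout: revoke the token server-side, then load the Google logout URL in a
// non-interactive flow so the session used by the auth window is cleared.
// That load never redirects to our redirect_uri, so launchWebAuthFlow reports
// an error; that is expected and ignored. Caller drops the stored token.
async function logout(token, { launch, fetchFn }) {
  const res = await fetchFn(`${REVOKE_URL}?token=${encodeURIComponent(token)}`,
    { method: "POST" });
  await launch({ url: LOGOUT_URL, interactive: false }).catch(() => {});
  return res.ok;
}

// Promise wrapper around the real API, for use in the background script.
function chromeLaunch(details) {
  return new Promise((resolve, reject) =>
    chrome.identity.launchWebAuthFlow(details, (url) => chrome.runtime.lastError
      ? reject(new Error(chrome.runtime.lastError.message)) : resolve(url)));
}
```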

Related

React app using msal-react, how to automatically authenticate user

I'm working on a React app where the pages can be used both by authenticated and anonymous users. The pages show more features for the authenticated users.
If a user has previously signed in and revisits the website, I want the user to be automatically authenticated, and am struggling to achieve this.
I'm using redirect methods because I don't believe popup is working well on phones (is that assumption correct?).
I have tried storing the homeAccountId in local storage and using that to get the account used and then calling login in the msal instance. I also set up an addEventCallback and listen for EventType.LOGIN_SUCCESS, which I use to set some internal state about the logged-in user.
I have tried using MsalAuthenticationTemplate, but strangely this doesn't invoke a login. I have also tried to detect if this is a "first run" and then invoking the login, but that doesn't work all the time. Sometimes I get an SSO error indicating I should provide a login_hint or sid, which is not possible because I use B2C.
If I don't do anything, the user can click the login button, and if the user has a valid cookie with B2C the user is logged in without providing credentials, which is strange behavior for the user because my website indicates the user is not authenticated (and shows no logout button).
So I can't really get this to work and am wondering if somebody has a concept for achieving this?
Please check out the msal-react samples, which all demonstrate the behavior you're looking for. The MsalAuthenticationTemplate would be the recommended way to do this, and if you're still having issues getting this to work after reviewing the samples I would recommend opening an issue on our repo with code snippets so we can take a closer look at what's going on.
Also, using localStorage, if you're not already, would help to maintain application state between browser sessions. sessionStorage is the default.
As for B2C not asking for credentials: server state is separate from client state. You can be signed in on the server without the application knowing about it. Until your application makes a request to the B2C server, your application will show that a user is not signed in. If a session already exists on the server when you make a login request, the server may redirect you back to your application without asking for credentials again.

How to log in to a Basecamp account without a browser?

I'm using Python and trying to log in to Basecamp to consume their API, but I'm having some trouble with OAuth2 authentication...
How do I log in without interacting with a browser? I'm making a POST request but it returns a 422 message...
I checked the headers and they seem OK. I'm confused and don't know where the mistake is.
OAuth2 requires that the user authorizes the integration to access her/his account. This is done through a web page in which basecamp.com will display some HTML including a button. For this to work, the user must be logged in using the web form at https://launchpad.37signals.com/signin.
I've implemented that in JavaScript: https://gitlab.petton.fr/basecampel/libbasecampel/blob/v0.2.0/proxy/src/oauth.js. The function at line 20 opens the system's default web browser, in which the user is supposed to log in if he/she is not logged in already.

Authorize Instagram App via terminal while generating access token

Requesting an access token for an Instagram app requires the user to hit some URL, then log in, then click the Authorize button. Is there any way to get this done without anyone intervening?
No, it's not possible without redirecting to the Instagram login page.
Here is the documentation for authentication:
https://www.instagram.com/developer/authentication/

Authentication strategy between my Chrome extension and server

I'm in the process of building a Google Chrome extension, and have some questions about how to implement security into the application.
I need to access a couple of Google APIs, so I am going to be using OAuth 2.0 for that. So basically from the extension I know which user is logged into the browser.
My extension then needs to get and post data to my (Node.js) API service. I want to ensure that the user requesting data is the same user that is logged into the browser. Is there any way of using the previous Google authentication process to also authenticate communications between the extension and my API? I don't really want the user to have to log in again to access my API.
I'm sure I'm missing something simple, and I've not been able to find anything that fits this scenario.
Follow the OpenID Connect auth flow and you will get an access_token and an id_token. The access_token you will use to make authenticated requests to Google APIs as usual. The id_token will be used as authentication with requests to your server.
When the requests hit your server you will need to validate the token, and you can then use the contents of the id_token to identify the user.
The user wouldn't have to log in during the auth process if the user is already logged in and you are using a web application flow (not the chrome.identity APIs), but the user would see the consent screen at least the first time. However, you can skip the account selector screen if you already know the email address by providing the &login_hint= parameter.

Logging on as another user - Instagram OAuth

I am building a web application which makes use of the Instagram API. I use Instagram OAuth as a sign in to the application.
Currently my logout feature only invalidates the session, which works well for a logout. However, I run into another issue which is more closely related to browsers. Only one user, from one browser, can log in to the application. Meaning, I sign in to the app using Instagram OAuth, and each consecutive sign-in will be authorized only to that user.
Is it possible to implement an Instagram OAuth login as another user? Setting up a kind of "remember me" feature? I do not see anything in the Instagram API to achieve this, so maybe I can do so with JavaScript? Or did I not sift through the Instagram API well enough?
So far the only solution I see is to implement a username and password for my web application, and only then having Instagram OAuth grant access. However, this defeats one of my development goals, which is a one-click sign-on (after the initial OAuth). I could put some more work into that one-click sign-in, but that leads to an initial stage of 2 logins (still not the worst).
Opening https://instagram.com/accounts/logout/ will log out of Instagram.
You can have a logout button and open the above URL in a hidden iframe; that will log out of Instagram.
Not sure if Instagram supports this, but OIDC defines a special parameter "prompt=login", which forces the login to be displayed even for authenticated users, or "prompt=select_account", which forces an account-selection dialog to be presented.
See Section 3.1.2.1 of http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest