Say you have a website www.site.come and you click 'Log in with Google', the google log in page shows up, you sign in and then directed back to www.site.com but now logged in as the proper user.
What protocol would you use if you started at Google? So for instance you start at google.com, log directly into google and as a logged in user, there exists a button which goes to www.site.com which when you click it will bring you to the www.site.com but signed in based on some information that is passed when the button is clicked. Would this be equivalent to SAML? Or more to OpenId?
It's OAuth 2.0. You can test it with https://developers.google.com/oauthplayground/
Related
Can anyone help me in resolving the error like why i am getting 400 BadRequest when i click on SignUp button which uses a SignInSignUp userflow.
Steps to produce this issue:
Open two same login pages in two different tabs.
After that enter credentials on first tab and clicked on signin button which uses the same
SignInSignUp userflow.
At the same time i clicked on SignUp button on second tab which leads to 400 BadRequest.
UserFlow Example
Screenshot Attached Below:
if you are using the same browser twice, once you sign in to the site, I'm pretty sure you get an auth token, with the associated cookie. your browser is now "logged in" so if you open a second same browser window or tab, and click sign up, it probably sees that you already have a logged in session cookie for that url and sends that and the server side is confused. I'm not quite sure why you would want to do that though.
if you need to I would probably open an incognito window when starting the browser for the second "load" of the site to ensure you're not sending the same cookie to the signup page.
In azure b2c, I have a standard "Sign up v2" user flow with multiple providers including local accounts.
When I navigate to the signup page and click on "email address" (meaning signup with a new local account) it redirects me to the correct local signup page but the standard fields (email, password, etc) do not get added to the page. There are no errors in the javascript console or network access failures.
The setup in question has a custom "idp selection page", a custom "local account signup page" and javascript layout turned on in the user flow. Neither custom page has any javascript so nothing gets altered on the page (although I do need to add some). It works as expected when I turn javascript off, use a standard idp selection page or use a standard local account signup page.
The most interesting observation I have is in the fail case the url used when "email" is clicked is in the form:
https://<custom page domain name>/tenant name>.onmicrosoft.com/B2C_1_signup/api/ClaimsProviderSelection/selected?accountId=SignUpWithLogonEmailExchange
In the cases that succeed the url is in the form:
https://<tenant name>.b2clogin.com/<tenant name>.onmicrosoft.com/B2C_1_signup/api/ClaimsProviderSelection/selected?accountId=SignUpWithLogonEmailExchange
The navigation that occurs when the user clicks on the "email" button seems outside of the control of the configuration options, it seems to be completely internal.
To be clear, in the case where I have a custom idp selection page and standard local signup page and the case where I have a standard idp selection age and custom local signup page the url is in the form
https://<tenant name>.b2clogin.com/<tenant name>.onmicrosoft.com/B2C_1_signup/api/ClaimsProviderSelection/selected?accountId=SignUpWithLogonEmailExchange
Its only when both are custom and javascript is on that it uses the custom page domain.
Any idea where I can look to fix or get more details on this?
I am using oidc-token-manager with OAuth and identity server to setup authorization/authentication on my site. All the functionality is working fine . I am just wondering what the id parameter is that is being sent to identity server
https://foobar.net/identity/ui/login?id=216257a45dbd3041eee88fa8aa5d3b0cidc
and more specifically can i use that, in some form, to add a button on identity server to send the user back to the page that they came from. To be clear the post login redirect is working fine . once the user logs in with his/her credentials it automatically sends them back to the website. However there are 2 senarios that i want to take into account to extend the redirection.
case 1 : If the user clicks login from the website and then is like "nah dont really want to log in anymore have to afk and deal with some stuff just get me out of here will come back to it later"
case 2 : The user is not registered yet and clicks the login button from the website instead of the register button . On the login in page there is a "dont have an account? create one now" button. But in its current form it redirects to the registration with no way to set the same flow as the login where there is an automatic redirect back to the website, which will actually be a specific page that tells the user that he has registered and has a time period to check his email to authenticate himself to the site.
This is using an angular app with the set configuration for the OidcTokenManager as
var config ={
authorization_url:'https://foobar.net/identity/connect/authorize',
client_id:'foobar_id',
redirect_uri:'http://localhost:5060/callback.html', // for testing
response_type:'token token_id',
scope:'fooscopes',
authority:'https://foobar.net/identity',
popup_redirect_uri:'http://localhost:5060/login-dialog.html',
silent_renew: true
};
Any help would be awesome . thanks
The id parameter that is passed to the login page is part of how IdentityServer manages the state for pending authorization requests. It's the id of the cookie that holds the SignInMessage that IdentityServer uses internally.
For case 2 if you click one of the additional links the id is passed along. It is then the responsibility of the custom page to get the user back to the login page with that id. I believe we have samples showing this.
I'm using Passport and Facebook Strategy for authentication. It works fine from within my website. Clicking the login button makes a get request to auth/facebook/ and I succesfully log in the user.
I have the same url in the app details:
However the App Center Visit Website button adds this to the query:
{ fb_source: 'appcenter',
fb_appcenter: '1',
code:xxxxx...., // this is what i want
}
And upon clicking i get this error:
"Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request"
What i don't get is that this works AT THE SAME time on my website. How do I handle this extra parameters and log in the user upon clicking on the visit website button?
I also posted another question. I've been dealing with this for a while now and can't get my head around it...
note:
As far as I know, it is required for app approval that the Visit Button authenticates the user upon clicking and doesn't prompt them with another login message.
I have a webapp that saves the credentials (user & pass) for a website B. Is it possible to click on a link in A and have that sign me into site B in a new browser window?
For example: say A has my pinterest user & pass. If I click on a link in A that says "sign into pinterest" can that open a new windows and let me start browsing pinterest as if I signed in?
This is possible if the site in question gives you some sort of interface (like OAuth) to do that. You cannot just submit data for the user in the other website's regular login form. (assuming they have some CSRF protection, which they should.)