We're building a mobile application that uses Facebook login and attempts to show users their friends that are also using the application.
We generate an access token as part of the login process and pass this up to our server hosted in Azure.
When we request the users friends using:
https://graph.facebook.com/me/friends?access_token=[access_token]&fields=id%2Cname&limit=5
We get the following response on our Azure servers:
{"data":[]}
However requesting the URL directly from my local browser returns a number of records - regardless of whether I'm logged into Facebook or not.
The Facebook App that the user logged in via is published to live (otherwise they wouldn't be able to log in at all).
The only users that return results when called from within Azure are users configured as testers or developers in the Facebook app - is there a setting I've missed?
Looks like the "Country Restricted" setting was causing the problem - we'd limited this to users in the UK which meant requests from the Azure servers in Dublin where returning empty.
Removing this restriction (or possibly increasing to include Ireland) resolved the issue.
Note that this restriction doesn't impact test users, developers or administrators, all of whom work throughout testing and into release.
Related
So I have been using docusign developer account for performing in-person and remote signing using docusign APIs. I am interesting in knowing 2 things:
The developer account (with the base url account-d.docusign.com) seems to be working fine for me. Why can't I use it for production as well. What difference/advantage does the paid account(with API access) has? What changes exactly when the integration app that I am using for docusigning goes live from "demo", other than the base url (i.e., account.docusign.com)?
When I login to my account, and go to Settings > Integrations > Apps & Keys, I can see a value "baseUrl" under "API Username" and "API Account ID", this value is either "https://na3.docusign.net" or "https://demo.docusign.net". However, when I use either of these values in my code to perform in-person or remote signing, it gives error. I have to use url account-d.docusign.com, then the API calls work correctly. What is the use of baseUrl mentioned in the portal then? Does it change when the integration app goes live? In our old app we just changed the url in code from account-d.docusign.com to just account.docusign.com when app went live and it worked.
Production accounts are the only ones you can use for "real" i.e. valid signatures for legal purposes. Developer account (demo) is for developing, testing, showing what can be done to customers etc. You need to follow the Go-Live process to enable your integration in production.
the baseURL is for API calls, not for authentication. And like you indicated, it's different in each env. If your code already handles this - you don't need to worry about it, but this is not the URL for the web app, rather the URL to make API calls.
I've built an API-based integration with DocuSign (using their PHP SDK), and am now at the point of deploying to the production server. I have reconfigured everything with the production integration key, public/private key pair, user and account IDs, endpoint URL, etc. replacing the demo ones. The OAuth portion of the conversation is working fine, and I get a valid token back. When I then try to send an envelope, I hit a USER_LACKS_MEMBERSHIP error, and cannot figure out why. As far as I can see, everything about the API user is the same between the demo and production systems.
I've authorized the application and made sure that it's in the list of "Applications with Access to DocuSign".
I have enabled logging, but the only things that are showing up in there appear to be from my own navigation in the site, nothing related to the API calls at all.
Most of the documentation that I can find on this simply repeats the generic error text: "The UserID does not have a valid membership in this Account." If I go to the account admin and look at the list of users, the one I'm expecting is right there, with DS Admin permission; not sure what else might be done to give them "membership". One mentioned not using SendOnBehalfOf, but I'm not, so I can't really remove that.
All the code is identical, just configuration that's changed. Not sure where else to look. Anybody have any suggestions for what to try?
FURTHER INFORMATION
I've tried the getUserInfo call in the SDK, passing the same access token I use for the other call. It returns successfully, showing that it is for the user I'm expecting, in the one group we have, on the production server. And yet, when I enable logging again, as this same user, there is still zero record in the resulting logs of any of this API activity.
Attempts to do things like list templates with the SDK fail with the same USER_LACKS_MEMBERSHIP error.
Using the Diagnostics API (again, through the SDK) to check logging status shows that it is NOT enabled (despite my enabling it in the UI), but can be enabled with a separate call. Subsequently attempting to use listRequestLogs in the SDK generates a 404 error, though the URL matches what's listed in the API documentation (/v2/diagnostics/request_logs). Not sure whether these findings confirm that I'm somehow logging onto the API and the UI with different users (even though the user name and internal ID match), or that there's some problem with the logging facility in DocuSign.
The problem turns out to be the URL I was using for API calls. I switched from demo.docusign.net in testing to www.docusign.net in live, but being in Canada we need to use ca.docusign.net. For those who find this later, you can get the correct base path to use from the oauth/userinfo endpoint, or the getUserInfo() call through the SDK (PHP SDK, at least; don't know what the analogous call would be in others).
There are 3 things to consider:
API calls are made to an endpoint (URL) that contains the account # (either GUID or short form) in the url. Take a note of that number in the url.
Auth Token is a token for a specific user in a specific account.
UserId for the specific call. That is a specific user in the account.
If the user is not in the account, or there's a mismatch between #1 and #2 - you'll get this error. You must work with a single account and have it in all places as well as the user must be a member of this account.
Re:
I have enabled logging, but the only things that are showing up in there appear to be from my own navigation in the site, nothing related to the API calls at all.
Since the request logging is not showing your API activity, the problem is that the person you've logged in as on the web tool is not the same as the person (user id) that you've logged in as on your application.
Solution for OAuth Authorization Code authentication: double check that when your app is logging into DocuSign, you're using the account.docusign.com authentication server, not the account-d.docusign.com auth server. (Look at the URL in your browser during the login sequence.)
Solution for OAuth JWT authentication: re-check that the impersonated user id is from the production system and you're using the right authentication server
I'm building a Windows 8.1 store app and need to incorporate authentication. This is an enterprise app used in house. We load the app onto a tablet and a team may check that tablet out for weeks at a time, go out to the field to collect data and then we put in on a shelf until another team needs to use it. Now different teams may work for difference clients so when we authenticate users not only do they get access to the app but we also check what groups they are in to determine what clients they can work on or what previous records they can search for.
I've followed various ADAL tutorials and am able to setup everything in Azure and in my app I am able to authenticate a user successfully and get their groups. This relies on ADAL handling the username/password. What happens when the app shuts down and the user in a place where there is no internet (or even a reliable cell connection)? Specifically how can I have the user type a username/password to re-authenticate and get the same groups they were in when they can't access Azure services?
It appears they isn't available as the guidance always points to that is a risky proposition to have the app handle username/passwords. I understand that stance and can appreciate the caution behind it. However, in all of the ADAL documentation that I find that says this, none of them tell me how to handle an offline authentication scenario.
I have found links such as ADAL v3: How to authenticate using UserPasswordCredential? that tell me how to bypass the ADAL login page. I may have to move to that route and handle all of the username/passwords securely within the app, but first I would like to reach out and see how others tackle this scenario. Is it really as simple as avoiding best practices and just handle the username/password within the app?
If anyone has some guidance, ADAL (or other oauth providers) documentation, or other articles/advice I can follow up on to help achieve offline authentication I would greatly appreciate it!
Additional Information:
My scenario that I'm trying to cover is what happens when I have 1 device, 1 app, and many different users? These users will be in different groups that will determine how data fields get populated (filter data in combo boxes) and what previously submitted forms they can query for. All users would need to login when online to cache their information (say on Day 0) before they can ever use the app. On Day 1 user 1 uses the app and doesn't log out. I would expect the app to have a timeout timer to log that user out after 2 hours of no activity. On Day 2, user 2 just grabs the device off the shelf and takes it out into the field. He has no internet and needs to log in to determine who they are and what group they are in. I would expect since he has logged in once and verified his credentials already that we can enable this sort of scenario.
What I'm looking for is guidance if ADAL as a library can handle this or is it truly up to me the app developer to handle this sort of scenario. As I see it currently I need to store all user credentials, but at the same time it seems like everyone advises against that. I feel like I'm in a situation where I need to create a custom login screen and store the user data, SECURELY of course, even though its not recommended. It seems like all articles on how to use ADAL are written from a consumer app standpoint (or a BYOD) and don't take into account how a mobile app would be written for the enterprise.
That depends on your app design, if the first time(app online) , user login and app store all groups ,user information .After that user doesn't need to use token to get related information again(send request to server to acquire groups/user info). If app is offline , user doesn't need to re-authenticate(app controls the user session) , just get group/user information from cache . When using resource owner flow , you still need to send authenticate request to Azure AD server which need internet.
I'm new to azure (used to "default" ASP.NET apps) and giving it some tries I learned that:
a.) it is very easy to add mobile logins (using FaceBook, Twitter, MS-Account...)
b.) that I can't see any database storing this data (user IDs an so)
My needs are the following:
Enable users of a Win10 Universal / Mobile app to login with FB,... (works so far)
use these users (via ID or so) to assign custom database entries to them (profile or so)
assign (via some kind of management interface) the user to a role (for permissions)
merge different logins (let the same user login with different providers=
To explain this imagine a forum (driven by apps (UWP, Android, ...)):
The user logs in via Facebook.
After (example) 10 moderated posts he will be able to write posts without moderation. (assign to role)
Users can be manually added to roles (moderators)
Last not least if the preferred service is not available (some corporate networks for an example restrict Facebook access) - the user shall be able to use (for an example) Google to login with "HIS account".
I understand that "merging" may need to be done while both providers are available.
Something like - "you are logged in with FB - to you want to add Google login to your account - if yes pleas additionally login with Google now while your are logged in with FB...
Two extra points:
1. I don't want to have "username / password" (only social logins)
2. I want to store the users email (for notification purposes)
--used from the social provider if available - or manually entered
Is this possible with "Azure Mobile" or would it be better to create a "Web App" and add (somehow) add "Mobile capabilities" (login, push notifications..) to it?
Yes, you can absolutely do this. The token information (which is equivalent to the claims that you request when you set up the authentication within the Authentication / Authorization Settings blade in the Azure Portal) is available on the /.auth/me endpoint of your app. It's also available internally - for ASP.NET, that would be the MobileAppUser class. This is the IPrincipal for the request given an ASP.NET TableController decorated with the [Authorize] decorator.
You can adjust the information stored by the table controller. There is some sample code commented out of the FieldEngineer sample on GitHub for this.
I wish to add Social Login feature to a Shopify store that I am building. (I'm using the professional plan.)
I explored a few of the available social-login apps on the Shopify App Store. Upon studying closely as to how they actually work - I have come to the following understanding of the general scheme being followed by all of them.
The Shopify shop owner sets up a social app (e.g. Facebook app) with their store identity, but configures the Callback-URL/Redirect-URL to one supplied by the App author (i.e. pointing to their infrastructure).
Upon successful login by a shop customer on the social platform (via a link/button inserted on the shop login page), the request gets redirected to the App.
The App retrieves the user's email address from the their social profile (that they now have access to).
They then lookup their own database to see if this is an existing customer. If so they go directly to step 7 below.
If it's a new customer, they use Shopify API to create a new 'customer' on the target Shopify store. They set the customer up with a randomly generated password.
At the same time they also make an entry of this customer account (email + generated password) in their own database.
They then redirect the request back to the Shopify store's login page but this time with the customer's email address (retrieved from social platform) and their password (from the App's own database) included as part of the data that comes back to the users browser as part of loading the login page.
Then the App's javascript embedded on the shop login page uses the customer email address and password to programmatically submit the login form - thus establishing a valid customer session on the Shopify shop.
My questions are as follows:
Has someone else also looked closely in to this, and thus can validate if my above understanding is correct or not?
If it is correct - is this the only way to achieve social login on Shopify (without using Shopify Plus/Enterprise plan)?
I am trying to understand if this indeed is the only way, because I strongly feel that this method is not at all secure. And thus I'd rather not use this method; or if I just have to - then I'd rather write my own (private) app for this so that at least I am in control of the security of the app/database that holds sensitive users credentials.
Would appreciate any help/thoughts I can get with this, please.
If you are rolling your own you probably want to look at Multipass. It would be the thing to use if you can set up another web service that handles the trusted partner registration process.