Facebook: Adding Facebook OAuth to existing user accounts -- security issues - security

I have an existing application that has standard user accounts, and we've just finished integrating Facebook login as an option. It works quite well, but if someone tries to log in using Facebook for an email address that already exists as a user of the system, I'd like to associate them with the existing user account.
Before I go ahead and do that, though, is it safe to just do it, without requiring that the user log in first? If Facebook says a user has a certain email address, how confident can I be that it's not fake?
I could, if required, set it so that the user needs to log in to my app, then associate the Facebook account manually, but I'd prefer to keep it as simple as possible for them, without adding all kinds of steps.
Thoughts?

I think the best option would be having the user log in to their account on your site before associating the Facebook account.
Assume a condition that a user on your site does not have a Facebook account associated with the email address they use to identify themselves on your site. A malicious user creates one using their email address, goes to your site to associate accounts, and takes over the original user's account.
I believe Facebook does not require email address authentication to use the account.
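The linking rule the answer recommends, as an added example that is not code from the thread: an external identity is recognised by the provider's stable subject id, a provider-asserted email is never treated as proof of ownership of an existing local account, and binding a new external identity to an existing account is only allowed from a browser that is already authenticated as that account. The class names, the `users` store and the demo data are assumptions made for this example.

```python
# Added example (not code from the original thread): policy for attaching an
# OAuth identity to an existing local account. Names and data are assumed.
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    email: str
    email_verified: bool
    # provider name -> provider-issued stable user id; the only key used to
    # recognise a returning external login
    links: dict = field(default_factory=dict)


@dataclass
class ExternalIdentity:
    provider: str
    subject: str
    email: str
    email_verified: bool  # what the provider asserts; may be false or absent


class LinkRefused(Exception):
    pass


def resolve_external_login(users, identity, session_user=None):
    """Return the LocalUser to sign in, creating or linking as allowed.

    users: dict of lower-cased email -> LocalUser (the local account store).
    session_user: LocalUser currently signed in on this browser, if any.
    """
    email = identity.email.strip().lower()

    # 1. A subject id already bound to an account identifies that account,
    #    regardless of which email the provider sends this time.
    for user in users.values():
        if user.links.get(identity.provider) == identity.subject:
            return user

    owner = users.get(email)
    if owner is None:
        # 2. Nobody owns the address: create a fresh account and carry the
        #    provider's verification flag through unchanged.
        new_user = LocalUser(email=email, email_verified=identity.email_verified)
        new_user.links[identity.provider] = identity.subject
        users[email] = new_user
        return new_user

    # 3. The address belongs to an existing account. The provider's claim is
    #    not proof of ownership (Facebook does not require the address to be
    #    confirmed), so binding requires that this browser is already
    #    authenticated as exactly that account.
    if session_user is None or session_user.email != owner.email:
        raise LinkRefused(
            f"{identity.provider} identity for {email} matches an existing "
            "account; sign in with the existing credentials first"
        )
    owner.links[identity.provider] = identity.subject
    return owner


def demo():
    """Walk through the takeover attempt from the answer and the safe path."""
    users = {"victim@example.com": LocalUser("victim@example.com", email_verified=True)}
    # constructed: an identity whose unconfirmed email copies the victim's
    impostor = ExternalIdentity("facebook", "fb-impostor", "victim@example.com", False)
    outcomes = []
    try:
        resolve_external_login(users, impostor)  # no session: refused
        outcomes.append("linked")
    except LinkRefused:
        outcomes.append("refused")
    victim = users["victim@example.com"]
    genuine = ExternalIdentity("facebook", "fb-victim", "victim@example.com", False)
    resolve_external_login(users, genuine, session_user=victim)  # explicit link
    # a later visit with no session is recognised by subject id, not by email
    outcomes.append(resolve_external_login(users, genuine).email)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Rule 1 is what keeps the check cheap after the one-time link: subsequent Facebook logins never consult the email at all, so a later change of the provider-side address cannot redirect the login to someone else's account.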

Related

Azure Active Directory B2C new user invite to set their initial password

In short: how to set up Azure B2C to pre-create users and invite them to set their initial password (rather than reset it).
We have a public-facing website that an organisation can pay for, and it gives them access to their own area. We add one or more users' email addresses to our database to grant them a login. Privileged users at the organisation can invite other users to grant them access to their organisation's area.
We wish to move our authentication, session and password management from a home grown solution to Azure AD B2C.
A new user currently receives a friendly invitation email with a hyperlink that contains a token that gives them permission to set their password.
We could create a custom policy to handle this but I really don't want to go down that route due to their complexity and shelf life.
The only way that I've found "out of the box" is to create the user in Azure AD (no problem with that), set a temporary password and email them an invite asking them to "reset" their password. The reset part is very unclean as they are not resetting their password, they are setting their initial password and this will be confusing.
Also note that we do not want the user to be able to change their email to something like a hotmail account, as the admin must be in charge of this to ensure they use their work email.
All help appreciated.
Andy
• In your scenario, I would suggest you configure an application registration in Azure AD B2C and configure user flows in it for resetting the password for every user logging in it. Also, while registering an application in Azure AD B2C, you can select the option for ‘Accounts in this organizational directory only (Default Directory only - Single tenant)’ and integrate it with your website in the frontend API such that the user flow to reset the password after verifying the email address comes up for every user.
For the above said configuration, kindly refer to the below documentation link for more details as it describes the configuration for registering users of a single tenant/organization: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
Also, refer to the below documentation link for resetting the initial temporary password using the user flow section as setting up a user flow is a very simple process as described below: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow

Detect social account existence flow using custom policies on Azure AD B2C

I am struggling to get my head around how to implement a custom policy for the following flow:
User lands on the login page and that login page only contains an email input.
User enters email address and clicks continue
  if user has already registered
    Redirected to their selected login provider (Google, Microsoft Account or Local Account)
  if user has not registered before
    Check google provider if a user account exists for that email address
      if Google account exists
        Redirect to Google login
    Check Microsoft provider if a user account exists for that email address
      if Microsoft account exists
        Redirect to Microsoft login
    else
      Redirect to registration screen
        User completes registration screen
        User is automatically logged in
The user
I've investigated whether this can in fact be done and I've found a "digital workspace for visual collaboration" (a.k.a Mural.co) that does in fact implement a similar flow, so this has to be possible. See the pictures below.
I'm, however, unable to find information on
how to query the social providers for account existence
how to go about creating this complex type of flow in Azure AD B2C custom policies.
Any pointers in the right direction would be greatly appreciated
Not possible. Nobody would allow you to probe a social IdP for an email. Data protection etc.
Reference our samples and wiki
Your sign up would be from our default sign up journey.
Your sign in flow could work like this:
Request for email
Read the directory to see if an email exists
If email exists, send the user to the IdP they used to sign up. You can do that by looking at the “issuers” registered on the userIdentity object.
If email doesn’t exist, send the user to the combined sign in and sign up page (technical profile) where they can sign in with social or sign up with a local account. Hide the sign in elements with CSS.
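The routing the answer describes, as an added example that is neither from the thread nor from Microsoft's samples: the directory is consulted for the entered email, a federated identity's issuer selects the IdP route, a local identity selects the local-account page, and an unknown email goes to the combined sign-in/sign-up page because the social IdPs cannot be queried. The identity records imitate the Microsoft Graph `identities` shape (`signInType`, `issuer`, `issuerAssignedId`); the issuer strings, route names and directory contents are constructed for this example.

```python
# Added example (not from the thread or Microsoft's samples): choose the next
# page from the identities stored on the B2C user. Data and names are assumed.
from dataclasses import dataclass

# constructed directory: lower-cased email -> identities collection
DIRECTORY = {
    "alice@example.com": [
        {"signInType": "federated", "issuer": "google.com", "issuerAssignedId": "g-1001"},
        {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
         "issuerAssignedId": "cpim_1@contoso.onmicrosoft.com"},
    ],
    "bob@example.com": [
        {"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
         "issuerAssignedId": "bob@example.com"},
        {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
         "issuerAssignedId": "cpim_2@contoso.onmicrosoft.com"},
    ],
    "carol@example.com": [
        {"signInType": "federated", "issuer": "live.com", "issuerAssignedId": "msa-7"},
    ],
}

# assumed mapping from a federated issuer to the technical profile it should
# be sent to; anything unmapped falls back to the combined page
IDP_ROUTES = {"google.com": "google", "live.com": "microsoft-account"}
COMBINED_PAGE = "combined-signin-signup"
LOCAL_PAGE = "local-account"


@dataclass(frozen=True)
class Route:
    target: str       # page / technical profile to send the browser to
    known_user: bool  # whether the email was found in the directory


def route_for_email(directory, raw_email):
    """Decide where the email-only first page sends the user next."""
    email = raw_email.strip().lower()
    if "@" not in email:
        return Route(COMBINED_PAGE, False)
    identities = directory.get(email)
    if not identities:
        # Unknown address: no social IdP can be probed for it, so the only
        # option is the page where the user picks a provider or signs up.
        return Route(COMBINED_PAGE, False)
    # A federated identity records the issuer the user signed up with.
    for rec in identities:
        if rec.get("signInType") == "federated":
            return Route(IDP_ROUTES.get(rec["issuer"], COMBINED_PAGE), True)
    # Otherwise a local account. The userPrincipalName identity that every
    # directory user carries is deliberately ignored: it says nothing about
    # how the user signs in.
    if any(rec.get("signInType") in ("emailAddress", "userName") for rec in identities):
        return Route(LOCAL_PAGE, True)
    return Route(COMBINED_PAGE, True)


if __name__ == "__main__":
    for address in ("Alice@Example.com ", "bob@example.com", "carol@example.com", "nobody@example.com"):
        print(address.strip(), "->", route_for_email(DIRECTORY, address))
```

Because the first page answers differently for known and unknown addresses, it also tells anyone who types an email whether it is registered; the flow in the question accepts that by design, so the email step is the place to put rate limiting and uniform response timing.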

Sync with Azure Active Directory with a multi-tenant app (receiving user notifications)

I've developed a feature on my website that allows logging in using Azure.
So users on my website can sign in using:
Azure (OAuth2). We're using a multi-tenant app. We're just using the application to log in users. So we don't really use the Access-Token to make requests. We just use the access-token to obtain the user email (decoding it with JWT).
Their own email-password they can set on my site.
This creates a problem:
Imagine a person that starts working in a company. The IT team gives him an email that belongs to their Azure account (with their account domain). This team also has an account on my site (configured with the same domains they use on Azure). So this user will try to log in to my site using his credentials. We'll create his profile on their company account (due to the email domain). He sets his password. Sometimes he uses Azure to log in and sometimes he uses his email-password to log in.
The next month, this person gets fired. The IT team deletes him from Azure. However, the IT team forgets about deleting him also on my site. So this user has permissions to sign in with his email-password credentials and is still able to see private information (he can even delete private files).
I would like to know if there is a way to sync my app with every Directory that is using it. So I would be able to receive user action notifications (like user deletions). It would be great to receive a call to an endpoint with information about users' important actions. This way we'll be able to delete the user also from our platform. So the company can forget about deleting a user on my site without having the stolen-information problem.
PS: I've seen you have a logout sync using SAML, but I wonder if we would be able to receive other kind of notifications, because we don't want to log-out the user when this logs-out from Azure.
If you have permission from the ex-user's tenant administrator to access their directory, you can check if the user is listed or not by using the Microsoft Graph API.
I've been talking with Microsoft support and there is no way of having Microsoft call our endpoint to receive some notifications.
So the only solution is to ask for admin permission or, having the refresh_token from OAuth2, check that the user still appears on Graph (https://graph.microsoft.com/v1.0/me).
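The polling approach the poster settled on, as an added example that is not the poster's code: a job re-checks every account that was provisioned through an Azure AD login by exchanging its stored refresh token and calling `https://graph.microsoft.com/v1.0/me`, and disables the local password fallback when the tenant no longer knows the user. The Graph round trip sits behind a hook so the decision logic runs offline on constructed results; the outcome labels, the seven-day grace period and the account data are assumptions for this example.

```python
# Added example (not the poster's code): periodic revalidation of accounts
# created from an Azure AD sign-in. Graph results here are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

STALE_AFTER = timedelta(days=7)  # assumed tolerance for transient failures


@dataclass
class Account:
    email: str
    tenant_id: str
    refresh_token: str                  # from the OAuth2 login, kept server-side
    password_login_enabled: bool = True
    last_verified: Optional[datetime] = None


# Hook contract: exchange the refresh token and GET /v1.0/me, returning
#   ("ok", profile)        the user still exists in the tenant
#   ("invalid_grant", None) the refresh was rejected (user deleted/disabled,
#                           consent revoked): the tenant has disowned the user
#   ("error", None)        transient failure; nothing can be concluded
GraphMe = Callable[[str], Tuple[str, Optional[dict]]]


def revalidate(account: Account, graph_me: GraphMe, now: datetime) -> str:
    outcome, _profile = graph_me(account.refresh_token)
    if outcome == "ok":
        account.last_verified = now
        return "active"
    if outcome == "invalid_grant":
        # Fail closed: the local password must not outlive the corporate
        # identity it was derived from.
        account.password_login_enabled = False
        return "deprovisioned"
    # Transient error: tolerate within the grace period, then fail closed
    # rather than let an unverifiable account keep password access forever.
    if account.last_verified is None or now - account.last_verified > STALE_AFTER:
        account.password_login_enabled = False
        return "stale"
    return "unverified"


def run_job(accounts, graph_me: GraphMe, now: datetime) -> dict:
    """Apply revalidate() to every tenant-linked account; email -> result."""
    return {a.email: revalidate(a, graph_me, now) for a in accounts}


# constructed stand-in for the token exchange plus /me call
FAKE_GRAPH = {
    "rt-alice": ("ok", {"id": "u-1", "mail": "alice@contoso.example"}),
    "rt-bob": ("invalid_grant", None),
    "rt-carol": ("error", None),
    "rt-dave": ("error", None),
}


def fake_graph_me(refresh_token: str):
    return FAKE_GRAPH.get(refresh_token, ("invalid_grant", None))


def demo(now: Optional[datetime] = None):
    now = now or datetime(2024, 1, 15, tzinfo=timezone.utc)
    accounts = [
        Account("alice@contoso.example", "t1", "rt-alice"),
        Account("bob@contoso.example", "t1", "rt-bob"),
        Account("carol@contoso.example", "t1", "rt-carol", last_verified=now - timedelta(days=1)),
        Account("dave@contoso.example", "t1", "rt-dave", last_verified=now - timedelta(days=30)),
    ]
    results = run_job(accounts, fake_graph_me, now)
    enabled = {a.email: a.password_login_enabled for a in accounts}
    return results, enabled


if __name__ == "__main__":
    print(demo())
```

The same decision applies if the check is made with an admin-consented application permission instead of the user's refresh token: the hook changes, the fail-closed rule does not. A successful check only records the verification time; it never re-enables a password login that was switched off, so an administrator's manual lock-out is not undone by the job.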

Checking account registration details

Within the InfoQ or IBM CodeRally pages, is there a way to check / reconfirm the account details entered during registration process? Having used Google OAUTH, can one also provide twitter OAUTH details?
The only way to confirm which social media account is linked to a username is to try and login with them.
You cannot link more than one OAuth login to the same username, but one OAuth login can be linked to as many usernames as you like. If you want to use a different OAuth to the one you registered with you will need to go back to InfoQ's page and register again with a different username and your preferred social media account login.

Is it possible to allow login only (no registration) with external providers in Identity 2?

I have a closed-registration site (set up as a resellers control panel).
There is no way to sign up externally as the admin creates the accounts and dishes them out to users.
I wanted to allow the user to attach their social accounts (fb/twitter/etc) to their logins after they have been created to make it easier for them to sign in to the website in the future.
The problem I'm seeing is that there doesn't appear to be a way to modify the third party providers to only allow login if the account already exists?
I've looked around the documentation and can't find anything, e.g.:
http://msdn.microsoft.com/en-us/library/microsoft.owin.security.twitter.twitterauthenticationoptions_properties(v=vs.113).aspx
So the question is - can you set up ASP.NET Identity 2.0 so that external login providers can be used to log in but are rejected if they aren't already registered to an account on the site?
I'm using the default MVC 5 template. I have a list of authorized users in a separate table from the Identity users table. When a user attempts to log in via Google, I check the user against that table in the AccountController's ExternalLoginCallback method prior to the SignInManager.ExternalSignInAsync() call. If they exist in the authorized users table, it continues the login process. If not, it redirects them back to the Login page. This of course requires knowing what their social login username or email address is in order to compare it, which in our case is not a problem because we are limiting login to specific users within our Google Apps domain.
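The gate the answer places in front of `SignInManager.ExternalSignInAsync()`, as an added example written in Python rather than the answerer's ASP.NET code so the decision can be exercised directly: the external login is accepted only if the provider verified the email, the email belongs to the expected hosted domain, and the address is present in the separate authorized-users table. It goes one step further than the answer by pinning the provider's subject id to the row on first sign-in, so a later reassignment of the same email address does not inherit the account. The table rows, the domain and the claim sets are constructed; the claim names follow the Google OpenID Connect ID token (`sub`, `email`, `email_verified`, `hd`).

```python
# Added example (not the answerer's ASP.NET code): allow an external login
# only for pre-authorized users. Table contents and domain are assumed.
from typing import Optional, Tuple

ALLOWED_DOMAIN = "example.com"  # assumed Google Apps / Workspace domain

# constructed authorized-users table; "subject" is empty until first login
AUTHORIZED = [
    {"email": "alice@example.com", "provider": "google", "subject": None},
    {"email": "bob@example.com", "provider": "google", "subject": "g-2002"},
]


def external_login_callback(provider: str, claims: dict, authorized=AUTHORIZED) -> Tuple[str, object]:
    """Decide what happens after the provider redirects back.

    Returns ("signin", row) when the external sign-in may proceed, or
    ("reject", reason) when the browser should be sent back to the login page.
    """
    email = str(claims.get("email", "")).strip().lower()
    if not email:
        return "reject", "no email claim"
    # Only an address the provider vouches for may be matched against the table.
    if claims.get("email_verified") is not True:
        return "reject", "provider did not verify email"
    # Google puts the hosted domain in `hd`; consumer accounts have none.
    if provider == "google" and claims.get("hd") != ALLOWED_DOMAIN:
        return "reject", "outside allowed hosted domain"
    subject = str(claims.get("sub", ""))
    if not subject:
        return "reject", "no subject claim"
    for row in authorized:
        if row["provider"] != provider or row["email"] != email:
            continue
        if row["subject"] is None:
            row["subject"] = subject  # first login: pin this provider identity
            return "signin", row
        if row["subject"] == subject:
            return "signin", row
        # Same email, different provider identity: the address was reassigned
        # or spoofed; do not let it inherit the row.
        return "reject", "subject mismatch for this email"
    # Not pre-authorized: no account is created for external logins.
    return "reject", "not in authorized users"


if __name__ == "__main__":
    claims = {"sub": "g-1001", "email": "Alice@Example.com", "email_verified": True, "hd": "example.com"}
    print(external_login_callback("google", claims))
```

The rejection reasons are for the server log; the login page should show the same generic message for all of them so the callback does not reveal which addresses are in the table.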
