I have two different web portals that use the same Database.
The first one is a legacy web portal built in asp .net and the second one is made using Angular which consumes API's on the backend and uses JWT token based authentication.
Now I want to implement SSO in such a way that a user logs in to the ASP .NET portal and clicks on a button which takes the user to the Angular web portal without having to login on the Angular App again.
Similarly when the user logs out from the ASP .NET he should be automatically logged out from the Angular app too.
Any ideas how to implement this custom SSO?
It's very easy as both portal sharing same DB.
Just pass any unique token or identifier with button click to another portal.
then you can identify user based on token/identifier and sign-in directly.
Just need to make sure identifier is unique for each user.
Example:
In DB you have user record like:
User Id: 1, name: xyz, UUID: 123-123-456
User Id: 2, name: abc, UUID: 123-123-455
now while link will have something like this:
https://somedomain.com/page-path?token=123-123-456
Related
We are using Azure B2C for login/authentication of our users. This works fine on our website (social and email login etc).
Our mobile app is built in Xamarin forms and we are trying to build a native login experience (using native app controls vs. a web view within the app that B2C presents) that integrates natively with the device biometrics for login (FaceId, TouchId, fingerprint login).
As you can imagine, doing this in the webview that Azure B2C requires doesn't allow a native login experience.
The overall goal here is 2 fold:
Build a native login experience
Integrate with biometrics.
Question:
Does Azure B2C have an API that enables this, especially so we can use authorization code flow without a UI. ROPC exists but does it integrate with social accounts too?
If not, is there a way to integrate biometric login with Azure B2C on mobile when the login screen is presented in a webview? So that when the B2C login page in the webview is presented, a user can login with touch/faceId and save that information to they keychain (on iOS and the equivalent on Android)
You need to use Webviews, and you can enable Biometric integration with webview type experience.
You cannot integrate any service with Social Accounts and ROPC. Any integration with Social IdPs will need a webview.
Yes, enable Keep Me Signed In for long lived sessions. Wrap the biometric code around the acquireTokenSilent() methods.
Then you have two options:
You can hide the KMSI button, and use JavaScript to force select the KMSI checkbox in the login page using page customisation.
You can rename the KMSI label on the login page to ask the user if they want to enrol in to biometric. Then after the login, your app will receive a claim in the token whether the user opted in, use claim resolver to achieve that.
Now you have a user logged into the App, with:
1 hour access token
Potentially up to infinity long refresh token
Multi day/year Azure AD B2C session cookie
Then, when the user re-attempts to open the app, or perform some action in the app, you will need to call acquireTokenSilent(). This MSAL method obtains a fresh access token for the required API resource/scope.
If the token is expired, or requires a different scope, the a new token is fetched.
You can wrap any action in your application with the biometric SDK.
if (performingSomeAction && requiresBiometric)
if (challengeBiometric succeeds)
acquireTokenSilent()
//do someAction
Now if the refresh token has expired, then the web view will pop up, the long lived session cookie will be used to get new tokens. The acquireTokenSilent() method handles all of that already.
I have created a project scaffolded by Visual Studio 2019 using Angular and MVC Rest API using C# and .NET Core with Entity Framework.
I selected to use IdentityServer4 to register and confirm user emails. With this you also get password reset functionality, a login screen etc... I have configured SendGrid to send emails and have also hooked into Facebook as a authentication provider.
I wish to create user specific data after a user confirms their account on clicking the confirm link that was emailed to them. The user specific data is in the form of other tables and needs to be populated on confirmation.
I am at the point thinking that I have to write the code I have gotten for free (IdentityServer4) to get what I want done.
My question is how do I hook into the confirmation of the email\user to populate the tables with the users individual data? Is there an event\hook or interface that I should be providing.
I have a scenario and looking solution for that. I am working on an application and Using Firebase to create and authenticate the User. In my app, basically two types of users (1.User & 2. Vender) and User can signIn on app but vender need to login on web panel. We are using firebase default method (.createUser) to create user and it's already working.
Now I wants to create Vender profile too in same app but Vender can login only on web app and user can login on Mobile app.
Is it possible ? If yes then please guide me that how it's possible ?
Thanks in advance.
This is a fairly open-ended question but I think it comes down to two things: determining the user type (vendor or user) and detecting what platform they are signing up on.
Both are pretty easy.
Heres's the structure which leverages a /users node to store additional info about the user. From Storing User Data
users
uid_0
name: "William:
type: "vendor"
uid_1
name: "Leonard"
type: "user"
and then when the user attempts to log in, the app checks their user authentication, which will result with authData.uid being populated.
Then it would look up the user via authData.uid and check the user type. If it's a Vendor, display a message to the user that they must log in via the web portal, and don't proceed into the app.
There's a 100 other ways to handle this - setting up a Vendors Node and a Users node for the app to auth against to having them select Vendor Or User before entering their authentication credentials.
I'm using .NET backend on Azure Mobile Service. It's easy to set up authentication with social identity provider, so that the client can use e.g. Facebook iOS SDK to login, as illustrated in the official tutorial
In custom authentication, as I need to maintain my own Account table according to the official tutorial, I have full control over the registration & login.
I'd like to have a centralized User table to store information about all users, no matter which channel they used to authenticate.
My question is, is there a way for the .NET backend to be notified when a user register or login with a Facebook token? So that a new row can be added to the centralized User table even when the user is using Facebook to authenticate?
Thank you!
Yes - the User.GetIdentities() method contains the token and mechanism that was used to authenticate the user. You can use this to update your table. For an overview of how to use this token, see this blog post by the team: https://azure.microsoft.com/en-us/blog/custom-login-scopes-single-sign-on-new-asp-net-web-api-updates-to-the-azure-mobile-services-net-backend/
Background: I'm using Open ID authentication in my asp.net website. Here is how it works currently - User would pick an Open ID provider from dropdown (google/yahoo/myopenid/etc..) and then click on Login button. The application would then pass the user to the provider authentication page. On successful authentication and authorization on the open ID provider site, user is directed to my application. So far, so good.
Problem: On the Open ID provider authentication page, if the user chooses/clicks Sign Up, then the provider is following its own workflow and the control never returns to my application.
Question: Is there a way where I can disable the dynamic registration on provider (i.e., the Sign Up)?, so that, the user would then be required to register with the provider and then use my application? Or
Is there a way that I can get the control back once the dynamic registration is done?
No. The OpenID protocol has no such provision and while it would be courteous of a Provider to remember to ultimately redirect their new user back to your site, not all do.