We are using the Microsoft MSAL library to authenticate our users. When a user needs to login, they are shown this dialog each time. Is there a way to disable this prompt so the login experience is more seamless?
This pop-up occurs anytime the app uses SFAuthenticationSession or ASWebAuthenticationSession, MSAL.NET does not control what is displayed there, as that is the point of the pop up, it is to initialize a private dialog with the user, outside of the app. From Apple's developer site: " users are prompted by a dialog to give explicit consent, allowing the application to access the website’s data in Safari. When the webpage is presented, it runs in a separate process, so the user and web service are guaranteed that the app has no way to gain access to the user’s credentials. "
#Jenny has the correct response. However, for using MSAL against Azure AD, using an embedded webview prevents the prompt from displaying.
The key is this line...
.WithUseEmbeddedWebView(true)
Here is a more complete example when acquiring the token interactively.
var authResult = await PCA.AcquireTokenInteractive(Constants.B2CConstants.Scopes)
.WithAccount(GetAccountByUsername(accounts, username))
.WithUseEmbeddedWebView(true)
.ExecuteAsync();
Related
I am currently trying to implement an oauth flow within a Teams Messaging Extension. I use ASP.NET and I managed to make the sign in process work, by using the sign in card recommended by Teams.
ComposeExtension = new MessagingExtensionResult
{
Type = "auth",
SuggestedActions = new MessagingExtensionSuggestedAction
{
Actions = new List<CardAction>
{
new CardAction
{
Type = ActionTypes.OpenUrl,
Value = authUrl,
Title = "OAuth"
}
}
}
}
This card has a button that opens a specific popup window (a Teams webview) which I can relocate to the oauth authentication page of a third party site.
All this goes very well, but when the user tries to log out, in my case it is not enough to just revert the tokens I got from the server, I also need to navigate the user to the third party site's /forcelogout subpage in the exact same webview which I used in the sign in process, to make sure the cookies related to the previous login session are getting deleted. By this I can prevent the login form getting auto filled and submitted when the user tries to sign in the next time they use my Messaging Extension.
My problem is that I can not find any way to open that exact webview from the Messaging Extension (this problem only occurs on the Teams Desktop Client, since the web version of Teams uses browser tabs instead of webviews and iframes). I tried using Task Modules, the dialog module, adaptive cards but none of them could open that specific webview that has the cookies for the login form.
Do you have any solution for this?
Authentication provider could receive an optional parameter to always prompt the auth-form by neglecting the cookies.
Using this way there is no need to open any webview when the user logs out.
I am trying to use email verification in my Xamarin/Firebase app.
I currently have:
using (var actionCode = ActionCodeSettings.NewBuilder()
.SetHandleCodeInApp(true).Build()) {
await user.SendEmailVerification(actionCode);
}
This properly sends a verification email.
What I don't know is how to specify a callback in the app to catch user clicking on the verification link.
Any advice/guidance will be appreciated.
It's still unclear to me what's the point of the SetHandleCodeInnApp option. It seems to indicate that there is a way of handling the verification event in the app
Whether the email action link will be opened in a mobile app or a web link first. The default is false. When set to true, the action code link will be be sent as a Universal Link or Android App Link and will be opened by the app if installed. In the false case, the code will be sent to the web widget first and then on continue will redirect to the app if installed.
For more details, you could check the document. https://firebase.google.com/docs/auth/android/passing-state-in-email-actions
I'm trying to migrate to the new Sign In With Google and I'm missing one crucial functionality I was using previously.
Basicly my application is working with locally created application users. At one point in the application, the user is prompted to login with Google Account to confirm that he's the correct user that will do some Google API action. I was able to achieve that with following code from the soon deprecated Google Sign-In library:
const auth = gapi.auth2.getAuthInstance();
if (!auth.isSignedIn.get())
await auth.signIn({
prompt: "select_account",
login_hint: employeeEmail
});
...
And it worked just fine. Now all the above methods are being deprecated and there are no direct replacements, or at least I don't understand how to achieve the same result. I am able to confirm the user identity by checking the id token received by using:
google.accounts.id.initialize({/*options*/);
...
google.accounts.id.prompt();
But if there's no google session active for the user, nothing happens.
The only way to actually trigger the Sign In is to click the Google Sign In Button, rendered using:
google.accounts.id.renderButton(htmlElement, {/*options*/});
After the button is clicked, the sign in popup is shown and everything is fine, the callback of the initialize configuration is called and the flow is resumed.
The problem is, how do I trigger the Sign In popup programatically? All of the above starts with a specific button click on my website.
FYI
I actually managed to reproduce almost the same behavior with the new API. It might not be the most elegant way of doing this, but I replaced the signIn method from my post above with google.accounts.oauth2.initTokenClient. Even though it should be used to only receive the tokens, it will also create a valid Google session that then can be detected by using silent auth (prompt: "none");
We are using Azure B2C for login/authentication of our users. This works fine on our website (social and email login etc).
Our mobile app is built in Xamarin forms and we are trying to build a native login experience (using native app controls vs. a web view within the app that B2C presents) that integrates natively with the device biometrics for login (FaceId, TouchId, fingerprint login).
As you can imagine, doing this in the webview that Azure B2C requires doesn't allow a native login experience.
The overall goal here is 2 fold:
Build a native login experience
Integrate with biometrics.
Question:
Does Azure B2C have an API that enables this, especially so we can use authorization code flow without a UI. ROPC exists but does it integrate with social accounts too?
If not, is there a way to integrate biometric login with Azure B2C on mobile when the login screen is presented in a webview? So that when the B2C login page in the webview is presented, a user can login with touch/faceId and save that information to they keychain (on iOS and the equivalent on Android)
You need to use Webviews, and you can enable Biometric integration with webview type experience.
You cannot integrate any service with Social Accounts and ROPC. Any integration with Social IdPs will need a webview.
Yes, enable Keep Me Signed In for long lived sessions. Wrap the biometric code around the acquireTokenSilent() methods.
Then you have two options:
You can hide the KMSI button, and use JavaScript to force select the KMSI checkbox in the login page using page customisation.
You can rename the KMSI label on the login page to ask the user if they want to enrol in to biometric. Then after the login, your app will receive a claim in the token whether the user opted in, use claim resolver to achieve that.
Now you have a user logged into the App, with:
1 hour access token
Potentially up to infinity long refresh token
Multi day/year Azure AD B2C session cookie
Then, when the user re-attempts to open the app, or perform some action in the app, you will need to call acquireTokenSilent(). This MSAL method obtains a fresh access token for the required API resource/scope.
If the token is expired, or requires a different scope, the a new token is fetched.
You can wrap any action in your application with the biometric SDK.
if (performingSomeAction && requiresBiometric)
if (challengeBiometric succeeds)
acquireTokenSilent()
//do someAction
Now if the refresh token has expired, then the web view will pop up, the long lived session cookie will be used to get new tokens. The acquireTokenSilent() method handles all of that already.
I can’t seem to be able to force the user consent dialog to appear.
The first time user logs in, the consent dialog properly comes up.
However, after we change the app permissions or the user manually removes the app consent (from portal.office.com/myapps) then we can no longer cause the consent dialog to re appear.
Details:
UWP Windows 10 native client connecting to WebApp (ASP.NET) which calls downstream WebApi (O365) using the “on-behalf” oath2 pattern (using latest 3+ ADAL libraries)
Single tenant WebApp (no special admin perms)
After changing WebApp permissions (eg adding more o365 apis) or the user removing the WebApp consent, the WebApp’s AcquireToken returns AADSTS65001
Using wtr.Properties.add(“prompt”, “consent”) in the UWP client app does not cause consent dialog to re-appear
Re-cycling WebApp (to clear the built-in AAD token cache – it doesn’t use its own token cache) or clearing the client’s token cache (by login out) does not help
What is the proper way to having the user re-consent?