My application uses user's email address as the user id. Currently it does not allow users to change their email address. They can create a new account if they need to use a different email address. I'm implementing Google Identity Toolkit (GIT) on my site. For users who use Email/Password for login, the Manage Account page of GIT allows users to change their email address and password. I would like to block changing of email address while keeping the change password option.
Is it possible, and if yes, how?
We do not support this option but if you want to do this at your own risk, you can add the following callback in the widget callbacks config field:
callbacks: {
'uiChanged': function(from, to) {
if (to == 'passwordAccountManage' && document.getElementsByClassName('gitkit-id-email-info-container').length) {
document.getElementsByClassName('gitkit-id-email-info-container')[0].style.display = 'none';
}
}
}
Related
I want to provide users multiple authentification providers with phone, facebook and a simple email and password.
the thing is, i want the same account to be provided (same user id, same display name) if the account is linked with the same Email address.
as i got to understand it through the documentation, you can do it if the user connects and link an account when already connected with another provider.
so my question is : is there anyway to do it automatically, when let's say, the user connects with another provider next time, without having to tell him to link it himself.
[Edit - after further investigation, I found a better answer]
It turns out that only allowing the email address once comes with some caveats - that are really well laid out in this GitHub issue but I'll try to summarize.
You can have an unverified account, which may allow you to register over it (the user hasn't proved that they own the account).
Next are kind of the social identity providers. Facebook is assumed to have verified your email once (for example), so you may get a duplicate account exception.
Finally, there are email identity providers - these are seen as authoritative for all email addresses that they're associated with and will overwrite any account with the same address for the domains that they're authoritative over. Both Google and Apple sign ins have this control over their respective domains for example.
See this section of the web documentation and this and this stack overflow answers.
At this point, you may be wondering how to get more control over the process if this isn't the user flow you want.
You may opt to make a call to FirebaseAuth.DefaultInstance.FetchProvidersForEmailAsync before allowing the user to log in. Then you can choose to prompt them to log back in with their existing account first to link accounts before creating a new one (and potentially replacing the old account). For example:
public async void LogIn(string email, Credential credential) {
var auth = FirebaseAuth.DefaultInstance;
var identityProviders = await auth.FetchProvidersForEmail(email);
if (identityProviders.Empty()) {
var user = auth.SignInWithCredentialAsync(credential);
}
else {
// somewhere in here, log in the user and call
// user.LinkWithCredentialAsync(credential)
DisplayLinkAccountDialog(identityProviders, email, credential);
}
}
[Old answer - information still applicable but incomplete]
By default, Firebase authentication only allows one email address per user. See this section at the bottom of your Authentication Providers page in the Firebase console:
So when you sign up a new user, you should get a FirebaseException with the error code AccountExistsWithDifferentCredentials.
To handle this, you'd make your continuation look something like:
/* Registration call */.ContinueWithOnMainThread(task=>{
if (task.Exception) {
foreach (var e in task.Exception.InnerExceptions) {
var fe = e as FirebaseException;
if (fe != null) {
if (fe.ErrorCode == AuthError.AccountExistsWithDifferentCredentials) {
TryToLinkInsteadOfCreateAccount(); // TODO - cache credentials and implement this
}
}
}
}
});
Let me know if that helps!
--Patrick
I have a client that wants to use Concrete5.7 for an employee portal. If they are in the building, he does not want them to have to log in to view the site. However, if they are not in the building, he wants them to be able to access the site via a login. The building has a static IP address. Is there a way to over-ride the login or automatically use a specific credential if the user is accessing the site from a specific IP address?
You can use the concrete5 Application Events
For example-
Events::addListener('on_before_render', function($event) {
$clientIp = Request::getInstance()->getClientIp();
if ($clientIp === YOUR_STATIC_IP) {
$service = Core::make(\Concrete\Core\User\Login\LoginService::class);
$service->loginByUserID(THE_ID_YOU_WANT_TO_USE);
}
});
This is just an example. Please follow the recommended convention on concrete5 documentation.
Within the Firebase console I have specifically set it to only allow "One account per email address". This is found on the sign-in method tab under "advanced".
I have an account created using the Google login method that has an address like "me#gmail.com". If I then choose to sign-in via Facebook using an account that also uses "me#gmail.com", Firebase is allowing it with the exception that the email address in the Users entity is null.
The Firebase documentation states:
if you don't allow multiple accounts with the same email address, a
user cannot create a new account that signs in using a Google Account
with the email address ex#gmail.com if there already is an account
that signs in using the email address ex#gmail.com and a password.
Does this only count if you are trying to create a Firebase login directly with a username/password vs creating an account from two providers like Facebook and Google? I would be under the impression that if it finds a duplicate email address it should reject the registration/login. I do realize the quote states "and a password" which makes me wonder.
Go to Firebase Console
In the Authentication -> SIGN-IN METHOD
Scroll Down to Advanced Section
Click on CHANGE and then SAVE
Step 1 : Go to Firebase Console > Authentication > Sign in method. Check the option preventing multiple account creation with single email id.
Step 2 :The following documentation explains how to connect multiple providers to a single account using custom method.
https://firebase.google.com/docs/auth/web/account-linking
#AndroidBeginner's answer helped solve this for me, however, the "Account Email Settings" option is no longer under Authentication --> Signin Method, I found it under Authentication --> Settings, and it's the first option at the top "User Account Linking".
Clicking on "Create multiple accounts for each identity provider" did solve my error in chrome console, and I am able to login/register in my app with chrome and Facebook, but now I do have multiple users with the same email...
Expanding Kathir's answer, Firebase documentation does provide solution.
The following are code snippets copied from the documentation.
// Step 1.
// User tries to sign in to Google.
auth.signInWithPopup(new firebase.auth.GoogleAuthProvider()).catch(function(error) {
// An error happened.
if (error.code === 'auth/account-exists-with-different-credential') {
// Step 2.
// User's email already exists.
// The pending Google credential.
var pendingCred = error.credential;
// The provider account's email address.
var email = error.email;
// Get sign-in methods for this email.
auth.fetchSignInMethodsForEmail(email).then(function(methods) {
// Step 3.
// If the user has several sign-in methods,
// the first method in the list will be the "recommended" method to use.
if (methods[0] === 'password') {
// Asks the user their password.
// In real scenario, you should handle this asynchronously.
var password = promptUserForPassword(); // TODO: implement promptUserForPassword.
auth.signInWithEmailAndPassword(email, password).then(function(user) {
// Step 4a.
return user.linkWithCredential(pendingCred);
}).then(function() {
// Google account successfully linked to the existing Firebase user.
goToApp();
});
return;
}
// All the other cases are external providers.
// Construct provider object for that provider.
// TODO: implement getProviderForProviderId.
var provider = getProviderForProviderId(methods[0]);
// At this point, you should let the user know that he already has an account
// but with a different provider, and let him validate the fact he wants to
// sign in with this provider.
// Sign in to provider. Note: browsers usually block popup triggered asynchronously,
// so in real scenario you should ask the user to click on a "continue" button
// that will trigger the signInWithPopup.
auth.signInWithPopup(provider).then(function(result) {
// Remember that the user may have signed in with an account that has a different email
// address than the first one. This can happen as Firebase doesn't control the provider's
// sign in flow and the user is free to login using whichever account he owns.
// Step 4b.
// Link to Google credential.
// As we have access to the pending credential, we can directly call the link method.
result.user.linkAndRetrieveDataWithCredential(pendingCred).then(function(usercred) {
// Google account successfully linked to the existing Firebase user.
goToApp();
});
});
});
}
});
I'm looking for a way to customize logins to allow for an administrator to provide a user with an account and a one-time-use temporary password (via email), that enables the user to log into a site (the user can't create an account on their own).
The first time the user logs in, they are instructed to change the temporary password given by the administrator.
I have accounts-ui and accounts-password working, but the user can create a new account at will.
If it matters, I plan to use Autoform and Iron Router for this.
I search the Meteor docs for "enroll", but the information is sparse IMO. Is there a fully working example somewhere to help me get started?
To disable the usual way of creating an account, use Accounts.config:
forbidClientAccountCreation Boolean
Calls to createUser from the client will be rejected. In addition, if you are using accounts-ui, the "Create account" link will not be
available.
Then, instead of having a temporary password, I think you should create the account without password and then use Accounts.sendEnrollmentEmail to send the user an email to choose one.
To create an account without a password on the server and still let
the user pick their own password, call createUser with the email
option and then call Accounts.sendEnrollmentEmail. This will send the
user an email with a link to set their initial password.
So, something like that:
Accounts.config({forbidClientAccountCreation: true});
Meteor.methods({
adminCreateAccount: function (accountAttributes) {
if(Meteor.user() && Meteor.user().role == "admin") {
var accountId = Accounts.createUser({
'username': accountAttributes.username,
'email': accountAttributes.emailAddress
});
Accounts.sendEnrollmentEmail(accountId);
}
}
});
What you can do is
let the admin create user (Accounts.createUser)
add a marker ( eg user.profile.changedInitialPwd) which will be set when the user
changed his pwd)
use some verification logic to make sure, the user has changed his password before he is allowed to sign in
E.g.
Accounts.validateLoginAttempt(function(attempt){
if (attempt.user && !attempt.user.profile.changedInitialPwd ) {
console.log('Initial password not changed');
return false; // the login is aborted
}
return true;
});
Using the standard OAuth functionality provided in a ASP.NET Project I want users to be able to connect their account to Facebook and GMail accounts but by default you can also register a new account by using the external log in links and I want to disable this.
How can I disable this?
I solved it by changing this in RegisterExternalLogin.aspx.cs in class ProcessProviderResult()
if (User.Identity.IsAuthenticated)
{
// User is already authenticated, add the external login and redirect to return url
OpenAuth.AddAccountToExistingUser(ProviderName, ProviderUserId, ProviderUserName, User.Identity.Name);
RedirectToReturnUrl();
}
else
{
Response.Redirect("~/Account/Register.aspx");
// User is new, ask for their desired membership name
// userName.Text = authResult.UserName;
}
If user is not authenticated I redirect the user to the normal registration page.