I'm a user getting an OAUTH fail when trying to login to FounderDating. I'm getting a confirmed email address issue when I've confirmed my email is valid with LinkedIn. This has happened on other sites as well. Any solutions from LinkedIn?
Related
[Here's a link to the screen recording of the issue.] (https://drive.google.com/file/d/1vebV3izUTfP1o7NyXUP9irPM_oc89phi/view?usp=sharing).
The problem is not, in general, with accessing or logging into LinkedIn. I'm working on an app that uses the LinkedIn OAuth client to allow users to add their LinkedIn accounts.
My app https://notionsocial.web.app/ redirects the user to https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=77hkxxkjkqzq2n&redirect_uri=https://notionsocial.web.app/auth/callback/linkedin&state=state&scope=r_basicprofile%20w_member_social%20rw_organization_admin%20w_organization_social%20r_organization_social, It opens the LinkedIn authentication screen and was working fine a few days ago.
But now, when a user enters his credentials and clicks "sign in," it does not redirect to my website, with or without an error message. But show this page.
It is not related to my LinkedIn personal account; I have tried with different accounts and different browsers. Even a user of my app has encountered this issue on his computer
I have even tried other social scheduling websites and logged on to them using LinkedIn successfully.
But when I tried creating a new LinkedIn developer app and went to the access URL with the new client ID, the same issue occurred.
I have built an app that uses email & password authentication from Firebase, to enable users to log in, as per the Firebase documentation. The app itself uses Flutter as the coding language. I also have email verification enabled, to prevent spam accounts.
When a user adds their email address and password and clicks 'submit', they're given a notification telling them to check their emails for the verification link, which they must do before being allowed to log in.
The problem I am having is that users do not receive the verification email, so cannot log in. I've come across similar questions on this forum, where the answers have centred around checking spam/junk folders. I have asked the users to do this but they still have not received the email.
I've also tried using my own SMTP server, which is one from which I know I can send emails. Even with this, the users do not receive their verification email. This makes me think the emails aren't being generated/sent, as opposed to them being sent and not being received.
Can anyone suggest why this might be the case? Why is it that users are not receiving the verification email and what can I do to correct this?
If you don't use custom domain, sometimes emails go in spam folder
I am working on a .NET application and I have set up an external login with facebook.
Currently, when the user uses the external login functionality, signs in to Facebook and my app recieves his email address, I create a new user account and consider the email address verified. (otherwise he could not login)
Is this a good practice though? Is it possible that some attacker would change the email address midway or something? What is the best practice for letting users sign in using external login providers?
Any help would be much appriciated, thanks.
Edit: In this tutorial the guy sends a confirmation email to the email address he recieves from the external login providers. However this seems impractical to me. It kind of defeats the purpuse of simplifying the log in/sign in process, moreover I don't think I was ever asked to confirm my email when I had used external login providers to log in myself.
Is it possible that some attacker would change the email address midway or something?
No, because you are using facebook which implements openid or oauth2.
In oauth2, mail and its password are safe because you do not manage them. Those are managed by your oauth2 provider (facebook in your case)
Also according to the oauth2 flow which is the same in google, facebook, linkedin, etc the provider don't send you the email. It sends you the authorization code:
use go to your web.com
user is redirected to https://www.facebook.com/v8.0/dialog/oauth?client_id={app_id}&redirect_uri={redirect_uri}
oauth2 provider prompts a login if user was not logged in previously
user accepts the consent form (next next)
oauth2 provider (facebook in your case) at the end, perform a final redirect to your web.com (using the callback url previously registered) sending the authorization code: https://web.com?code=196da272-083c
this code is required to generate the access_token and can be used just one time(another http invocation)
the access_token is required to get the email (another http invocation)
The only way to attack could be try to send fake authorization codes to https://web.com?code=**** but in the next step (exchange auth code for a new access_token), facebook will return you an error because the attacker cannot create real authorization codes.
Confirmation email
As you said, if your web allows the user to login with some social network, add a new step with email confirmation is impractical. Is more, facebook allows the use of phone number instead of mail.
But there are some scenarios (not in the authentication) in which mail could be your ally:
Offer an option for alert the user with something like this: Hi Bob, a new account was created with your social network... If you didn't, please click on the following...
confirm an email to be used in future notifications
I have a web app that manages users' Google Calendar. Recently, I got an "invalid credential" error when retriving calendar list and figured out the user account is a g suite account (because of different domain). However, I still can get the access token as well as refresh token. I also can get open ID information from the account. But just cannot access the calendar. Other accounts ends with gmail.com worked fine.
Did I miss anything in authentication for these g suite users?
Based from this documentation, this error usually occurs if the access token you're using is either expired or invalid.
Here are additional links which might also help:
Error accessing Google Calendar using OAuth2.0. and service account: "Invalid impersonation prn email address."
Invalid credentials: Google API calendar
Google Calendar API 401 "Invalid Credentials"
I have a web application allowing users to login by their instagram account.
I've registered my app to Instagram.
When the user clicks the login button, I direct him to instagram page to login:
https://instagram.com/oauth/authorize/?scope=basic+relationships&client_id={MyClientId}&redirect_uri={My call back aspx page}&response_type=token
After getting access token, I try to get user's followers by sending a GET request to this link:
https://api.instagram.com/v1/users/201199350/follows?access_token={The access token i've got from the previous step}
For my account (which is the account the application registered with) it works perfect.
But the problem occurs when I try to get the 'follows' from other account.
I get 'Bad request 400' error.
How can I solve this issue?
Thank you !!
This is unsolved issue because error 400 means, that user not allowed or not found (deleted by spam/bot system). Also you cannot get followers of private user, if an authentication user is not follower of him.
For the authentication users from first link you can use https://api.instagram.com/v1/users/self/follows?access_token={The access token i've got from the previous step} link.