We have an ASP.NET application where we need user's email in order to further send them transactional email. We have added Twitter Signup but not getting email address along with access_token.
We have checked twitter documentation and their FAQs for the same but have had no luck so far. The FAQ says that we need to ask for user's email in as a distinct act:
recently I came to a website http://medium.com which asks for email while authentication in it's scope, please refer to the image below:
I'm not sure how do I add email scope to my twitter application. Any help is highly appreciated!
It is not possible to get user's email address from twitter.
This can be made possible by filling out a form to request elevated permissions:
Go to https://support.twitter.com/forms/platform
Select "I need access to special permissions"
Enter Application Name and ID. These can be obtained via
https://apps.twitter.com/ -- the application ID is the numeric part
in the browser's address bar after you click your app.
Permissions Request: "Email address" Submit & wait for response
Related
I am working on a .NET application and I have set up an external login with facebook.
Currently, when the user uses the external login functionality, signs in to Facebook and my app recieves his email address, I create a new user account and consider the email address verified. (otherwise he could not login)
Is this a good practice though? Is it possible that some attacker would change the email address midway or something? What is the best practice for letting users sign in using external login providers?
Any help would be much appriciated, thanks.
Edit: In this tutorial the guy sends a confirmation email to the email address he recieves from the external login providers. However this seems impractical to me. It kind of defeats the purpuse of simplifying the log in/sign in process, moreover I don't think I was ever asked to confirm my email when I had used external login providers to log in myself.
Is it possible that some attacker would change the email address midway or something?
No, because you are using facebook which implements openid or oauth2.
In oauth2, mail and its password are safe because you do not manage them. Those are managed by your oauth2 provider (facebook in your case)
Also according to the oauth2 flow which is the same in google, facebook, linkedin, etc the provider don't send you the email. It sends you the authorization code:
use go to your web.com
user is redirected to https://www.facebook.com/v8.0/dialog/oauth?client_id={app_id}&redirect_uri={redirect_uri}
oauth2 provider prompts a login if user was not logged in previously
user accepts the consent form (next next)
oauth2 provider (facebook in your case) at the end, perform a final redirect to your web.com (using the callback url previously registered) sending the authorization code: https://web.com?code=196da272-083c
this code is required to generate the access_token and can be used just one time(another http invocation)
the access_token is required to get the email (another http invocation)
The only way to attack could be try to send fake authorization codes to https://web.com?code=**** but in the next step (exchange auth code for a new access_token), facebook will return you an error because the attacker cannot create real authorization codes.
Confirmation email
As you said, if your web allows the user to login with some social network, add a new step with email confirmation is impractical. Is more, facebook allows the use of phone number instead of mail.
But there are some scenarios (not in the authentication) in which mail could be your ally:
Offer an option for alert the user with something like this: Hi Bob, a new account was created with your social network... If you didn't, please click on the following...
confirm an email to be used in future notifications
I have read the functions docs and the authentication codes on the firebase website, but I have no clue if it will be secure or not. I've read the whole of this doc: https://firebase.google.com/docs/auth/custom-email-handler
They seem to do all the verification on the website but I can't find the verifyPasswordResetCode(actionCode) function in the node.js doc so what way would you go around this?
Basically, if the user forgets their password/needs to verify their email I want the user to go to my website (I've already configured the custom action URL that is sent when the user requests to reset their email to go to 'mywebsite.com/auth/action/.../'. I know that the my front end (IOS App) needs to verify the code and then In my functions (that's hosted on my website) I need to reset their password, but how would I securely transfer information from the email to my app, to my website with the function to reset their password with the action code. Or can I do it all on my website instead of where they input their new password on the website? I'm guessing using dynamic links?
Thanks,
Nathan
There are some question on the StackOverflow about facebook & email, but after reading them I still have a problem with retrieving users emails.
Our app implemented on Flex and uses REST API. And previously it used notifications.sendEmail.
App has publish_stream and email permissions (checked with users.hasAppPermission).
I tried users.getInfo for get proxied_email address.
But this function does not return email address of the friend..
Then I performed the following test using Graph API and web browser:
Opened the following link for authorization with extended permissions:
https://graph.facebook.com/oauth/authorize?client_id=[app_id]&scope=publish_stream,offline_access,email&redirect_uri=http://www.facebook.com/connect/login_success.html
It returned code for retrieving access_token
Oppened the following link for retrieving access_token
graph.facebook.com/oauth/access_token?client_id=[app_id]&client_secret=[secret]&code=[code]&redirect_uri=http://www.facebook.com/connect/login_success.html
It returned access_token. And now I can use GraphAPI.
Tested with my account
graph.facebook.com/me?access_token=[token]
Ok. It returned my emal.
Tested with my friend
graph.facebook.com/[friend_id]?access_token=[token]
And here is no email field!
So my questions are
Where did I go wrong?
Is it possible to get friend's email via Facebook API (GraphAPI or REST API)?
Thanks.
Email permission gives access to your email only.
If you look at the extended permissions page it says:
Likewise, to protect the privacy of users who have not explicitly authorized your application, your application will only be able to access the basic profile information about a user's friends, like their names and profile pictures. If your application needs to access other data about a user's friends to enable social functionality, you will need to request some of the special friends permissions listed below.
And if you look at the table below, it says "not available" for email permission for friends.
there ought to be some way else how does JanRain does it?
http://www.janrain.com/products/engage/invite-friends
I think that getting friends' email ids is not permitted by Facebook; at least, that's what my research tells me.
#helloworld: Who told you that janrain gets users' friends' email ids?
Only with the extended permission you can specify via the scope attribute, when obtaining the access token
Example:
https://graph.facebook.com/oauth/authorize?
client_id=...&
redirect_uri=http://www.example.com/callback&
scope=email
I am developing an ASP.NET application.
I implemented Facebook API in my application now I want to access email addresses of my friends on Facebook.
I successfully connected Facebook with my application, but when I use FacebookApi.friends.GetList() it will give only friends userids then I will fire a FQL for each friend userid to access email but some time I got blank instead of email address.
Can someone help.
Which is best way facebook rest API or graph API?
The answer is almost certainly that one of the following is true:
The user hasn't shared an email address with Facebook
The user has placed you in a privacy group they deign to share their email address with
The user has set their privacy settings to not share their email address at all
If any of these are true, there's nothing you can do to resolve this short of asking your friends to change their privacy settings.
You need to ask for permission "email" to access email address of any user using your app, the reason why you are getting some email addresses is because few of Facebook users relatively have less restrictive privacy settings.
net website, i would like to implement forget password. I am using following steps
Form having input box for login Id and email Id and CAPTCHA
when user enter details and submit, at backend after validation new password is generated and replaced old password at database.
New passowrd is send to user at email.
Please help me whether i am doing right or not?
Is there any other secure mechanism for the same?
[EDIT]
Thanks, i got your reply. Really this is a secure mechanism. But here i have few doubt
What message should i shown to user when he enter loginId and email address at forgotten password page?
Whether message would be same for valid user and mallicious user?
Advantage of using CSRF token? Any help / link
When user click on link then what should i do; because as i guess user should automatically loggin into their account -then after that i have 2 choice (first) send new password automatically to user (second) new form will shown to user where user will enetr old password and new password twice?
Please help?
I can see why you'd want a CAPTCHA, but I'd take a different approach.
When a password reset is requested check that a reset has not already been requested for that account within the last X minutes. If a password has already been requested ignore the reset request.
Check the IP requesting the password reset. If that IP has requested a password reset in the last Y minutes ignore the request.
If the checks in 1 & 2 pass check the account exists. If it doesn't ignore the request.
If we've gotten this far generate a one time token, which expires in Z minutes and a password reset URL which encompasses this token. Email this to the registered email address. When the URL is loaded prompt for a new password and reset.
For those who believe that you should tell the user where the email has gone I strongly disagree. This is "information leakage", even if you do limit it to the domain name. For example say I've registered on JeffAtwoodEatsBabies.com as blowdart. If Jeff had requested a password reset for me and you showed the registration domain then he'd see idunno.org. This is my personal domain and thus Jeff would know the blowdart user is, in fact, me. This is a bad bad thing. I should not have to register using hotmail or gmail or whatever in order to protect myself from your code showing an email domain to all and sundry.
In addition you shouldn't be showing error messages at all. No matter what happens, a username is not actually registered, or too many requests have been made or the sky has fallen you should be telling the user that the password reset procedure has started. Informing a user that an account doesn't exist is more information leakage.
One final thing you could do is add a CSRF token to the reset request page, so it cannot be driven from other web sites.
Followup
So to answer your further questions.
What message you show is up to you. "Instructions for resetting your password have been emailed to the registered email for this account" is one idea, but really it's down to your audience.
Already addressed above.
Wikipedia is a good starting point. How you do it depends on your platform and is a complete other question! For ASP.NET you could look at my codeplex project, http://anticsrf.codeplex.com or look at ViewStateUserKey.
When the link is clicked I would first validate the token in the URL against the username it's being applied to then I would either allow the user to enter a new password, or generate a new one and email it. You can't prompt for the old one, as the whole point is the user has forgotten it!
There are many ways this has been implemented. As you said, generating a new password and sending it to the registered email address is one method. I wouldn't suggest you go that route though, as my password would be reset everytime somebody tried guessing my password.
Instead, the best thing I've seen to date is simply emailing the registered email with a link that will begin a password reset process. You may even let the user know which email address to check by showing a masked version of their email address used in registration:
An email was sent to ********#hotmail.com. Please check your inbox to continue.
Be sure to keep in consideration those of us who may forget which email address were registered with - typically a few security questions are a great way to make that information available.
I've done that recently. When the user enters their username or email address, we generate a unique token and email it to them as part of a link. Upon receipt of that email, they click the link, and are automatically logged in, taken to the my account screen, and prompted to reset their password.
Of course, this relies 100% on the security of the email client, but it's hard to beat from a usability perspective.
You shoud check the answer to the question : Can anyone provide references for implementing web application self password reset mechanisms properly? from D.W. on security.stackexchange.
It is the most complete answer I found on the subject. I also suggest you to read this article : Everything you ever wanted to know about building a secure password reset feature