Using the standard OAuth functionality provided in an ASP.NET project, I want users to be able to connect their account to Facebook and Gmail accounts, but by default you can also register a new account by using the external log-in links, and I want to disable this.
How can I disable this?
I solved it by changing this in RegisterExternalLogin.aspx.cs, in class ProcessProviderResult():

    if (User.Identity.IsAuthenticated)
    {
        // User is already authenticated, add the external login and redirect to return url
        OpenAuth.AddAccountToExistingUser(ProviderName, ProviderUserId, ProviderUserName, User.Identity.Name);
        RedirectToReturnUrl();
    }
    else
    {
        Response.Redirect("~/Account/Register.aspx");
        // User is new, ask for their desired membership name
        // userName.Text = authResult.UserName;
    }

If the user is not authenticated, I redirect them to the normal registration page.
Related
With .Net Core 3.1 and IdentityServer4, I have successfully set up Twitter sign in.
However, if I already created an account with that same email address (independently of Twitter)... when I click log in with Twitter, it then redirects me back to the identity server External Login page with the following message:
You've successfully authenticated with Twitter. Please enter an email address for this site below and click the Register button to finish logging in.
and a textbox with my twitter email address already filled in: [ myemail#mydomain.com ]
When I click Register I get the error message:
User name 'myemail#mydomain.com' is already taken.
This makes some sense... but it would be really nice if I had the option of connecting the Twitter login to the existing account... Is there any way to do this?
It's up to you in the ExternalController.Callback method in IdentityServer to handle the mapping to existing accounts and to create new accounts for new users.
For example, see this code:
    // lookup our user and external provider info
    var (user, provider, providerUserId, claims) = FindUserFromExternalProvider(result);
    if (user == null)
    {
        // this might be where you might initiate a custom workflow for user registration
        // in this sample we don't show how that would be done, as our sample implementation
        // simply auto-provisions new external user
        user = AutoProvisionUser(provider, providerUserId, claims);
    }
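One way to fill in that `user == null` branch so the Twitter login is attached to the existing local account rather than failing with "already taken". This is an added example, not code from the IdentityServer4 quickstart or from the answer; it assumes the quickstart's ASP.NET Core Identity variant (`UserManager<ApplicationUser>`, and the `(user, provider, providerUserId, claims)` tuple shown above), and `ExternalAccountLinker` is a hypothetical service name.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical service; inject it into ExternalController alongside the UserManager.
public class ExternalAccountLinker
{
    private readonly UserManager<ApplicationUser> _userManager;

    public ExternalAccountLinker(UserManager<ApplicationUser> userManager) => _userManager = userManager;

    // Returns the local user now linked to the external login, or null when no account
    // can safely be matched (the caller then falls back to its registration workflow).
    public async Task<ApplicationUser> TryLinkExistingUserAsync(
        string provider, string providerUserId, IEnumerable<Claim> claims)
    {
        var email = claims.FirstOrDefault(c => c.Type == ClaimTypes.Email || c.Type == "email")?.Value;
        if (string.IsNullOrEmpty(email)) return null;

        // Matching purely on e-mail lets anyone who can get an unverified address asserted by
        // a provider take over the local account. Require the provider to vouch for the address
        // (OIDC providers send email_verified; Twitter does not, so its address counts as
        // unverified here) and require the local account to have confirmed it as well.
        var providerVerified = claims.Any(c => c.Type == "email_verified" && c.Value == "true");
        if (!providerVerified) return null;

        var user = await _userManager.FindByEmailAsync(email);
        if (user == null || !user.EmailConfirmed) return null;

        var link = await _userManager.AddLoginAsync(
            user, new UserLoginInfo(provider, providerUserId, provider));
        return link.Succeeded ? user : null;
    }

    // Usage in the Callback branch from the quickstart:
    //
    //   if (user == null)
    //   {
    //       user = await _linker.TryLinkExistingUserAsync(provider, providerUserId, claims)
    //              ?? AutoProvisionUser(provider, providerUserId, claims);
    //   }
    //
    // When the provider cannot vouch for the address, send the user to a page that asks for
    // the local password before linking, instead of auto-linking or provisioning a duplicate.
}
```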
I have followed the instructions as the guide said:
LDAP/Active Directory
and How to use LDAP in ASP.NET Boilerplate (Free Startup Template)
But with no success.
Below is my trial and error:
User Scenario:
Most of the users are from the domain, so those domain users should not see the login page and should be logged in to the platform automatically.
Some of the users are not domain users; those who have access to the platform but do not belong to the domain should get the login page and enter a username/password to log in.
Here is a snap of my authentication code:
    if (!HttpContext.User.Identity.IsAuthenticated)
    {
        var domainUserName = System.Web.HttpContext.Current.User.Identity.Name;
        var entry = new DirectoryEntry("XXX");
        var search = new DirectorySearcher(entry);
        search.Filter = "(sAMAccountName=" + domainUserName + ")";
        // Check if the user is in domain or not
        var result = search.FindOne();
        if (result != null)
        {
            // Domain user, find the mapping user in db and login using the db user
            ...
        }
    }
Since the website should support both anonymous and Windows authentication, I enabled both authentication methods:
And also added the [AllowAnonymous] attribute to the Login ActionResult.
Per my understanding, the request authentication is performed in global.aspx, so I guess my authentication logic should have something to do with this:

    protected void Application_AuthenticateRequest()
    {
        ...
    }

But it just seems that I could not put my authentication code in there, because anyway I need to use the db user to manage user roles, but in global.aspx the UserManager is not even there.
I have tried to add this piece of code into the Login ActionResult, but there's a problem: when a domain user logs out, it will constantly log them in again, as it cannot tell if the user has actually logged out or has just come to the website.
So:
Where is the right place to put this authentication code?
How does LDAP work in this scenario? Does LDAP meet the requirements? I could never get LDAP to work in my project.
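The domain lookup in the post above concatenates the Windows identity name straight into the LDAP filter. Windows authentication hands you "DOMAIN\user", and a value pasted into a filter can carry filter metacharacters, so the search should take the account part and escape it as RFC 4515 requires. Added example, not the poster's or ASP.NET Boilerplate's code; the DirectoryEntry path is a placeholder.

```csharp
using System.DirectoryServices;
using System.Text;

public static class DomainUserLookup
{
    // RFC 4515 escaping for a value embedded in an LDAP search filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (var ch in value)
        {
            switch (ch)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(ch);     break;
            }
        }
        return sb.ToString();
    }

    // "CONTOSO\jdoe" -> "jdoe"; a name without a domain prefix is returned unchanged.
    public static string AccountNameOf(string identityName)
    {
        var i = identityName.LastIndexOf('\\');
        return i < 0 ? identityName : identityName.Substring(i + 1);
    }

    // Returns the directory entry for the account, or null when it is not a domain account.
    public static SearchResult FindDomainUser(string identityName)
    {
        var account = AccountNameOf(identityName);
        using (var entry = new DirectoryEntry("LDAP://<your-domain-controller>")) // placeholder
        using (var search = new DirectorySearcher(entry))
        {
            // objectCategory narrows the match to user objects; the escaped name cannot
            // add or alter filter terms.
            search.Filter = "(&(objectCategory=person)(sAMAccountName="
                            + EscapeFilterValue(account) + "))";
            search.PropertiesToLoad.Add("sAMAccountName");
            return search.FindOne();
        }
    }
}
```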
My application uses the user's email address as the user ID. Currently it does not allow users to change their email address. They can create a new account if they need to use a different email address. I'm implementing Google Identity Toolkit (GIT) on my site. For users who use Email/Password for login, the Manage Account page of GIT allows users to change their email address and password. I would like to block changing of the email address while keeping the change password option.
Is it possible, and if yes, how?
We do not support this option, but if you want to do this at your own risk, you can add the following callback in the widget callbacks config field:

    callbacks: {
        'uiChanged': function(from, to) {
            if (to == 'passwordAccountManage' && document.getElementsByClassName('gitkit-id-email-info-container').length) {
                document.getElementsByClassName('gitkit-id-email-info-container')[0].style.display = 'none';
            }
        }
    }
I followed this article https://azure.microsoft.com/en-us/blog/announcing-app-service-authentication-authorization/ to set up Azure authentication for my MVC app. First I turned on Azure AD provider. In the Authentication / Authorization settings, I selected "Allow request(no Action)" for "Action to take when request is not authenticated" because I only need users to login for certain controller actions.
Then I added a custom FilterAttribute to check if one action needs authentication as in https://stackoverflow.com/a/26652816/1837339. In the OnAuthenticationChallenge function, I had this code to redirect to login page:
    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        if (filterContext.Result is HttpUnauthorizedResult) {
            filterContext.Result = new RedirectResult("~/.auth/login/aad");
        }
    }
All of this works, except that after the user finishes authentication, they are redirected back to the mysite/.auth/login/done page saying "You have successfully signed in" with a button to return to my site's base URL.
What I want is for the redirection to go back to the user's original URL, so I think I need to somehow set the return URL for the login redirect. But I couldn't find any documentation about this. Could anyone give any advice?
You can use the post_login_redirect_url query string parameter to do this.
For example, if you want to automatically navigate the user to /welcome.html after logging in, you can set your login redirect to ~/.auth/login/aad?post_login_redirect_url=/welcome.html, and the user will be redirected to this page instead of the generic welcome page.
Thank you.
This really helped.
The below worked ok for me:
    return RedirectToAction(string.Format("login/{0}?post_login_redirect_url=/Home/LoginCallBack", provider), ".auth");
provider can be one of the strings: google, twitter, microsoftaccount, aad, facebook.
Also, each provider must be configured for your project in the Azure Portal.
The redirect URL may be any URI in your project.
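Putting the two together: the filter from the question, changed so the challenge sends the page the user actually asked for as post_login_redirect_url. This is an added example, not the asker's filter or anything from the Azure docs; it assumes MVC 5's IAuthenticationFilter and that App Service authentication populates Request.IsAuthenticated. The value is restricted to a same-site relative path so the parameter cannot be used to bounce a user to another host.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Mvc.Filters;

public class RequireEasyAuthAttribute : FilterAttribute, IAuthenticationFilter
{
    public void OnAuthentication(AuthenticationContext filterContext)
    {
        // Unauthenticated requests to a decorated action become a challenge.
        if (!filterContext.HttpContext.Request.IsAuthenticated)
            filterContext.Result = new HttpUnauthorizedResult();
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        if (!(filterContext.Result is HttpUnauthorizedResult)) return;

        var request = filterContext.HttpContext.Request;
        var returnUrl = SafeReturnUrl(request.RawUrl, new UrlHelper(filterContext.RequestContext));

        // The original path (with its query string) is URL-encoded into the parameter, so
        // "/Game/Lobby?id=7" survives the round trip through the AAD login.
        filterContext.Result = new RedirectResult(
            "~/.auth/login/aad?post_login_redirect_url=" + Uri.EscapeDataString(returnUrl));
    }

    // Accept only application-relative paths; absolute and protocol-relative ("//evil")
    // URLs fall back to the site root.
    internal static string SafeReturnUrl(string candidate, UrlHelper url)
    {
        if (string.IsNullOrEmpty(candidate) || !url.IsLocalUrl(candidate))
            return "/";
        return candidate;
    }
}
```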
I have an ASP.NET MVC4 web application, and I would like to use Facebook to authenticate users.
My plan is to have users "Sign Up" with Facebook, and then login using it.
Now this is fine when a user comes to the site and logs in with the Facebook Login button I have setup, which goes through an /Account/FacebookLogin action. In that action I can grab the Auth Token and check it against an SQL database to then authenticate the user with all the extra fields/info I store about them in my database (It's a web based game so Character name etc)...
Now, if the user comes to my site and they are already logged into Facebook, they obviously don't go through that /Account/FacebookLogin action... I simply have access to the auth token through the following:
    FB.getLoginStatus(function (response) {
        if (response.status === 'connected') {
            var accessToken = response.authResponse.accessToken;
            //alert("User is logged in");
        }
        else if (response.status === 'not_authorized') {
            //alert("User is not authorised");
        }
        else {
            //alert("User is not connected to Facebook");
        }
    });
My question is... What can I do in the "if connected" code to authorize my user, without sending them into an infinite loop? I tried redirecting them to the /Account/FacebookLogin action and passing in the auth token etc. But the getLoginStatus callback is called on every page... so they get stuck in an infinite loop.
Facebook has given you access to someone's Facebook identity. You might now want to create a user account for that identity. Once that user has an account then you then need to get the user to authenticate themselves with your application (you can use the Facebook identity to do this if you wish to tie yourself to Facebook). You can then authorize that user to undertake certain actions within your application.
In the context of MVC, you could quite simply issue them with a forms authentication token:
    var username = response.authResponse.name; // <- check the syntax on this
    FormsAuthentication.SetAuthCookie(username, true);
    return this.RedirectToAction("Index", "AuthorizedUsersOnlyController");
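The server side of that idea, written out as an added example (not the asker's or the answerer's code). The getLoginStatus callback POSTs only the access token; the action asks the Graph API whose token it is before issuing the forms-authentication cookie, and answers 204 when nothing changed so the page reloads only after a real sign-in, which is what breaks the loop. `IGameAccounts` and `Account` are hypothetical types standing in for the asker's SQL lookup.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Mvc;
using System.Web.Security;
using Newtonsoft.Json.Linq;

public class AccountController : Controller
{
    private static readonly HttpClient Graph = new HttpClient();
    private readonly IGameAccounts _accounts; // hypothetical store keyed by Facebook user id

    public AccountController(IGameAccounts accounts) { _accounts = accounts; }

    [HttpPost]
    public async Task<ActionResult> FacebookLogin(string accessToken)
    {
        // Already signed in: report "no change" so the client does not redirect again.
        if (Request.IsAuthenticated || string.IsNullOrEmpty(accessToken))
            return new HttpStatusCodeResult(HttpStatusCode.NoContent);

        // Never trust an id or name the browser sends; let Facebook resolve the token.
        // (/debug_token with an app token additionally proves the token was issued for
        // this app; /me alone only proves it is a currently valid user token.)
        string json;
        try
        {
            json = await Graph.GetStringAsync(
                "https://graph.facebook.com/me?fields=id&access_token=" + Uri.EscapeDataString(accessToken));
        }
        catch (HttpRequestException)
        {
            return new HttpUnauthorizedResult();
        }
        var facebookId = (string)JObject.Parse(json)["id"];
        if (string.IsNullOrEmpty(facebookId)) return new HttpUnauthorizedResult();

        Account account = _accounts.FindByFacebookId(facebookId);
        if (account == null) return new HttpUnauthorizedResult(); // client sends them to Sign Up

        // Key the cookie on your own account id, not on a display name the user can change.
        FormsAuthentication.SetAuthCookie(account.Id.ToString(), createPersistentCookie: false);
        return Json(new { signedIn = true }); // 200: the client reloads exactly once
    }
}
```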