I'm developing a Sina Weibo integration and I'm doing the oauth correctly but I have a problem with authorization page. When I click on enter, I accept authorization page and I can loggin correctly but if I log off and I try to clic another time enter, I can only see a login page, but no an authorization page.
How can I force that an authorization page shows always?
The correct login flow consists of the following:
1. redirect user to the authorize page with the app's client id
2. client logs in to weibo (authentication)
3. client grants the application requested permissions (authorization)
4. client is redirected to your app page.
I believe the step you are asking about is #3. Once a user has granted your application permissions, this will be stored on their weibo account. The user will no longer be prompted to grant permissions every time the user logs in. The exception is when the user has removed your application from their weibo account. Thus there is no way for your application to force the user to reauthorize your app every time. It is unclear under what circumstances this would ever be required/beneficial.
As a side note:
If a user is already logged in, #2 is skipped by default. The user can be forced to relogin with the forcelogin parameter described in the docs: http://open.weibo.com/wiki/2/oauth2/authorize/en
Related
I am creating an asp.net web application with "Remember Me" option during Login and it has an Edit Profile module where users can change their passwords. Here is the scenario.
I logged into the website from Machine A clicking "Remember Me". So I am logged in and since a persistent cookie is created I dont need to login the next time
until my forms authentication times out.
I logged into the website from Machine B using the same account details I used above and from this machine, I changed my password. In this case How can I make the user in Machine A to login again? (Since my credentials have changed). The same scenario can happen if someone gets any user's credential and uses the application.
Thanks
You have to save the last credentials modification date in your database.
When a user try to consult a page of your website, you have to check the date specified in the cookie.
You can also make an AJAX system that verify each minute if any changes are done and, in that case, verify the validity of the credentials.
If the latest date is the "last credentials modification", then delete the cookie and ask the user to log by himself.
I have a ASP.NET website where multiple users access the site using same user credentials. The site functions fine when used by single user, however when a second user with the same credentials logs in simultaneously and the first user performs any action (clicks any link, selects any dropdown etc.), the first user is redirected to the default/login page. I want both the users to access the site without any trouble.
Can any one comment on why this is happening and how this can be solved.
My guess for the reason of the behaviour would be the authentication method you are using. Probably when the first user logs in he gets a session ID that authorises him for the following requests.
When another user uses the same credentials to log in, different session ID is created for that user so the ID the first user has is not valid any more, and therefore he gets redirected to the login page.
I have an ASP.NET MVC application which uses Google+ sign-in to authenticate the user. The flow is as follows;
User accesses controller action decorated with [Authorize]
attribute, forms authentication is configured so the user is
forwarded to the log in page.
User clicks the Sign In with Google+ button and the server side flow is initiated as per guide
Server receives the Google tokens which are used to authenticate the user, logging them in and returning the standard asp.net auth cookie in the response. The user can then access the site with the cookie.
Now, if I go through the usual asp.net forms log out process of clearing the user's cookie/session there's a problem. If they attempt to access the application after they've logged out but are still signed into a Google product in another tab, they'll be re-directed to my login page. The Google+ sign-in button will automatically sign them back in again initiating the whole sign in process and getting a brand new asp.net cookie!! The only way to truly sign out is to ensure you are not signed into any Google products still and then attempt to sign out. Not exactly user friendly. I guess the same thing happens with all Google products, if I'm signed into Gmail and open Docs, I'll get signed in automagically. The difference being if you sign out of one, you'll sign out of all Google products. I think.
There is currently not a supported means of logging the user out from your site. What you can do is force the user to click the Google+ Sign-In Button before they will be authorized unless you have set a cookie on their client indicating they are signed in (or enrolled, if you want to distinguish between the sign-in action and being signed-in). You can look at this question:
how do i sign user out of my app?
or this question:
Preventing automatic sign-in when using Google+ Sign-In
for discussions on this topic on stack overflow and answers to similar questions.
Hi I'm using the FederatedPassiveSignInControl on my asp.net site (called ChildSite) to get an user identity from a STS which is set up on another asp.net site (called ParentSite). The authentication of my site (ChildSite) is set to FormsAuthentication, so the FederatedPassiveSignInControl is located on ChildSite's forms authentication login page.
I have 2 scenarios. In the first the user logs in to ParentSite and continues to ChildSite via a link in ParentSite. In the second the user goes directly to ChildSite and logs in to ChildSite:
Scenario 1:
User opens ParentSite in browser
User logs in to ParentSite
ParentSite displays a link to ChildSite in browser
User clicks link to ChildSite
User goes to child site
Here the user comes to login page.
Wanted behavior is that the user is seamlessly redirected to the requested URL at ChildSite as he has already signed in at ParentSite.
Instead the login page is showed and the user has to click on the FedratedPassiveSigninControl button to retrieve his identity and then be redirected.
I cannot set the FedratedPassiveSigninControl property autosignin="true". It would always redirect the user to ParentSite when not logged in and that would break scenario 2.
I wonder how I detect, or how I get FederatedPassiveSignin Control (or other WIF components) to detect that the user is already logged in, not show FedratedPassiveSigninControl and just forward the user to his requested page.
Scenario 2:
User opens ChildSite in browser
User enters credentials in text inputs at ChildSite and clicks log in.
The requested page at ChildSite is displayed.
Am I missing something here?
Cheers,
mortb
The simplest approach would be to add an additional querystring parameter to your 4th step in Scenario 1 so that when you finally get to your login page, you have an "if" : "if the querystring parameter is present then AutoSignIn = true".
This is known as "home realm discovery" although your scenario is not typical as hrd usually involves two or more stses and here you have to differentiate between the sts and forms authentication.
This looks like a classic SSO scenario. ParentSite and ChildSite should probably be 2 different relying parties. If user goes to ParentSite, then whenever they hit a protected resource (anything that requires user to be authenticated), then they will be redirected to the STS for authentication. A session is established between the STS and the user browser and then and then the user returns to the ParentSite with a valid token (assuming a "happy path").
When they hit a protected resource on the ChildSite (e.g. through a link on ParentSite) they will be redirected again to the STS (e.g. they will be requesting a token specifically for ChildSite, a second Relying Party). This time, because there's already a session with the STS, the authentication step is completed already and a 2nd token is issued. All this works seamlessly for the user.
This chapter of the "Claims Guide" covers this scenario: http://msdn.microsoft.com/en-us/library/ff359102
An additional note: credentials should not be entered in any of the sites, but in the STS.
What is the right way to find out if a user has logged in to Flickr? I have an iframe in my application which lets user's download their images from Flickr. But if the user is not logged into flickr, then flickr redirects me OUT of the iframe to the yahoo home page.
I would like to do the following:
- Check if the user has logged into flickr, if he has, then download his images in the iframe.
- Else, open a new browser window which will let the user enter his flickr login credentials.
Any suggestions from the experts?
You should use the Flikr API. You need to setup proper flikr authentication in your app. According to the docs, the authentication should flow like this:
Our web based app has the api key
'1234567890'. It has already
registered a callback url for this key
- 'http://viewr.com/auth.php'.
User visits http://viewr.com/ and clicks on the 'login' link.
This link points to http://flickr.com/services/auth/?api_key=1234567890&perms=read&api_sig=2f3870be274f6c49b3e31a0c6728957f.
The user is already logged in to flickr - they are asked if they wish
to allow the application to have
'read' permissions to their photos.
The user clicks 'yes' and flickr updates it's auth database.
The user is redirected to http://viewr.com/auth.php?frob=abcxyz.
-The app makes a background call to flickr.auth.getToken:
http://flickr.com/services/rest/?method=flickr.auth.getToken&api_key=1234567890&frob=abcxzy&api_sig=3f3870be274f6c49b3e31a0c6728957f.
The call returns an auth token '334455'.
The application stores the auth token and creates a session for the
user with a cookie which points to the
user's auth token.
The application makes a background request to the flickr.people.getInfo
to return information about the user,
by calling
http://flickr.com/services/rest/?method=flickr.people.getInfo&api_key=1234567890&auth_token=334455&api_sig=4f3870be274f6c49b3e31a0c6728957f.