I wish to allow users with Google, Facebook, etc accounts to access my site however can I get them to utilize two factor authentictaion to access the site? Assuming it is posisble, how do I need to do, consider, etc?
You need to use OpenID to allow users to authenticate to your site via their Google or Facebook accounts. See:
https://developers.google.com/accounts/docs/OpenID
once you have OpenID enabled on your site. Users who have Google or Facebook two-factor authentication enabled will still be able to authenticate to your site assuming they succesfully pass 2-factor to Google or Facebook.
Jay
Related
For multiple applications, I want to build a centralized account solution. The core consists of some ASP.NET Core web applications. But I also want to include third-party applications like WordPress, GitLab, or a XAMPP/HipChat server. My goal: The user creates ONE account, which can be used in all of those applications. So an LDAP server seems the best way for this since many applications have support for this protocol. This also gives flexibility for other applications, which may be added later.
The problem here is, that the users should be able to authenticate using common social sites - Especially Facebook. It's state of the art and would increase the conversation rate, cause it's easier for the users.
Is it possible to integrate social login provider like Facebook to LDAP servers like ApacheDS?
As I see the topic, Facebook generates some kind of authentication token, which can be used from the application to verify the identity of the user. In my custom web apps, this is no problem. But for e.g. a XAMPP server, this seems not to work: LDAP requires username/password. But I don't have this, since there is only a Facebook token available. The LDAP server could store this in an attribute. However, this would require to check this token instead of a password on an LDAP bind.
On the other side, when I drop the LDAP server and use some framework like ASP.NET Core identity instead, it's not a big deal. The problem here: I'm not able to use this login for third-party applications. This would require the users to have an additional account for e.g. XAMPP, WordPress, and so on, which results in big chaos and is thereby not suitable for me.
By dropping social support, it works. This seems also not to be a good idea since those logins are state of the art and I'm targeting younger users, which expect an SSO solution with Facebook or similar providers.
Facebook (and other social login sites) use a protocol named OAuth to authenticate. Probably the easiest solution would be to implement an OAuth server yourself that uses your LDAP as backend and then add that beneath the Facebook login as the second way of login.
That will not add users logging in via Facebook to your LDAP but as you usually only get an OAuth token back for login (not necessarily a username) which needs to be verified against Facebook (or whoever provided that token) it doesn't work to use it as "password replacement".
We are building several websites/products, if a user has an account on one site they will also be allowed access to all other sites.
Let's say we have the following setup:
Clients
site1.com
site2.com
Single Sign On Portal
sso.company.com
APIs
api1.company.com
api2.company.com
The Single Sign On Portal supports multiple OAuth providers, such as Google, Microsoft, Facebook, etc and this is all working great built on top of the default ASP.NET Web Forms template in VS 2015 using OWIN and Idenity.
The SSO site is logging the user in an using a cookie for authentication, which works fine while still on the SSO site. Now we need to return a token that the client site can use to know that the user is authenticated
Now the challange here is how do we exchange the cookie to a token that we can return to the client(s) to use in the Authorization header in request sent to our APIs?
Should we generate a token our selves or is there some built in functionality we can use for this purpose?
I've seen most people generate a token themselves and then multiple accounts can be linked to that same user in your account (i.e. a user could log into both FB and Google). Most of the SSO providers have a way to get an identity token or one time use code for your server to use and get user info like FacebookId. The key is ensuring that identity token came from FB and not a third party.
Auth0 is a pretty good service if you want a managed route. Even if you don't use them, they have a lot of good resources on oauth. (I have no affiliation with them other than that we used them before.) we also have a little more info on auth: https://www.moesif.com/blog/technical/restful-apis/Authorization-on-RESTful-APIs/
Our company has 5 product sites developed using ASP.net,PHP,Flex, etc and most of them has common users.The requirement is to avoid multiple logins when the same user accessing these websites. We have different databases for authentication for each site.
Only registered users can able to go to the respective websites.
What would be the simple and easy approach for doing this? Cookies doesn't work because of different platform(s) . I would like to use ASP.net/c#/SQL server for the development. There are different SSO's are available in the market ( SAML 2.0 with componentspace libraries), but not sure it is needed in our case.
The way this can be implemented is with Claims Based Authentication.
Basically, you will generate a token of some kind that would follow the user from system to system. (Encrypted, validated some how coming from a trusted source.)
Using that token, each system can authenticate the user and authorize access if successful.
This is similar to how some websites (like StackOverflow) will let you log-in with a Google or Facebook account without creating an individual account. Then when you login, FB or Google issues a token (aka claim) that you are who you say you are. Because StackOverflow trusts Google, they accept the Claim (promise) that you are, in fact you.
I just wanted to ask if you can retrieve cookies in your asp.net application from when you logged into the YouTube website?
I understand how to set and retrieve cookies using .net and i could do this when the user inputs there username and password in my application but whats the point if the user has already logged into there YouTube account using YouTube. So from the user logging into there account using YouTube could i retrieve the cookies set by YouTube?.
You're not able to read cookies from another domain since doing so would be a huge security risk. So in your case, your web app would not be able to read cookies from YouTube.
Depending on what you're trying to do, you can leverage OpenId or OAuth for authentication and/or authorization respectively. This is a comparison of the two.
I am trying to implement OpenId for an internal web app. Our college is on Google Apps for Edu, so we have the suite of Google OpenID and OAuth exposed to us.
I would like my login page to have the standard username and password, and additionally a button on the side that will authenticate internal users to our app domain.
I have followed the example here http://www.dotnetopenauth.net/developers/code-snippets/programmatic-openid-relying-party/ but it seems that the rules are different for the google apps id than a general google id.
Any help or further documentation would be helpful.
I have the same problem as you.
For your Google Apps login, your relying party URL is https://www.google.com/accounts/o8/site-xrds?hd=example.comsite-xrds?hd=example.com
Where you replace example.com with your URL.
However, As far as I can tell, dotnetopenauth does not handle the protocol extensions google uses when it returns.
However, using https://www.google.com/accounts/o8/id works perfectly fine.
Using this url, you pass off users to Google to login. Google will check for cookies and prompt for a login if required. if not it'll just confirm with the user that they want to associate their authentication with this site and pass you back.
Still trying to get dotnetopenauth to accept the new url: https://www.google.com/accounts/o8/site-xrds?hd=example.com