Azure B2C user flows - accessibility issues on screen readers - dom

We currently have issues to make the B2C user flows accessible from a screen reader perspective.
All the DOM ingested by the MS user flows in conjunction with our HTML/CSS UI files makes it impossible for a screen reader not to crash or to work normally.
Does anyone have a better insight into how to overcome these issues using B2C user flows? Any workarounds or alternatives?
Thanks and Regards

Related

User management and Commenting system for website

I am working on a news media website, and I am looking to add feature to allow users to register, login and make comments.
For example (New York Times login/register screen)
May I know what options are available, what are the common approaches publishers would choose ?
So far I have been looking at:
AWS Cognito: Allows to create own user directory, and authenticate.
Disqus SSO: also implements commenting.
In-house development: Code a new microservice to manage the user directory and store/serve comments, alternatively using AWS Lambda. I am very keen to go down that path, example, but this might cost a lot to develop + maintain.
User data security is my top consideration, I would prefer to use a separate system to store user data. Either a robust third party service or complete in house development of a new system.
Any suggestions?
Thank you.
These are web-standards for single sign on:
OpenID
OpenID Connect
Companies like Google and Facebook provide authentication using Google-/Facebook-accounts. As far as I know, Google uses OpenID Connect which is based on OAuth. However, I don't know if you don't have to store user data any more at all when using this.
I believe it's worth checking again if authentication and commenting should be combined, especially when using a third-party-solution. It makes it harder to change one of the two.
This could give you some more ideas: https://en.m.wikipedia.org/wiki/List_of_single_sign-on_implementations.

Is OAuth suitable for this scenario?

I'm new to OAuth and I would really appreciate it if someone could give me a hand with my problem. I need to create a simple web application to track expenses, with some basic actions (user must be able to create an account and log in, list expenses, edit them, etc.) with a REST API for each one, and the trick is that I need to be able to pass credentials to both the webpage and the API. So, after some research I've found some examples using Digest Authentication and HMAC Authentication, but a lot of posts also mentioned OAuth as an alternative approach, so my question is: given this scenario, would it be proper to use OAuth? I mean, as far as I understand, OAuth is suitable when you want to share resources with another application, which I'm not doing for this project; besides that, when you try to access the shared resource a page appears requesting permission for the foreign application. Would that page appear at some point in my application? (maybe after the login?)
Thanks in advance guys
In your current scenario it does not make sense to use OAuth. It's not what OAuth is designed for.
If your application ecosystem is going to have multiple webapps running on a single SSO (like google) then it is very helpful to have OAuth.
Suggestion: Decide based on your business/operation plan and implement accordingly.
Note: If you plan to have 10 apps in the span of the next 5 years but only have one app now it does not make sense to spend time to implement complex protocols like OAuth right now. Scale as you grow.

Sending SAML request to NetSuite

I've been navigating and toying with features of NetSuite, and one feature that I came across was the SAML single sign-on. I cannot understand how it works or even get it working.
I've read the numerous SAML documents on suiteanswers however, they leave me puzzled.
Does anyone have a working netsuite SAML code example or documentation?
A hurl.it would suffice also!
Thanks in advance
I don't have a specific SAML snippet, but IIRC SSO needs to be enabled/provisioned. Kindly navigate to Setup, Company, View Billing Information. There must be users provisioned towards the bottom under: Two Factor Authentication Users (Should show Provisioned Quantity and Used Quantity.) I believe there is also a place on Role Permissions where a Role can be defined as single Sign On ONLY - but I don't think that is what you are asking.
Like I said, I have no snippet; however, on the SuiteAnswers site they give a reference link to a PDF that shows a sample for you. The PDF itself is located here: https://system.netsuite.com/core/media/media.nl?id=7490306&c=NLCORP&h=cd5c1c4877483ebab26b&_xt=.pdf
I've made an offline http nonsecured version here stored in Dropbox: https://www.dropbox.com/s/ohiu6f308szu6rd/SAML_Setup_ADFS_Netsuite.pdf

Facebook - Twitter authentication - information merge

I'm building a service which can be used anonymously; however, the user has the ability to share content on his/her Facebook and/or Twitter profiles. Upon authorizing the applications I wish to store basic information about the users and link it to the content they are sharing.
Usually services require authentication prior to usage, which solves this problem, however in my case authentication comes at the very last stage and it's split into 4 paths:
[Facebook + Twitter]
[Facebook alone]
[Twitter alone]
[Nothing]
However, doing the above will create redundant data in the database, i.e. I will have the Facebook information and Twitter information in separate tables with no linkage between them and no relation to the post.
What's the best approach to prevent this? Is the solution on the data modeling level? Or on the code level? Or both?
Has this been done before?
I have created a flow chart of how the merging of account data can be done; however, this process might create overhead on the database level as it will require searching for entries using the very long FacebookID / TwitterID.
If extra information is required please state it in a comment.
Thank you
The way I would handle this is to separate the concept of user identity from the concept of authentication used by your application. For example, at the data model level, have Users table store basic user information and have Authentications table that stores user credentials/tokens associated with a particular Authentication Provider.
At the code level, if you are planning to stick with third-party authentication, I would recommend looking into building a layer that can shield your application from having to deal directly with various OAuth providers.
In the Ruby/Rails world, this is accomplished by a combination of Devise, which manages user identities (it also allows you to have built-in username/password authentication, but it does not sound like you are interested in that), and OmniAuth, which delivers authentication against multiple providers.
An example application incorporating both is available here: Devise + OmniAuth.
Finally, RailsCast on the subject is here: OmniAuth Part 1
I realize that you may not be working in Ruby/Rails, but these materials may provide you with inspiration for the architecture you are trying to achieve.
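The identity/authentication split the answer above describes, as an added example that is not part of any post here (a constructed SQLite schema with hypothetical table and function names): one users row per person, one authentications row per provider login keyed by (provider, provider_uid), and posts that reference only the user, so a Facebook login and a Twitter login can be linked without duplicating data or doing unindexed scans on the long provider ids.

```python
import sqlite3

# Added example, not from any post above. Identity lives in users; each
# third-party login is one authentications row keyed by (provider, provider_uid),
# so a user may hold Facebook and Twitter rows; posts reference the user only.
SCHEMA = """
CREATE TABLE users (
    id           INTEGER PRIMARY KEY,
    display_name TEXT NOT NULL
);
CREATE TABLE authentications (
    user_id      INTEGER NOT NULL REFERENCES users(id),
    provider     TEXT NOT NULL,      -- 'facebook' or 'twitter'
    provider_uid TEXT NOT NULL,      -- the provider's long numeric id
    token        TEXT NOT NULL,      -- OAuth token: encrypt at rest in real use
    PRIMARY KEY (provider, provider_uid)  -- indexed, so uid lookups stay cheap
);
CREATE TABLE posts (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    body    TEXT NOT NULL
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def authenticate(db, provider, provider_uid, token, name, current_user=None):
    """Resolve a provider login to a users.id: reuse, link, or create."""
    row = db.execute("SELECT user_id FROM authentications WHERE provider=? AND provider_uid=?",
                     (provider, provider_uid)).fetchone()
    if row:  # known login: refresh the token, keep the existing identity
        db.execute("UPDATE authentications SET token=? WHERE provider=? AND provider_uid=?",
                   (token, provider, provider_uid))
        return row[0]
    user_id = current_user  # already signed in (e.g. Facebook): link Twitter to same user
    if user_id is None:     # first login of any kind: create the identity
        user_id = db.execute("INSERT INTO users(display_name) VALUES (?)", (name,)).lastrowid
    db.execute("INSERT INTO authentications VALUES (?, ?, ?, ?)",
               (user_id, provider, provider_uid, token))
    return user_id

def providers_for(db, user_id):
    """Providers linked to one identity, e.g. ['facebook', 'twitter']."""
    rows = db.execute("SELECT provider FROM authentications WHERE user_id=? ORDER BY provider",
                      (user_id,)).fetchall()
    return [r[0] for r in rows]
```

The "[Facebook + Twitter]" path is the call with `current_user` set; the "[Facebook alone]" and "[Twitter alone]" paths are the same call without it, and the "[Nothing]" path never touches these tables.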

Secure/Best Practices for Account Creation for app that uses REST services?

I apologize if this is a somewhat stupid question, but I am very new to the REST programming realm. I have an application that is both web, mobile and machine accessible, and I will be leveraging REST-like web services for the mobile and machine part. I was going to use the S3 authentication model for the REST requests, however that requires the user account to already be setup.
If the user initiates his use of the service via an iPhone or other mobile device, what is the best way to securely create the user account? As it stands right now, anyone can create an account; it will be created inactive and then activated via an email link to a CAPTCHA web page. But I am afraid this could still lead to DoS attacks given the fact that an email is generated for each request.
Any suggestions on improving this model and/or assuring the request does in fact come from an iPhone?
A good CAPTCHA will prevent such DoS attacks.
Require the CAPTCHA before sending the email link, i.e. when requesting an account.