I need to allow less secure app access in Yahoo but I can't find the button :(
Any ideas ?
Regards,
Finally found it,
Go to ‘Generate App Password’ then select MacMail(in my case I use it) then copy past the generated code instead of your password.
Tested and working (2021)
The answer already provided by #zackzulg (see below). I have extended it.
'Less secure apps/services' don't support Yahoo's own sign-in method. An app password is a long, randomly generated code that gives a non-Yahoo app permission to access your Yahoo account.
Some older, third-party email apps (that do not use our Yahoo branded sign-in page) require you to enter a single password for login credentials. To access your Yahoo Mail account on these apps, you'll need to generate and use an app password.
Log into your Yahoo email account
Click your name on top right
Click the text 'Account info'
Select 'Generate App Password'
Click 'Get Started'. if its your first time
Add your "App's name" (Any name, for your reference)
Click 'Generate Password'
Copy this password and go to your app and instead of yahoo password enter this one.
What you need to know about 'Generate App Password'
You'll only need to provide this code once to sign in to your third-party app.
It does not replace your normal password.
If you are stop using the app you can delete this password from the same place.
For yahoo smtp configuration for used on third party app,need to generate app password. below step follow
1 Please login to your yahoo account and after login top right side Username show, please hover mouse on this username ,Click on Account information Link.
2 Go to Account Security tab, Go to App password Section, and Click on Generate and manage app passwords, Type app name and click on generate Password.
This is your smtp email password
Now set yahoo smtp configuration
Smtp Address : smtp.mail.yahoo.com
Smtp Port: 587
Smtp Username: Your yahoo Email
Smtp Password: Password is which you generate app password
Enable SSL: True
i get this information from this link
http://w3teachers.com/javascript-problem/How-to-set-up-Yahoo-smtp-configuration-for-use-on-third-party-app
This works as of June 29, 2022. I am using the latest version of java mail (1.6.2) - it has since moved to jakarta and angus so those jars may also work but I didn't try them. Get the jar here.
Set up your smtp settings to use port 465, SMTPS, and STARTTLS with outgoing server smtp.mail.yahoo.com
Generate an app password in Yahoo and use this in place of your usual password. Do this by logging into your yahoo mail account, click on your profile pic, and in the drop down choose "Account Info." Choose "Account Security" and on this page select "Generate App Password". I read something that said you need to use the company name in the app name so that's what I did.
after some time (in my case 2 months) that password stops working and you need to generate a new password for your app. otherwise you get the "too many bad auth attemps" error.
Related
We have a PHP/MySQL based User Management System and are integrating it with Keycloak version 16 where we will store users credentials.
Our application does not allow users to self register. We create user accounts on the system. When we do this we do NOT specify a password because we want users to set up their own password.
The current system sends 2 separate emails in 2 different circumstances regarding passwords:
If it's a completely new user who does NOT have an existing password, we send them a link to set up a password.
If it's an existing user who already has a password, the system allows them to reset it, e.g. if they forget their password and can't login.
Keycloak seems to cater for scenario (2) because the login forms have a forgotten password link which opens a form where the user can enter their email address and receive a link which lets them do (2).
Unfortunately it doesn't deal with scenario (1) very well and that's where our problem starts. This has been asked a while ago Send password forgotten mail but it seems that Keycloak didn't support this very well in 2020 and perhaps still doesn't now.
Our "workaround" to this was that we added custom email templates and a custom page (reference: Themes on https://www.keycloak.org/docs/latest/server_development/#emails) which includes wording that caters for both scenarios, e.g. "set your password" rather than "reset your (existing) password". The result of this is that our email and form now reads appropriately for both scenarios (1) and (2).
The problem
We want to be able to send a link to the user that allows them to set their initial password to cover scenario (1).
We know that this page exists because on the login page for Keycloak there is a link to the forgotten password form that handles scenario (2). However, the form requires the user to enter their email address and submit the form. The user then receives an email from Keycloak which contains a URL to the page where they can do this. The URL has the following format:
https://example.com/auth/realms/foo/login-actions/action-token?key=...
The key= contains a ~945 character token. Going to the URL above redirects to the form where the user can reset their password. This next URL does not contain a token but a cookie has been set in the browser - by the previous URL - which makes it functional:
https://example.com/auth/realms/foo/login-actions/required-action?execution=UPDATE_PASSWORD
We can't send either of these URLs to the user because the first one (containing key=) has no API method for us to find out what it is - it's only possible to generate this by going through the "forgotten password" step during login, in the browser.
The second URL (/login-actions/required-action...) won't work either because it relies on the previous URL (containing key=) setting the cookie in the browser. If you try and go to this second URL directly (i.e. bypassing the first URL) it will error.
So neither of these URLs will work because we can't find what the first one is programmatically, and we can't use the second one without knowing the first one.
I found https://lists.jboss.org/pipermail/keycloak-user/2018-October/015910.html and the suggestion is using the Keycloak API to trigger a password reset email. This works - sending an HTTP PUT request containing 'UPDATE_PASSWORD' along with the relevant user ID sends the user an email. The request endpoint has the format PUT /{realm}/users/{id}/execute-actions-email which is documented on the link above.
Up to here all is fine - the user gets an email. However, this email does NOT contain a link that goes directly to the "reset password" page! Instead it sends them an email containing the following text:
Your administrator has just requested that you update your account by performing the following action(s): Update Password. Click on the link below to start this process.
Link to account update
When the user clicks "Link to account update" it then shows them a web page like this:
It is only when they click on the link on this page (the one that says "click here to proceed" on the screenshot) that they arrive at the form where they can reset their password.
This is a really poor user experience because the user gets sent a (badly worded) email with a link to... a page with another link! It should just take them to the password reset page directly. What's more frustrating is the fact that Keycloak is clearly capable of generating/sending the exact email we'd like in this scenario: the one which gets sent when a user manually does a password reset via their browser.
So the problem seems that Keycloak's API doesn't support this incredibly important and common use-case of a user being able to set an initial password, in a user-friendly manner.
I am adding the js script in the template to automatically click "click here to proceed". It's ugly but at least the user doesn't see the page
Keycloak sends out duplicate emails when you hit Forgot password button right after user session expired and you want to login again.
It might be configuration issue with Keycloak but it is quite annoying so any help would be appreciated.
Keycloak client is set to public and used in combination javascript adapter on mobile app.
Steps to reproduce:
Login with your user account using public client.
Wait for your access token to expire and you will need to login again.
Go to login page and instead of login hit Forgot password button.
Enter your email and hit submit.
You get your first forgot password email.
You will be redirected to login-page-expired and on "click here" link.
You get your second password email (which shouldn't happen).
Used Keycloak version is 12.0.1.
We have Google Identity Toolkit implemented on our server and can successfully create "simple password accounts" and "Facebook accounts".
However if a user has first signed in with "simple password account", created password, confirmed email, etc...
How can this user then at a later time add Facebook as an alternative provider?
In our case, if this user clicks "Sign in" he will see:
On the following login screen however, he can only choose the existing "simple password account".. if he does, the login proceeds to password input, without a chance to use Facebook as an alternative.
What do we have to configure so that the user has the possibility at any time to link another provider to his "simple password account"?
Scroll down to the Account Linking section in this doc.
The key phrase here is Thus if Google Identity Toolkit detects that the same email address was used at both identity providers, we link the two accounts. It appears this is not something you can do manually, and accounts can only be linked in this particular situation. In the case of Facebook I believe the email to which they are referring would be the primary email found in the Facebook user settings.
I hope they implement more comprehensive account linking in the future! The Gitkit account manager would be the ideal place to do this if you are listing Google.
I need my application to be able to log on to Gmail and send email on behalf of the user. The user supplies credentials. However, when I do so I get this message from Gmail:
Subject: Google Account: sign-in attempt blocked
Hi Jessica,
We recently blocked a sign-in attempt to your Google Account [...].
...
If this was you you can switch to an app made by Google such as Gmail
to access your account (recommended) or change your settings at
https://www.google.com/settings/security/lesssecureapps so that your
account is no longer protected by modern security standards.
I would like my app to "protect users by modern security standards" but nowhere do I find any data on what "modern security standards" means in this context. The app uses SSL, user name and password.
The app works if you do click the link, but I really don't want my users to have to click the "lesssecureapps" link, though if that is the only option, so be it. But I'd rather modify my app to be compliant with what Gmail needs. However, nowhere does it say what I am missing.
Any help please? I want to do the right thing.
I've got a decent set of existing users on my website who login via their emailaddress as their username.
I'm setting up Facebook OAuth mechanism to allow new users to sign up more conveniently, but I'm not sure how to handle the scenario when a user who already has an email address registered with our system and now tries to login via Facebook.
Should I consider him the same user?
Should I treat him like a new user?
The situation is more complicated by the fact that I dont validate their email addresses (when they login directly into my system), so i cant assume they are the same user.
How do others resolve this conflict, or do other folks simply treat this user connecting via FB as a new entity?
On your login screen, users can have a choice: you may put
new user: signup using facebook
since this is a totally new user account, then you just need to do your facebook connect + request for email permission, etc.
existing user: login by email
Once they do this, let them login using the old-fashioned way. Then once signed in, prompt them to connect this email address to their facebook account. So the flow is login via email then optional facebook connect.
To do this, I assume you've added a field on your database table for user_accounts, that is facebook_user_id or fb_id or user_id, etc. Then on facebook connect, get the logged-in-email, UPDATE table SET fb_id = xxx WHERE email = xx
I've pondered the same issue. I think we'll go with the verified email (Facebook Connect) getting attached to and logged into the existing account with the same email.
Before we connect and log them in we'll explain that the account exist and ask for their password (they signed up using email and password, so they should know it) to ensure it's the right person.
If you support multiple external authentications (Google OAuth, Facebook etc) then you may not have a password, and in that case it gets slightly trickier.
If you do log them in to the existing account without asking for a password, make sure you clear existing sessions to avoid 'anticipation attacks', where an attacker anticipates that the target signs up, creates an account and keep the session after they've signed up and attached to the attackers existing account.