Google Identity Toolkit - Twitter sign in prompts to authorize app every time - twitter-oauth

I've been using Twitter as one of the IDPs in my Google Identity Toolkit configuration. I followed all the required steps. I'm able to sign in with Twitter and it works fine for the most part, except for 2 issues highlighted below. In my Twitter application settings, Permission is set to "Read only".
Every time I try to sign in with Twitter using an account used previously to sign in, it prompts me to "Authorize app" again. As I understand, the authorization should be one time only unless revoked. Why do I need to authorize with every sign in?
I found this thread: https://twittercommunity.com/t/why-does-my-app-need-permission-granted-every-time-the-user-authenticates-through-oauth/10251/5
It seems like the Sign in with Twitter button is routing to 'https://api.twitter.com/oauth/authorize' instead of 'https://api.twitter.com/oauth/authenticate'. Is this a bug in GIT?
If I click Cancel instead of Authorize app, it brings me back to my callback page but I get a verifyAssertion error:
[identitytoolkit] verifyAssertion: {"error":{"errors":[{"domain":"global","reason":"invalid","message":""}],"code":400,"message":""}}
What is causing this error?
Any help would be appreciated.

Identity Toolkit is intended to use https://api.twitter.com/oauth/authorize because, according to https://dev.twitter.com/oauth/reference/get/oauth/authorize, a desktop app has to use this.
Which platform are you working on?
If you click Cancel instead of Authorize, Twitter will redirect the user to Identity Toolkit with an error response. As a result, Identity Toolkit cannot verify the user's identity, and fails the verifyAssertion.

Related

Google not showing prompt to select Google account

We have a web application with Keycloak as identity broker and a Google SAML app as IdP for a Google-managed Workspace for a domain, say mycompany.com. The integration works fine except for the case described below.
If the user is logged in with only one Google account that is not a SAML app account, Google returns
403 Error: app_not_configured_for_user.
i.e. if I am logged in with my personal Gmail account and not with the mycompany.com account.
I have inspected the SAML AuthnRequest payload with SAML tracer, which has ForceAuthn="true", but it still does not show the account chooser page.
I went through a couple of StackOverflow threads. A few provided a solution using the account chooser URL and redirecting it to the auth page https://accounts.google.com/accountchooser?continue={theredirectURL}.
Looking to the community to help suggest a clean solution.
This error pretty much depends on which account is the primary one in the Google account chooser, as it always takes that one to complete the sign-in process automatically.
There is no official way or setting from Google to do this; however, the most commonly used workaround is to add the following URL to the Start URL section of the SAML app settings so that it forces the authentication whenever you click on it.
https://accounts.google.com/AccountChooser?continue=https://accounts.google.com/o/saml2/initsso?idpid=[REPLACE]s&spid=[REPLACE]&forceauthn=false
There are 2 parameters that you need to replace in that URL, and you need to get them from the Google apps menu next to your profile picture: hover over the SAML app that you want to change, right-click on it, then copy the link address, which will show the idpid and spid values.

Xamarin and Facebook authentication

I'm looking for a solution to a problem.
We have a mobile app on Xamarin and a requirement to sign in with Facebook credentials.
To solve this we use Xamarin.Auth; we also tried CloudRail.
In both cases it works, but it needs you to input credentials when you launch the app the first time; then the app remembers them and allows you to use them again.
Here is the question. Maybe someone knows how to skip that step, and log in to the app via Facebook without any first-time input of credentials?
Like in GMail or Shazam. You download the app, click Sign in with Facebook and it doesn't require you to input credentials; they're already known.
You could use Facebook Xamarin Components, which contain bindings for Xamarin.iOS or Xamarin.Android.

Facebook SDK Login - Application Unavailable: The application you're trying to use is either no longer available or access is restricted

A user tried to log in to my app using Facebook login and they encountered the following error after being redirected to their native Facebook app: "Application Unavailable: The application you're trying to use is either no longer available or access is restricted".
I'm not able to reproduce it and I haven't found much online. The app is available since it's live under Facebook apps and it's being used by existing users. The only option would be that the access is restricted but I'm not sure why. I do know that Facebook launched a security update in March to "Use Strict Mode for Redirect URIs" by default, but this update does not apply to the Facebook SDK according to what I read.
I had the same error message on Android devices, which was caused by setting only development key hashes. I solved it by adding the release key hash, following these instructions: Setting a Release Key Hash on Facebook
This error is also produced if you try to sign up with a recently created account. It seems like Facebook has some approval process which takes time. For me, a new account produced an error one day and worked perfectly on the next one.
To test sign-up immediately, you should create a test user in the Facebook App Dashboard under Roles.

Google Actions Account Linking Flow

I've written an authorization flow for my action, to do account linking with the "Implicit flow". I have been testing it using the web simulator. When I try to run the action in the web simulator it tells me to link my account, and provides a URL:
"https://assistant.google.com/services/auth/handoffs/auth/start?provider=hello_dev&return_url=https://www.google.com/"
I run that URL and this is what happens:
My Java servlet receives the auth request from Google. It contains what is documented: a GOOGLE_CLIENT_ID, a REDIRECT_URI, a STATE and "response_type=token"
I create an access token from the Google ID that is logged in, using UserServiceFactory.getUserService().getCurrentUser().getUserId()
I craft a URL to the redirect URI that contains my ACCESS_TOKEN, token_type=bearer, and state=the state string I originally received
I create a web page for the user that contains that link so they can click it; it executes the link and my account is linked.
That works great, and the response is a blank page with a URL that says: "https://www.google.com/?result_code=SUCCESS&result_message=Accounts+now+linked."
However, I wanted a flow that allowed the user to ensure they are logged in, and logged into the Google Account they wanted to link.
So, I also present a link that logs them out if they'd like. The link is created by using userService.createLogoutURL(thisUrl)
If they do that, I then present them a link to log in, created using userService.createLoginURL(thisUrl)
Once they have logged in, with a different Google ID, they are back on the original page which allows them to log out again or click the "link account" link.
The situation is that if they click the "link account" link now, the EXACT same link that would have worked successfully before they logged out (except for a different ACCESS_TOKEN value) and logged back in with a different account, the response is a blank page with a URL that says: "https://www.google.com/?result_code=FAILURE&result_message=Account+linking+failed"
Two things of note:
If they log out and log back in with the same account, then the "link account" URL works fine
If they are not logged in at all when beginning the process, and then log in and then use the "link account" link it works fine
So, the only time it fails is when they are logged in, log out, log in with a different account, and click to link accounts. That's when it fails.
The account doesn't matter, multiple different accounts work, as long as the browser is logged into the first account and doesn't change during the flow.
I honestly cannot imagine how this is happening.
This gets even worse if I do it in the Google Home app, as it then returns some "malformed request error" page and basically stops working, PERMANENTLY. Stopping/Starting the action didn't help. Stopping/Starting the Web service didn't help. Rebooting the Android device didn't help. Link Account from the Google Home app was permanently broken. The only way I was able to get it working again was to use the Account Link URL (gotten from the web simulator) in the Chrome Browser on my Android device, which seemed to "reset" everything.
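The authorization-endpoint step described above (receive client_id, redirect_uri, state and response_type=token; answer with a redirect carrying access_token, token_type=bearer and the echoed state), as an added stand-alone Python sketch, not the poster's Java servlet. The client id, project id and access token are constructed placeholders; the redirect_uri is pinned to the single value registered for the project, so a request pointing anywhere else is rejected without redirecting.

```python
"""Implicit-flow authorization step for Google Actions account linking.
All identifiers below are constructed placeholders, not values from the post."""
from urllib.parse import urlencode, urlparse, parse_qs

EXPECTED_CLIENT_ID = "GOOGLE_CLIENT_ID_PLACEHOLDER"   # assumed: value from the Actions console
# Google supplies redirect_uri in the request; compare it with the value registered
# for the project instead of redirecting wherever the request points.
ALLOWED_REDIRECT_URI = "https://oauth-redirect.googleusercontent.com/r/PROJECT_ID_PLACEHOLDER"


def parse_auth_request(url):
    """Return the query parameters of Google's auth request as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def validate_auth_request(params):
    """Return None when the request is acceptable, else an OAuth error code."""
    if params.get("client_id") != EXPECTED_CLIENT_ID:
        return "unauthorized_client"
    if params.get("response_type") != "token":
        return "unsupported_response_type"
    if not params.get("state"):
        return "invalid_request"          # state is required; Google checks it on return
    return None


def build_link_redirect(params, access_token):
    """Success response: token in the URL fragment, state echoed back unchanged."""
    fragment = urlencode({"access_token": access_token,
                          "token_type": "bearer",
                          "state": params["state"]})
    return f"{params['redirect_uri']}#{fragment}"


def handle_auth_request(url, access_token):
    """Whole step: returns (redirect_url, error); error is None on success."""
    params = parse_auth_request(url)
    if params.get("redirect_uri") != ALLOWED_REDIRECT_URI:
        return None, "invalid_request"    # unknown target: show the error locally, never redirect
    error = validate_auth_request(params)
    if error:
        fragment = urlencode({"error": error, "state": params.get("state", "")})
        return f"{params['redirect_uri']}#{fragment}", error
    return build_link_redirect(params, access_token), None
```

The access token passed in stands for whatever the server mints for the signed-in Google user (the poster derives it from getCurrentUser().getUserId()); minting and storing it is left outside this sketch.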
At this time, we require that the Google user who initiates the account linking process, both via the simulator and Google Home application, be the same Google user that logs in via a Google Sign-in option, if it is offered as part of your auth flow. This is a hard requirement.
For this reason, we'd suggest not offering a Google logout option as part of your account linking process.

facebook login without dialog in wp7

Several WP7 apps (like the official FB application) provide their own login dialog, and after filling it in you get connected to Facebook.
Furthermore, you are automatically logged in when you open the application later.
In general it's no problem to store the credentials encrypted on the device.
My question: has anyone an idea how to achieve what the "official FB app" does?
I searched around but found nothing more than "must use the dialog / there is no other way...".
But for sure there is a way, since apps do this.
The "official FB app" also requires authentication.
The "built-in Facebook support" works by connecting your LiveID to your Facebook, and you still gave it your credentials when you connected it the first time.
There is nothing that exposes the "built-in" credentials for any of the accounts (Twitter, LinkedIn, etc.)
Can you imagine what would happen if ANY app could just automatically log in to any of those apps and do whatever they want?