my question relates to how to log users into LinkedIn (SP) automatically from a company web portal that I am making. (As opposed to how to authenticate user on my website using linked in as the IdP).
I need my website users to be able to configure their LinkedIn account username and be automatically logged in to LinkedIn when they click the LinkedIn icon. I achieved this with Sales Force by use of an uploaded certificate and a SAML token and ideally would be able to use a similar approach with LinkedIn.
Is this possible? Has anyone else managed to achieve this and what is the best approach?
Related
I want to allow users to sign up using either a user-pool identity (email + password) or a Facebook-federated identity.
But I also want them to be able to switch later on: either add Facebook federation if they didn't sign up using Facebook initially, or remove the Facebook link from their account if they initially signed up using Facebook.
Is this possible?
Thanks in advance!
Yes, it is. I'm assuming that Facebook is added directly to the Userpool as an IdP.
Splitting your query into 2 parts:
1. User signs up using username & password. Later, he wants to link his Facebook account
This is pretty easy. Give an option in your UI and use the AdminLinkProviderForUser API to link Facebook/Google account to the user. Now, when the user signs in using this Facebook/Google account next time, Cognito will treat it as the native user & generate token for the same. Of course, the Facebook info will be mentioned in the identities claim. If the user wants to remove this Facebook/Google link later, it is possible using the AdminDisableProviderForUser API call.
2. User signs up using Facebook
This is a bit tricky since Facebook login will automatically create a user in your Userpool with status EXTERNAL_PROVIDER (unlike native users who have CONFIRMED status). As the name suggests, this user can only be logged in using the relevant external provider - Facebook in this case. If the user wants to login using a username password, a new account will have to be created using SignUp API or AdminCreateUser API. Also, this account can not be linked to the previous Facebook account using AdminLinkProviderForUser because a pre-requisite is that no Facebook user with the same details (email etc.) should exist in the Userpool. But at this moment, we have an auto-created Facebook user with EXTERNAL_PROVIDER status.
So, in short, you would have to - create a new user using SignUp or AdminCreateUser API, delete the auto-created Facebook user & Finally link the Facebook account as mentioned in case 1.
I have a REST service that my mobile app uses to authenticate when the users click on the Facebook or Google icons.
The service accepts the user's id from the provider and checks if it exists on the database and then issues the access_token to be used for the other methods.
The problem is that I just thought that it could be pretty easy for someone to intercept the calls and discover which service authenticates and what the user id is and then call it with to get a token.
How can I avoid this?
I think you just need to separate the authentication and authorization functions. You can let Google (Google Sign-In) handle authentication. If you follow the API they will securely authenticate the user and send you the token which you can validate.
Once you know who they are for sure, your site can safely authorize that user approriately. For example, they might be an existing user, need to make an account, be an administrator. You can make those authorizations on your site based on the user authenticated by Google (in my example).
Twitter, Facebook and others do the same. Also see OpenID Connect.
I'm developing a Web API that needs create, read, update and delete privileges on OneDrive for Business sites using REST.
So far my understanding is that an Azure Application will need to be registered within Azure for this
WebAPI.
Once registered the Application will have a client ID and secret key that can be used as part of OAuth. Also within Azure it can also be given the permission to call the SharePoint 365 API. (Provided the authenticated user is also authorized).
MSDN has code examples in which using the Application client ID within OAuth the client gets redirected to a login page for authentication. Once they enter in their username and password they are redirected back to the web application.
http://msdn.microsoft.com/en-us/library/azure/dn646737.aspx
As I am developing a web API I do not want any redirects to login pages. Instead I would like to automatically authenticate using a service account. (Which will have appropriate permissions within the OneDrive for Business site).
Does anyone know how this can be done or point me in the direction of some code samples?
Thanks
Service to Service (app only) grants aren't possible today for SharePoint with AzureAD OAuth. We only allow app + user grants.
This is on our radar - please stay tuned.
I'm developing a mobile API and I would like to allow mobile users to log in to my mobile application using their Facebook account.
I've been struggling to find some detailed information regarding this request. Could someone point me in the right direction? I'm using the following Laravel package for OAuth2:
https://github.com/lucadegasperi/oauth2-server-laravel
As I understand, the user clicks the "Login with Facebook" button and then proceeds to authentication. Facebook provides the access token as a result. But how does a user account appear on our server? And to my knowledge, it is our server that should provide an access token which is tied to the user account on our database. Could someone clear this up?
Have you looked at the Facebook mobile sdk guides?
iOS: https://developers.facebook.com/docs/ios
Andriod: https://developers.facebook.com/docs/android/
The package you mention looks like it performs oAuth authentication, and I don't think you need that. If I understand correctly, you should be able to use the Facebook sdk to perform the authentication and tell your app that the user is authenticated. You will have to create a user account for them (for example, add a record to the users table in your database) and store their Facebook ID.
I want to allow users connect to my website using their facebook account.
First, the user authorizes my application and then I get an access token. Problem is, that I'm supposed on the first time to register the user, and the next time to auto login him based on his facebook email.
How do I create a SECURE way to auto login the user?
I'm using pure javascript, but I can't find any way to create a secure mechanism.
Thanks.
Facebook should handle all that for you - when they come back to your website, they can click the 'login' button(javascript SDK) and facebook should pass you back an access token.
I may, however, have misunderstood the question.