I've implemented Google OAuth 2.0 login on a site that I'm working on. It works fine, except in situations when the user is logged in with two or more different accounts on the same browser. It's asking him to choose which one he wants to use. But it's asking the user every time to choose the account. Is there a way to remember this, so the user can choose the account only the first time and later be logged in automatically with that account?
You can put the hd=domain.com parameter in the request to Google, but that only helps if the two logged-in accounts are from different domains, and it can then log the user in with the @domain.com account.
I read somewhere that you can send a user_id account as a parameter to Google (I guess that would be the email address), but in this case I don't know the user's email address before he logs in.
I think this behavior is the same if you use OpenID.
I'm using Google's PHP OAuth library.
Thanks,
Andrej
Google should have a cookie set that enables OAuth applications to tell what account to currently use.
If you know the email address you want to log in with, you can use the login_hint parameter and they won't see the account chooser. See https://developers.google.com/accounts/docs/OAuth2Login#sendauthrequest
We want to send email to logged-in users in our Drupal application. We are authenticating using AAD and our site is hosted in Azure App Service.
We have a generic service account with a mailbox attached and we would like to notify the logged-in users in case of any event using the MS Graph API and O365 connections.
Can we please get some guidance in this respect.
You can use the Graph API to send emails from your service account. Where you are going to have a problem is with identifying logged in users. An AAD token will be valid for your site even if the user originally signed in somewhere else, so logging signins isn't foolproof. Unless your users specifically sign out, the token will also be valid past when they stop using the site.
If you wanted to go down this road, then doing some logging of user actions and then sending the email to users that have been active within X amount of time might be an option.
If your goal is to notify users and you don't need an email specifically, then you might want to look into using websockets or something similar to send notifications to the users within their browser.
Does anyone know how to set the "Email Address" as mandatory when a user logs in via Facebook using Socialite (if it is possible)?
At the moment my integration allows the user to remove the Email Address from the data that will be shared by Facebook on the Facebook side.
While we don't currently use the email address to contact the user, we do use it for matching accounts together if they login via different methods. This makes the site easier for the user overall.
If this is not possible then in the long run I may need to revoke the user's access if they don't share the email address in order to avoid data issues. However, I will hopefully be able to avoid this.
Any help is appreciated.
Thanks,
Cs1h
You can't explicitly require it; it's up to the user to share it or not when authorizing, so you need to build your application to support this.
In my opinion if they don't choose to share the email then you should detect this and have a page that asks them to enter it manually and send them an activation link to confirm their account before linking.
I am planning to allow users to log in to my website using OAuth authentication. I have a doubt whether I can completely rely on the email returned from the response to link the users to the actual user account in my website. Can there be any security issue with this?
The most immediate is that you must absolutely trust the OAuth provider. It might lie to you and take over your local user account.
For example, if the OAuth provider does not validate the user email, someone might register an account there with someone else's email, then log in to your site, taking over the local user account.
Also make absolutely sure you're using SSL.
I've got OAuth support in place for an app I'm working on. What I'm trying to work through is the logic for associating OAuth accounts.
Example:
Let's say a user has logged in before. They authenticated using Facebook. I now have an email address which I can safely assume will always be unique to that user. However, Twitter does not provide email addresses through its OAuth implementation, so if someone signs in with Twitter, and then Facebook, how do I correctly associate their account? I can't use user name, or handle, because obviously that could vary per provider. Is there any other way I could do this?
Do I require the user to enter their email address if they use an OAuth provider which omits it? I'm trying to put together the best user experience and the most stable system, so your help is highly appreciated.
If you're looking at working with multiple identity providers then your best solution would be to use an internal ID unique to your system and then associate the external accounts with that ID when the external authentication takes place. Additionally, users in FB can change their primary email address, so while it would be safe to assume it's unique, it's probably not safe to assume that it's current.
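The linking logic this answer describes, together with the earlier point about untrusted providers and unverified emails, as an added example that is not code from any of the posts above: external identities are keyed by (provider, provider's stable account ID) and tied to an internal user ID, an email only auto-links an identity when the provider asserts it verified that email, and anything else goes through the app's own confirmation step. The Identity, User and AccountStore names are my own, and the in-memory dictionaries stand in for a database.

```python
# Added example: link OAuth identities to an internal user ID, not to an email string.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import itertools
@dataclass
class Identity:
    provider: str            # e.g. "google", "facebook", "twitter"
    subject: str             # provider's stable account ID, never the email
    email: Optional[str]     # may be absent (Twitter) or withheld by the user (Facebook)
    email_verified: bool     # only trust an email the provider says it verified
@dataclass
class User:
    id: int
    email: Optional[str] = None                          # verified email, if any
    identities: Dict[Tuple[str, str], Identity] = field(default_factory=dict)
class AccountStore:
    """In-memory stand-in for the application's user database (constructed for the example)."""
    def __init__(self) -> None:
        self._next_id = itertools.count(1)
        self.users: Dict[int, User] = {}
        self.by_identity: Dict[Tuple[str, str], int] = {}  # (provider, subject) -> user id
        self.by_email: Dict[str, int] = {}                 # verified email -> user id
    def _attach(self, user: User, ident: Identity) -> None:
        user.identities[(ident.provider, ident.subject)] = ident
        self.by_identity[(ident.provider, ident.subject)] = user.id
    def login(self, ident: Identity) -> Tuple[User, str]:
        """Return (user, outcome) where outcome is "existing", "linked" or "created"."""
        key = (ident.provider, ident.subject)
        if key in self.by_identity:                        # returning identity: email irrelevant
            return self.users[self.by_identity[key]], "existing"
        email = ident.email.lower() if ident.email else None
        if email and ident.email_verified and email in self.by_email:
            user = self.users[self.by_email[email]]        # verified email matches a known user
            self._attach(user, ident)
            return user, "linked"
        user = User(id=next(self._next_id))                 # new user; an unverified email is NOT indexed
        self.users[user.id] = user
        self._attach(user, ident)
        if email and ident.email_verified:
            self.confirm_email(user.id, email)
        return user, "created"
    def confirm_email(self, user_id: int, email: str) -> None:
        """Record an email after the app's own activation link was clicked (or the provider verified it)."""
        email = email.lower()
        if self.by_email.get(email, user_id) != user_id:   # never silently steal another user's email
            raise ValueError("email already belongs to another user")
        self.users[user_id].email = email
        self.by_email[email] = user_id
```

A provider that hands over someone else's unverified email therefore gets a fresh, separate user rather than the existing one, which is the takeover the earlier answer warns about.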
I am building an app on top of Google Reader. Since users have to enter their Google Account data, I'd like to use this data to assign personal settings to each user.
However, if I do so and a user changes his email address or password (for the whole Google Account), I wouldn't be able to identify him anymore.
Thus, I need to know if there's a Google Account ID or something that I can use to identify users regardless of email address or password.
Thanks for your help!
If you use the Google Account API, you can connect the user to your app using OpenID or OAuth. Both methods return an account ID which stays static for that user.
More information: http://code.google.com/apis/accounts/