I have a requirement to prevent users from logging in to my ASP.NET Web API 2.0 Identity 3.0 backed website until an administrative account "activates" a user's confirmed registered ApplicationUser account.
I have implemented the EmailConfirmed logic to validate that the ApplicationUser account was registered with a working email address. Now I'm looking for an appropriate place to implement a check against the ApplicationUser.Activated property, that I have added, with behavior that prevents a login unless it has been set to true.
I've dug a little bit into the OAuthAuthorizationServerProvider class but I think I'm going to have to really take some time and understand OAuth 2.0 to get anywhere in there. Could anyone make a suggestion as to how and where to implement a test against an Activated property like this?
PS - I'm using bearer token authentication if that was not obvious.
Do one thing when user click on activation link which you send to the user .after click on that link redirect to page where you show one message "You are successfully resgistered" and on the page load you call to database and set activate column is true and put timer on that page and redirect user to login page.during login you can check the user status with email and password .if status is true that mean its registered user.
hope it will help.
Related
I am following the tutortial for .Net core Account and password recovery and I am not sure how things work. The tutorial says to add the email service in startup.cs then everything just started to work. I have no idea where the forgot password page is located, it not with the other pages, I checked hidden files and the actual directory it self (see image), yet I am being redirected there from the reset password link. I have no idea how the email service is being called yet I can set a break point and see that it is being hit with the correct data. I can see the sql query used to get the user information. Is this functionality managed by core identity?
I have no idea where the forgot password page is located, it not with the other pages
You need Scaffold Identity in your ASP.NET Core project.
That means you need to add the pages you need through Scaffold Identity: ForgotPassword, ForgotPasswordConfirmation, ResetPassword, ResetPasswordConfirmation.
Scaffold Identity in ASP.NET Core projects
I have no idea how the email service is being called yet I can set a break point and see that it is being hit with the correct data.
Is this functionality managed by core identity?
IEmailSender is in the package ASP.NET Core Identity.UI, with the default implementation injected in DI that doesn't do anything.
I will explain in detail below how to send an email to reset the password. You can read the process of resetting the password first to the last.
In other words, you need to Implement IEmailSender.
In the link you gave, it has been given in detail how to implement IEmailSender.
In the example, SendGrid email provider is used. You can also choose other email providers.
You need to register a SendGrid account first, then create an API Key, and store your SendGrid information in appsettings.json.
You can create an API Key as follows.
appsettings.json:
SendGridUser:
It’s the account you registered with SendGird. For example, I registered with the email xxx.test.com, and SendGridUser is xxx.test.com.
SendGridKey:
This is the API Key mentioned above.
{
... ...
"AllowedHosts": "*",
"SendGridUser": "xxxx",
"SendGridKey": "xxxxx"
}
The process of resetting the password can be briefly summarized as follows:
Request the ForgotPassword page after clicking the link to reset the password
Enter your email address to reset the password
If the email address you need to reset your password exists and has been confirmed, then the method OnPostAsync in ForgotPassword will send an email to your email address.
If you set a breakpoint in the Execute method in the implementation class EmailSender of IEmailSender, you can see the result of the email sent.
You can open your mailbox to see the link to reset the password you received, then enter the reset password and submit the form.
After the form is successfully submitted, it will request the OnPostAsync method of ResetPassword, and the processing will be redirected to the ResetPasswordConfirmation page.
Result
I have been following the Oauth prompt sample Oauth Sample. Its working great when I login properly and get a token. However I am working on the use case when a user logs in using the wrong credentials. I am using await botAdapter.SignOutUserAsync(innerDc.Context, ConnectionName, null, cancellationToken); to sign the user out and it works since Oauth gets prompted again. However when the user clicks on sign in button again, it takes the wrong credentials again ( i.e same logged in credentials because of browser cache ) and doesn't allow the user to use a different account. I am looking to gracefully sign the user out so that he can choose another account to login. I understand if I add this to the right tenant (add my bot to right AD identity) it wont allow the wrong email/credentials to even get through but its something I have to work through for now. I don't know if this is intended but the sign out only destroys the token doesn't log you out of Microsoft online.
Thanks
Given that the SignOutUserAsync method only signs a user out of the token server, my guess is you will need to implement a custom method to handle a full sign out. This doc discusses sending a sign-out request and should serve as guidance on how to setup. If this isn't a perfect match, other options are listed in the menu tree.
Instead of relying on the SignOutUserAsync method, you would implement this feature in its place.
I have an ASP.NET MVC application that uses Azure Active Directory for authentication. All works perfectly except for this scenario.
Launch application and login using user#domain.com, the user is authenticated and application home page is displayed
Close browser (Logoff not implemented)
Launch application again and click login as another user
Enter username as abc#domain.com - This user is fake and does not exist
Expected behavior: Some error saying the user does not exist or login failed
Application behavior: Logs in user#domain.com by default without checking the new username that's entered.
Note: portal.azure.com works the same way.
Question: Is there a way to change this behavior so that the username is validated or authenticated before the cached token is used.
thanks
This is by design.We do not go to AAD for authentication every time, cached credentials as used as the tokens / cookies the client has received during the initial login are good enough to get access to the resources.
There are two ways to achieve what you are looking for
1) Implement Sign out( feasible and optimum solution)
2) Implement a Auth filter and apply at a global level so for every request it has to validate the token and user name provide by user.
Hope it helps.
I start to working with the Facebook graph API and I have question:
I make Facebook Authentication, so after user approve my application I got accessToken and the facebookUserID. note: The accessToken is expire after One hour(!!!).
Then, in another webpage "index.html", I want to show all the users who approved the application with their full name and profile picture taken from Facebook.
Now I don't understand.. if someone will enter the "index.html" page to see list of users who accepted the application - 5(!!) month after their authentication, when i will make the HTTP call to get thier fullname and profile picture, the accessToken is now expire(a lot time before) so the HTTP call will not succeed.
The last option is to save the full name just in the One hour between user accept the application and before the accesstoken expiration. but if the user will change his name sometime... I don't have the updated Name!
if its important - I'm usind the javascriptSDK with asp.net project.
Please help me to understand how to solve this situation.
It would appear that it is not possible to generate a long-lived token with the JS SDK directly, you will have to involve the server side, see this page for details.
I'm building WP7 application using DropNet.
I have successfully managed to log in and authorize the app (using WebBrowser control) and this works ok.
The problem is when user checks 'remember me' on the drop box login screen - an obvious thing to do. When I run this application again then browser redirects to a page saying something like 'you have already authorized this application'. Nothing happens until I click the Continue/OK button on the page. The token is not valid until I click this button.
Why is this happening this way? Shouldn't it authorize the token on entering the authorization page so it would support user-free loging in?
I have come across this issue; the problem was solved by setting
_dropNetClient.UseSandbox = true;
where _dropNetClient is an instance of DropNetClient
Normally, you only do the OAuth login/auth stuff the first time he/she uses your app. Once they are authorized, you'll have an "access token" that you should save somewhere.
The next time the user runs your application, don't do any of the OAuth steps. Just load up the access token (sometimes called the "user token" in the DropNet docs) and start making real API requests.
new DropNetClient(appKey, appSecret, accessToken, accessTokenSecret)