I want to authorize my users with Windows Live. I use the windows Live Connect 5.0 SDK for this. I am using a WPF WebBroser control to get a token but it always prompts for consent.
I let the webbrowser navigate to the following link:
https://oauth.live.com/authorize?client_id=CLIENT_ID&response_type=token&scope=wl.signin%20wl.basic&redirect_uri=https://oauth.live.com/desktop
with the client id as my application id. And I watch for navigation to the redirect url. I mostly don't need to login. But each time I need to give Consent for the two scopes.
The weird thing is, that when I look in to the app's I have given Consent both scopes are checked.
Also when I use another url for silent logging in:
https://oauth.live.com/authorize?client_id=CLIENT_ID&response_type=token&scope=wl.signin%20wl.basic&redirect_uri=https://oauth.live.com/desktop&display=none
I get an error that the user hasn't given consent for wl.signin and wl.basic.
Unlike Facebook's OAuth implementation checking the checkbox will not remember consent on the WL server, but rather give you long lived refresh token which you can exchange for access token.
Flow:
if have refresh token saved - try to get access token based on refresh one ( http://msdn.microsoft.com/en-us/library/ff752395.aspx ), otherwise:
show consent dialog
get access and refresh tokens ( http://msdn.microsoft.com/en-us/library/ff750952.aspx )
save refresh token securely on your server - the refresh token is close equialent of enencrypted user name+password. If you can't store securely you have to live with consent dialog.
Related
Problem: How to authenticate in MS Graph using Azure AAD access token.
Current flow:
My web app has AAD configured with "Log in with AAD"
If I log into AAD my demo app is showing and if I go to https://******.azurewebsites.net/.auth/me
then I get the access_token.
What I tried:
So I tried a couple of things and this was the last, I copied the access_token as code and tried to send it, didn't work.
I'm searching for a solution to silently use the already logged-in user and call MS Graph.
The reason for the error is that you have used the wrong code. Don't try to send the access token as a code, you should request an authorization code in your browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
In addition, redirect_uri is also a required parameter.
For the already logged in user you need follow the below steps for access:
Make sure you have enable the allow access token for the register app as below
Write code to acquire access token for the for the logged in user Reference
Now you can pass this token in other successive call to get the result.
I have been following the Oauth prompt sample Oauth Sample. Its working great when I login properly and get a token. However I am working on the use case when a user logs in using the wrong credentials. I am using await botAdapter.SignOutUserAsync(innerDc.Context, ConnectionName, null, cancellationToken); to sign the user out and it works since Oauth gets prompted again. However when the user clicks on sign in button again, it takes the wrong credentials again ( i.e same logged in credentials because of browser cache ) and doesn't allow the user to use a different account. I am looking to gracefully sign the user out so that he can choose another account to login. I understand if I add this to the right tenant (add my bot to right AD identity) it wont allow the wrong email/credentials to even get through but its something I have to work through for now. I don't know if this is intended but the sign out only destroys the token doesn't log you out of Microsoft online.
Thanks
Given that the SignOutUserAsync method only signs a user out of the token server, my guess is you will need to implement a custom method to handle a full sign out. This doc discusses sending a sign-out request and should serve as guidance on how to setup. If this isn't a perfect match, other options are listed in the menu tree.
Instead of relying on the SignOutUserAsync method, you would implement this feature in its place.
I have an ASP.NET MVC application that uses Azure Active Directory for authentication. All works perfectly except for this scenario.
Launch application and login using user#domain.com, the user is authenticated and application home page is displayed
Close browser (Logoff not implemented)
Launch application again and click login as another user
Enter username as abc#domain.com - This user is fake and does not exist
Expected behavior: Some error saying the user does not exist or login failed
Application behavior: Logs in user#domain.com by default without checking the new username that's entered.
Note: portal.azure.com works the same way.
Question: Is there a way to change this behavior so that the username is validated or authenticated before the cached token is used.
thanks
This is by design.We do not go to AAD for authentication every time, cached credentials as used as the tokens / cookies the client has received during the initial login are good enough to get access to the resources.
There are two ways to achieve what you are looking for
1) Implement Sign out( feasible and optimum solution)
2) Implement a Auth filter and apply at a global level so for every request it has to validate the token and user name provide by user.
Hope it helps.
The Thing i want to do is , We have a user who is logged in a device .We have to restrict that user to login from other device.
To Login into Other device he should have to log out from the first device.
I have tried to create authentication token via web API.
Every time a user login ,a new oath token is generally passed in the request headers. (Token would be expire on logout.)
If Same User try to login from other device a new Oath token would be generated
is there anyway to check if a token is already assigned to that user then do not allow him to login
What if,
1.user close the working tab or browser
2.or He navigate to other web page by changing the URL
Are there other solutions to ensure one concurrent login per user ?
This should be simple enough to make sure a user have only one login at a time.
Steps to do would be (ASP.NET/ASP.NET MVC):
Step 1: As soon as user login, check if session for this user already exists.
Step 2: If Session already exists, delete the on going session (Here you can also prompt a message to user if he wants to stop currently going session and start a new one.)
Step 3: On User's action you may delete current session and start a new session for the user.
Step 4: If there is no current session going on, you can simply create a new one .
Update:
For ASP.NET WEB API
Here you have to use Authentication token.
On login you can provide authentication token to user.
On Relogin you can check if token is already issued for this user, and accordingly perform your action.
Hope this helps. Let me know if you have queries.
I assume you know how to code above, if not let me know.
I have implemented Google oauth2 server flow for web, the first time that user logins using his/her google account I have to use access_type=offline to get a refresh token and save it to database but after that access_type=online will be enough.
I have read that google issues limited number of refresh tokens per client (I think the limit is 25 from what I read while I was searching) so after I got the refresh token I just want to use access_type=online.
But before the user logs in how should I know if I have the account associated refresh token or not.
I don't want to rely on cookies as user may remove cookies, several people use the browser and cookie might not equal to the user I have its acount and ...
Any Ideas how to detect it with google oauth or something like that before showing the login button?
You can just continue to use access_type=offline. It just won't give you a new refresh token after the first time. This will work until the user revokes access for your client in which case you'll have to get a new one anyway.