We are connecting to facebook via the api secret key etc… but when ever a fb user changes their password the tool disconnect… How can we stop this from happening
This is expected behavior. When a user changes their password, all access tokens are revoked for all applications that the user has installed.
There is nothing you can do to prevent a user from changing their password. What you will be able to do is detect an invalid token when the user arrives and re-authenticate them to generate a new token.
Related
I am trying to build a REST API that will login to Facebook using socialite with lumen, a micro-service of Laravel. I have set up my Facebook app and configured the client_id, secret and access url accordingly.
The work flow is:
Here is the work flow
1.get user details from socialite
2.check the user existence with email ,if its exists execute auth::login, otherwise create a new record in users table and redirect to profile.
The program now redirects me to Facebook, however once the user presses the login button, it returns the following error:
Client error: `POST https://graph.facebook.com/v3.3/oauth/access_token` resulted in a `400 Bad Request` response:
{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100,"error_subcode":*****,"f (truncated...)
I am confused as it has not been long since I generated the token and no user login/ permissions have changed, so the token should not be expired. Do I need to store the access token in a database in order to grant the user permission or is there some way to store it in a user's browser session?(I already have a database configured on forge for user name and email)
I'm trying to implement OTA (one time access) using WSO2 (IS 5.7.0, AM 2.5.0, EI 6.4.0), and I need to find a way to generate user access token.
I have tried:
using admin service for password recovery. Disadvantage is email template is bound to password reset, but OTA is not a password reset scenario, so using password recovery email template will be spoiled.
find admin service that generate user access token, but nothing was found
find WSO2 extension\plugin, but nothing corresponding was found
using OTP, but met an error like this: https://github.com/wso2/product-is/issues/1860
Even admins are not allowed to generate tokens for a user without their consent.
For one-time password, this should work.
https://docs.wso2.com/display/IS570/Configuring+Email+OTP
You can write a custom grant handler, to authenticate user, not via password, but using something he has unique(mobile no, email, etc) as per your requirement and generates an access token from that grant.
You can easily do a token call to WSO2 Identity Server through your custom grant and get the access token.
You can check out for more details in [1]
[1] https://docs.wso2.com/display/IS570/Writing+a+Custom+OAuth+2.0+Grant+Type
I have created a website which allows the user to authenticate against oauth2 (from another provider), the basic flow is (assuming a new user):
The user loads my webpage
An OAuth request token key and secret is provided by the OAuth endpoint
I store the request token into the user's cookies
The user is redirected to the OAuth authentication page from an external provider
The user accepts and is redirected by to my webpage with URL parameters which specify the OAuth verifier and OAuth token
Using the request token (retrieved from cookies) and OAuth verifier (passed via URL parameters), I am able to get an access token key and secret from the OAuth endpoint.
I am now able to authenticate with the providers API and use that to get the logged in user ID.
I then store into a MySQL database, the user ID, a token which I generate as a random unsigned integer, OAuth token and OAuth secret. In cases of the token I generate already being in the database, I just continue in a loop until a unique token is generated. The MySQL database has a strong name, username and password. The database user can only access the table in question and only has privileges to add an entry, delete an entry and make a query.
I clear the request token from the user's cookies and instead store the user ID and my generated token.
When a user comes back to my website, I check if they have the user ID and token stored in their cookies, if so I attempt to look up the OAuth token and secret from MySQL. If they are found, I test they are still valid (does the API endpoint accept them) and if so, the user remains 'logged in' to my website. In cases where the user ID or token isn't found in MySQL or cases where it is found, but is not accepted by the endpoint (expired?), I just go back through the flow above.
The above all works correctly, new users can successfully authenticate, returning users find the website remembers them. I do not expose the OAuth token key or secret to the user and instead, give the user this token ID which I generate.
Are there any problems with what I am doing?
Should I be encrypting the OAuth token key and secret in my database?
Is there a problem with the fact if someone was to gain access to the token I generate, along with the user ID, they would be able to call my scripts. Is this a problem?
Should I be encrypting the user ID and token I generate before storing it in the user's cookies? Taking into account, ultimately whatever is stored in the user's cookies will get passed to my script, so if I were to encrypt, store to cookies, then next time read from cookies and decrypt, the user would still be able to access my endpoints by simply passing the encrypted version (assuming the server decrypts, if the client decrypts then the decryption key would be accessible via the users browser anyway), which doesn't immediately appear to offer any further security.
My goal is to tighten up the steps above so it is deemed robust and secure. The actual use case for my web site means it'll only have a tiny number of users (if any) using it. It was more of a learning process for me, combined with implementing something I actually need. But for the learning aspect alone, I would like to make everything sensible and secure. I am not trying to be overly pedantic and implement steps no other similar websites would implement, basically I would like my site to be secure enough that if there ever was a problem, no one could point a finger at me and say I didn't implement an adequate security system.
is it possible in wso2 identity server when user is disabled or locked by admin or any other scenario and then user session can be invalidated just in time and user's authentication token is disabled?
Once user login and have a valid session, but after this time, admin lock the user and deactivates user account. now user will access to protect resource and will against as your token is validate. is user's token valid yet?
Please specify the IS version that you are using. In IS 5.1 the user can't access to any resource once his account is locked. I'm not quite sure about IS 5.0 though.
Thanks
I have a mobile application that supports classic login (with email/password) and facebook login. In case of facebook login, I wonder if user can skip entering the password ?
In more detail, the user table will just have email, password_hash (optional field).
All the interactions user does with the system will be via a token (not the facebook token) that the server sends back.
After when user logs in (on a different device for example) via Facebook button, the server will check their account by querying user email in graph API using user's facebook token. The returned email will be checked against the email provided by user. If they are equal, a token is created and sent back to client.
So the schema will be
Client (mobile app):
user clicks 'log in'
app gets facebook_token and email.
App sends this token and email to server
Server:
uses the facebook_token to get user email from graph API.
if returned email == provided email, create a token and send it back to client.
Client: receive the token and do all the transaction with this token.
Thanks in advance !
The user cannot skip entering a password if they aren't logged into Facebook.
The app should never ask a user for his/her password. OAuth exists for this reason.