I just implemented Google JavaScript sign-in button to our homepage, and everything works the way it suppose to, but thats sometimes bad..
So the thing is that our users use our application on the same computer, 3-4 different users per day. Having a google sign in gives us access to implement some Google product features in our own site.
I understand that sign-in with google signs you into the Google account, and also gives permission to application.
Also i understand that this is the way it works to make the life easier for user, not to sign in each time on every site.
I can easily remove the application permission via GoogleAuth.signOut() or GoogleUser.disconnect(), even with GoogleAuth.disconnect(), so the .isSignedIn() will become false, so the user will always have the prompt screen, also i use prompt: 'select_account' on .signIn() to make sure even single user will get the prompt screen.
The problem is when the 2nd user enters to our login screen and chooses "Sign in with Google", he can actually choose any previous user in the prompt screen and enter into our application as not himself, but actually can choose the previous user and authenticate himself as the other without entering any password.
Password will be only asked if previous user also logs out from his Goole account.
I know a hack is to redirect user to URL:
https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=YOUR_REDIRECT_URL
But thats seems like a very poor solution, because our users use our application also with their personal devices, so its kind of bad if they get logged out from all applications they have signed into.
I know asking password on each sign in is not the way auth2 intended to work, but i'm sure there is a way forcing user to enter password on each time they press "sing in with google" button.
Ive spend multiple hours on searching for a solution and tried multiple things, i hope someone of you can point out the needle in the haystack that i missed
Related
In my project, I use regular popup client-sided JS authentication (platform client)
I migrated from old Google Sign in to new Google Identity Platform (gsi client)
I used the simple exemple code
window.onload = function () {
google.accounts.id.initialize({
client_id: 'YOUR_GOOGLE_CLIENT_ID',
callback: handleCredentialResponse,
auto_select: true
});
google.accounts.id.prompt();
}
My problem is, each time a user reload the page, he gets the One Tap UX prompt which take tremendous time
A second problem to that is if a user have 2 Google account connected to his browser, the prompt ask him to choose the account everytime he reloads (like it's not saved)
How can I achieve the behavior I had with the last library which is too simply have nothing changed at page reload but only when connecting the first time ?
I think Automatic sign-in is what you need.
Google One Tap supports automatic sign-in, which provides a frictionless user experience (UX) by removing the manual steps visitors must take when returning to your site. Users don't need to remember which Google Account they selected during their last visit, decreasing the chances of unnecessary duplicate accounts being created on your platform.
Automatic sign-in is intended to complement our Sign In With Google button and One Tap dialogs. It is designed to be used across your entire site, with manual sign-up or switching accounts occurring only after the user has first signed-out of your site.
To enable automatic sign-in, add data-auto_select="true" to your HTML code, as shown in the following snippet:
<div id="g_id_onload"
data-client_id="YOUR_GOOGLE_CLIENT_ID"
data-auto_select="true"
data-login_uri="https://your.domain/your_login_endpoint">
</div>
Refer: https://developers.google.com/identity/gsi/web/guides/automatic-sign-in-sign-out#sign-in-users-automatically
After some research it was determined that this issue might be caused by callback function that handles an ID token.
I would like to add that your Singing method is correct and other users also do it this way as seen here.
I think you should take a look at the Authenticate with a backend server guide to know how to handle these tokens, .
I am trying to understand what Apple is imposing as its new policy to ask developers to use Apple's own authentication mechanism.
Apparently Apple is using a different method compared to other authorization providers, such as Facebook and Google.
Apple's approach is, you receive the name and email at first login (say sign in). And after that you only receive a user id (something like 001134.432857YEASUREe274bxy231b3.0884 which means nothing unless you save it along with email and user name at the sign up).
Up to now everything seems fine.
The part that makes me confused starts here.
According to GDPR, as far as I know, you have to provide users a right to delete all their data from your servers.
And in this case, once we delete a user's all data then the correlation between "email+fullname vs user id" is lost for ever.
If the same user decides to reactivate herself, this time Apple will not send you email+fullname and this will impact the user experience.
Is my understanding correct? What is the solution for this problem?
References:
https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/verifying_a_user
https://docs.expo.io/versions/latest/sdk/apple-authentication/
I have built an e-commerce website using express.js. The authentication method used is passport.js. We store the cookie with all the information we need in redis.
Everything was fine until we started driving more traffic.
Now the problem
When user A comes to the site, logs in and makes a purchase, every day or two 2-3 customer details are wrong.
User A comes to the site and make a purchase. The email and address of the user A sometimes becomes the email and address of user B
We cannot easily replicate this as this happens only once in 50 purchases.or sometimes twice in 50 purchases.
So I had to call all my contacts and check what is the wrong thing we have done. And curiously one guy replied me that he also have the same issue. He is saying it the problem with passport.js, and he wrote custom authentication method to remove passport and till now he has not faced any issue. He also uses exactly my set up. NODE-EXPRESS-REDIS
I am quoting his words here
Whenever a user logs in from one computer, open the site in another computer then refresh the page, You can see the logged in details of the first user in second computer, and this issue is not frequent but it comes once in a while
I have a webpage that asks for a username and password. The problem is, it only asks the first time. After that, it bypasses that. This is an alert with a username and password place. How do I disable this saving feature so that it prompts every time the page loads.
It should be noted that the desired functionality goes against the way in which HTTP basic authentication was designed to be implemented.
However there are a few ways in which you could automatically "log out" the user so that the next time the page is visited, the authentication dialog box will appear again, prompting the user for the username and password.
One way to accomplish this requirement would be with a JavaScript solution, checking if the user has been idle for a certain amount of time, and if so log out the user.
There are a number of solutions listed here, including a Javascript based solution:
HTTP authentication logout via PHP
I am working on my first chrome app and am trying to learn by digging through some of the sample apps. Right now I am working with the gdrive app (https://github.com/GoogleChrome/chrome-app-samples/tree/master/gdrive).
The README says that this app "uses the chrome.identity.getAuthToken() API to perform OAuth2 and access the Google Drive API."
When you authorize the app, a screen pops up confirming your authorization and in the top right corner it has the email you are trying to sign in with (johndoe#gmail.com).
I want to save "johndoe#gmail.com" as a string so I can display it when the user is logged in.
Does anyone know how I would go about doing that? I am fairly new to using these APIs, so I am a bit clueless.
Thanks!
It's pretty easy to display the name that the user probably wants you to display ("Eric Austin" in your case). https://github.com/GoogleChrome/chrome-app-samples/tree/master/identity demonstrates how to do this. Look for the displayName field in the personal data response.
If you really want to display the user's email address (and take the risk that many users will decline to give your app access to their contact information), check out Google's OAuth2 docs and follow the steps to obtain the id_token listed in Step 5.