Frustrated!
I can get Sign In and Sign Up to work with UI customizations and an API connector integrated into a JavaScript SPA, using the latest Microsoft Authentication Library for JavaScript (MSAL.js) 2.0 for browser-based single-page applications, version 2.28.1, and the OAuth 2.0 authorization code flow (with PKCE).
Sign In works.
Sign In, then click "Don't have an account? Sign up now" and Sign Up works.
What I can't do is get going directly to Sign Up to work. I'm utilizing a User Flow, and I'm so close to getting past this hurdle and finishing up the migration.
When I pass prompt="create" in the loginRequest, I get an error that "create" is not an allowed option. It's in the MSAL documentation in one place, but in another it states that only "login" is allowed. But there's GOT to be a way to load the Sign Up page first and NOT have to go through the Sign In page.
https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_browser.html#popuprequest
E.g. the error returned: error=invalid_request&error_description=AADB2C90043%3a+The+prompt+included+in+the+request+contains+invalid+values.+Expected+%27none%27%2c+%27login%27%2c+%27consent%27+or+%27select_account%27.
Other docs I found state that I have to "Enable guest self-service sign up via user flows"... When I go to the AAD B2C tenant, this screen doesn't look like the one that is available, so the docs are old, because everything changes so often:
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/self-service-sign-up-user-flow
I tried another route and set up a Sign Up-only user flow. When it returns to my app, it returns nothing. The user is created, but NOT signed in. There are pre-request values stored in sessionStorage, but nothing to tell me whether it worked or failed, just nothing. But if the user then clicks on Login, it auto-logs them in, bounces back, and the user is fully logged in.
And there was this:
https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/FAQ.md#how-do-i-implement-self-service-sign-up which at the end states "Please note that self-service sign-up is not available in B2C and test environments." What?!? So is what I am trying to do NOT supported? It makes no sense why not. What's the point of offering B2C if a user can't Sign Up????
Any help is greatly appreciated, thank you!
Rob Bramhall
I have a Firebase-backed React Native application which allows customers to sign in via email/password, Google ID or Apple ID. It's mainly working fine, but I've noticed a UX problem which stems from the behaviour of the signInWithCredential method, which creates a new user implicitly on first sign-in.
You create a new user in your Firebase project by calling the createUserWithEmailAndPassword method or by signing in a user for the first time using a federated identity provider, such as Google Sign-In or Facebook Login.
https://firebase.google.com/docs/auth/web/manage-users#create_a_user
This seems handy and meant my "register" or "sign up" function was basically the same as my "login" function.
However, from the customer's perspective it's confusing. E.g. if they come to the app, forget they used email/password to sign up, click "Sign in with Google" and click accept in the OAuth popup, then they get logged in to a brand-new account they've never used before, and of course their previous data/history/purchases are absent.
If a new customer signs in via OAuth, I want to receive the auth/user-not-found error as listed in the API docs here, so that I can present the "normal" UX of saying "You don't have an account with those credentials, please sign up first" or similar, to apply some friction and help the user realise they're on the wrong path. I.e. I want sign-up to be completely independent from sign-in and prevent accidental, spurious accounts from being created.
BTW, I understand (and have tested) that if a customer subsequently uses a second provider which shares the same email address already registered, then Firebase does some clever stuff to migrate or unify the accounts. But I can't be sure a customer's Google ID would match the email they used with an email/password account creation (e.g. work vs. personal, or other reasons), so there would still be duplicate/spurious accounts. (There's also the "one account per email" option to tweak this.)
I actually find it curious that there don't seem to be any discussions about this, as the lack of a "don't auto-register" flag prevents a typical UX supporting a clear difference between "new here? signup" onboarding vs. "got an account? login" for existing customers. So perhaps I'm missing something obvious.
After discussing with a few people, I have a tentative answer - you can't prevent it.
It seems this is pretty much standard behaviour from auth providers like Firebase, and apparently most people would expect this UX. I just must be in the minority.
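The thread settles on "you can't prevent it". What an app can still do, shown here as an added example that comes from neither poster, is detect the implicit creation after the fact: the Firebase JS SDK reports it as additionalUserInfo.isNewUser on the UserCredential that signInWithCredential resolves to. The decision logic below is plain JavaScript over constructed credential objects, so it runs without the SDK; the async wrapper marks where the real auth.signInWithCredential, user.delete() and auth.signOut() calls go (the namespaced v8-style API is assumed). Deleting the just-created user right after the sign-in is what turns "silently registered" into the "no account, please sign up" path the question asks for.

```javascript
// Decide what to do with a federated sign-in result, given which screen the
// user started from ("login" or "signup"). Pure function over the
// UserCredential-shaped object the SDK returns; only additionalUserInfo.isNewUser
// and user are read, so anything else on the object is ignored.
function classifySignIn(intent, userCredential) {
  const info = userCredential.additionalUserInfo || {};
  const isNew = info.isNewUser === true;
  if (intent === "login" && isNew) {
    // Firebase created an account nobody asked for: undo it and report the
    // user-not-found case the UI wants to show.
    return { status: "user-not-found", undoAccount: true };
  }
  if (intent === "signup" && !isNew) {
    // The provider identity already maps to an account; treat it as a plain login.
    return { status: "already-registered", undoAccount: false };
  }
  return { status: isNew ? "created" : "signed-in", undoAccount: false };
}

// Wrapper around the real SDK calls (assumed v8-style API; not exercised here
// except through fakes). signInWithCredential may itself reject with
// auth/account-exists-with-different-credential when "one account per email"
// is on; that error propagates to the caller unchanged.
async function signInWithIntent(auth, intent, credential) {
  const result = await auth.signInWithCredential(credential);
  const decision = classifySignIn(intent, result);
  if (decision.undoAccount) {
    await result.user.delete();   // no re-auth prompt: the sign-in just happened
    await auth.signOut();
    return { ...decision, user: null };
  }
  return { ...decision, user: result.user };
}

// Constructed sample results in the shape the SDK returns.
const sampleNew = { user: { uid: "new-uid" }, additionalUserInfo: { isNewUser: true, providerId: "google.com" } };
const sampleExisting = { user: { uid: "old-uid" }, additionalUserInfo: { isNewUser: false, providerId: "google.com" } };

console.log(classifySignIn("login", sampleNew));       // user-not-found, undoAccount: true
console.log(classifySignIn("signup", sampleExisting)); // already-registered
```

The delete-and-sign-out branch is the only part with a side effect, so it is worth keeping it behind the pure classifier: the UI decides from the returned status, and nothing downstream ever sees a user object for an account that was immediately removed.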
I'm incorporating Google Sign-In for my website and the basic setup is working fine; however, I'm having a problem managing the user's login status.
I came across the SO question below, which suggested using sessionStorage/localStorage to carry the login status across pages of a website, and clearing the stored info when the user signs out.
https://stackoverflow.com/a/40206395/5345604
I'm afraid I don't entirely understand the suggested implementation, though. What if the user signs out of his Google account somewhere else, say from Gmail or from Google Maps? In this case, when the user revisits my website, how can I detect that he is no longer signed in with Google and remove the stored client-side session? Or is this not the way it is supposed to work?
On top of the above question, I'm also thinking about the authentication with my backend (PHP). Given the ID token, shall I send it to my server and authenticate it with the Google API Client Library every time? Or shall I authenticate the user only once, store a flag in $_SESSION, and then destroy the session when the user signs out? (Given that the token is in fact a JWT, I suppose the implementation is meant to be stateless and requires the token to be passed to the server every time? Are there any concerns with implementing it with the traditional approach of a server-side session?)
I can only answer your first question: The login of your website is completely separate from the login status of other Google services. Even YouTube is separate from google.com.
I am using a Google App Engine (Java) with Google Cloud Endpoints. I would like to use Endpoint's built in authentication, and am doing so successfully with Google Sign-In for Websites.
Can you change the sign-in button behavior so that, upon clicking the button, the user is redirected to the Google sign-in page and back, rather than a new window opening? This would really improve the UX, especially on mobile.
In addition, is it possible to redirect non-logged-in users automatically to the sign-in page?
AFAIK there is no possible way to get the login into the same window. You can definitely post a Feature Request for such a thing on our issue tracker here.
To answer your second question: yes, it is possible to send non-logged-in users directly to the sign-in. You just need to check, at the top of your handler, whether the user is signed in, and kick off the authentication flow if he isn't.
I am following the authentication steps for AMS as described here:
http://azure.microsoft.com/en-us/documentation/articles/mobile-services-html-how-to-use-client-library/#caching
From a Kendo UI mobile app (JavaScript), I can log in using Google as an authentication provider with client.login("google"), execute authenticated AMS custom API calls, and also do client.Logout() via a button, which seems to successfully disconnect me from AMS.
On a subsequent client.login(), however, I do not get the Google account login window. It is seemingly stored in a cookie and the user is logged in automatically, thus not giving me a chance to log in as another user.
I was wondering what additional actions besides client.Logout() I must do to initiate the Google login screen on the next session after the user decided to logout. I do not want to force the user out of his Google account, as this would be impolite, just log him out of my application.
I know this question is old, but since it is not answered and I figured it out recently, I decided to post the answer here.
When you go to google.com you can add another account (top-right icon). After that, after each logout you can choose which account you want to use to log in to your application. And you can even add other accounts to log in with.
I have a public-facing web app that will be in a kiosk-like environment. The app requires users to log in with Facebook in order to interact with the app. I am not requiring users to register or to sign up for the site, but rather just log in so the app will have access to their basic info.
This works perfectly, but the issue is that when a user logs out and the app is ready for the next user to log in, the previous user's email address is in the OAuth form.
Is there any way to keep this from being persistent?
EDIT:
To log in, users are being redirected to the Facebook OAuth Dialog page. Once the user logs in it redirects back to the app. It's not really "authenticating" for the app, I am just using Javascript to show the app content once the Facebook JS API detects that a user is logged-in.
Edit
For some reason I cannot log in with my account "kevinj". Anyway, I should have been more specific in regard to the setting of this app. It is an iPad web app, and the tablet device will be handed out to users for interaction and gathering data.
I have "fixed" this issue by forcing FB to use the desktop browser-based OAuth dialog instead of the Touch version. This allows the user to un-check the "keep me logged in" option and clear out their info after logout.
Thanks for the suggestions and input. I wish I could close this question out but can't log in to my account.
Since you are in a kiosk-like environment, I suppose you have access to the browser's options?
If that's the case, then I think turning off form history will do the trick. (Firefox example)
Have you tried adding "autocomplete="off"" to the HTML field?