Single Sign out in All application using Auth0 - javascript

I have URL "http://mywebsite.com" like this. I am using Auth0 for login my web application.Once the user logged in my application i will logging the user to my wordpress site and other website using the same login(Single Single Sign On). Once the user logged out from my application I need to logged out from wordpress and other website Also(Single Sign OFF/OUT).
Is it possible?
please suggest better option

Haven't had any experience with doing this personally, but this is straight from the docs on Auth0:
"This will clear any single sign-on cookies set by Auth0 for that user. If you also want to log the user out of their identity provider, add a federated query string parameter to the logout URL:
https://appname.auth0.com/v2/logout?federated"

I have the same requirement at this point. I am also using Auth0.
From their documentation, I understand that calling the Auth0 logout endpoint will only clear the SSO cookie on Auth0 and It does not logout of all other applications. It is our responsibility to clear the Sessions for each application.
The same is explained using a Auth0 anjularjs sample here https://github.com/auth0/auth0-single-sign-out-sample
Hope this helps.

#udayr answer led me on the right path:
I'm actually using ASP.Net Owin, so I created an overload of the LogOff endpoint at the Auth0AccountController of all my Apps like this:
[HttpGet]
public ActionResult LogOff() {
return this.LogOff("");
}
Then I added an SLO (Single Log Of) view and put the following code on it:
<iframe id="app1" height="0" width="0" src="http://app1.localtest.me/Auth0Account/LogOff"></iframe>
<iframe id="app2" height="0" width="0" src="http://app2.localtest.me/Auth0Account/LogOff"></iframe>
<h2 id="message">Logging off, please wait...</h2>
<script>
var app1Ready = false;
var app2Ready = false;
$('iframe').load(function (e) {
switch ($(e.target).attr("id")) {
case "app1":
app1Ready = true;
break;
case "app2":
app2Ready = true;
break;
}
if (app1Ready && app2Ready) {
$("#message").html("You have been Logged Off successfully!");
}
});
</script>
Basically, we need to make a Get call to the new LogOff end point via the iframes, the oly drawback is that all the aplications needs to know all the others applications' Log Off URLs, and this needs to implemented on all of them.

To log out the user from multiple applications, you can always check auth0 session has expired or not for the user by using the checkSession() method periodically. If there is no active session for the user, you can log out the user from your application.
// check every 15 minutes if the SSO session is still active
setInterval(function() {
// if the token is not in local storage, there is nothing to check (that is, the user is already logged out)
if (!localStorage.getItem('userToken')) return;
auth0.checkSession(function (err, data) {
if (err) {
// if we get here, it means there is no session on Auth0,
// then remove the token and redirect to #login
localStorage.removeItem('userToken');
window.location.href = '#login';
}
});
}, 900000)
https://auth0.com/docs/sso/current/single-page-apps#single-log-out
https://auth0.com/docs/migrations/guides/legacy-lock-api-deprecation#session-management
To clear the server session, all you need to do to redirect the user to /v2/logout endpoint.
https://auth0.com/docs/logout/guides/logout-auth0
If the users are logging in using the external identity provider, you can force the user to logout from IDP by adding federated querystring parameter when calling /v2/logout endpoint
https://auth0.com/docs/logout/guides/logout-idps
In the case of SAML IDP, you must configure SAML Logout URI in the connection settings.
https://auth0.com/docs/logout/guides/logout-saml-idps

Related

How can I check or verify that a user is signed in with AWS Cognito Javascript?

I am creating a React web app where the user sign in/up and other authentication related processes are being handled by AWS Cognito and the accompanying Javascript SDK.
My app has some 'public' routes/pages that everybody, signed in or not, can view, such as /documentation/ and /sign-in/. There also exist various private routes which you can only see when you are logged in, such as /my-documents/.
At the moment, I have a working sign in page, where a user is signed in with code very similar to use case #4 (Cognito Docs).
My question now is: as soon as a user goes to /my-documents/, how do I check whether the user is signed in and actually has the rights to see this page?
I am not using AWS Amplify for the authentication in my app. I only use the NPM package 'amazon-cognito-identity-js'.
This is the code I currently use to check if the session is valid, in other words if the user is successfully signed in. This however, seems like a cumbersome way to check such a simple status.
const isAuthenticated = () => {
const cognitoUser = userPool.getCurrentUser();
let isSessionValid = false;
if (cognitoUser) {
cognitoUser.getSession((err: Error, result: CognitoUserSession) => {
if (!err) {
isSessionValid = result.isValid();
}
});
}
return isSessionValid;
};
isSessionValid is returned before the callback in getSession is executed.

meteorjs persistent setUserId to switch user

i'm trying to use meteor this.setUserId() server side and Meteor.connection.setUserId() client side . It is to let admin have control on all users accounts and to be able to login without passwords.
Server side:
Meteor.methods( {
"switchUser": function(user_id) {
this.setUserId(user_id);
return user_id;
}
});
client side:
Meteor.call("switchUser", user_id , function(error, idUser) {
Meteor.connection.setUserId(idUser);
Router.go('/profile');
});
It's working but is not persistent. After refresh or moving to another page ,the logged-in user is restored to the first (admin).
How can i swith user permanently with meteorjs ?
I dont know if it works but if you look on local storage you see that its set a login token Meteor.loginToken also among with user id Meteor.userId, maybe you have to set that too for the new user when you switch. Or you should consider making a method for login without password https://github.com/meteor/meteor/blob/master/packages/accounts-base/accounts_server.js#L107

How to handle user information using firebase simple login for facebook

I am building a webpage using AngularJS and Firebase. I want to use facebook login to connect information on the webpage with the user. Firebase has a version of simple login which I guess is supposed to simplify the login process.
My problem is that I want to access information about the logged in user in a lot of places on my webpage but I can't find a good way to do it.
This is how I started out:
var userInfo = null;
var ref = new Firebase('https://<yourfirebase>.firebaseIO.com/');
var auth = new FirebaseSimpleLogin(ref, function(error, user) {
if(error)
alert("You are not logged in");
else if(user)
{
//store userinfo in variable
userInfo = user;
}
else
//user logged out
});
//do something with userInfo
alert(userInfo.name);
My first thought was to run this at the top of my page and then use the info about the user. The problem is that the code using userInfo (as in e.g. the alert) will always run before the userInfo variable has been filled and userInfo will return undefined/null.
I then proceeded to always create a new firebasesimplelogin object when i want to retrieve user data. Which of course isn't very good. Especially since every created FirebaseSimpleLogin object will be called again whenever another is called or a user logs out, for example.
So my question is, how do I use FirebaseSimpleLogin to handle and use my user information in the best way?
I would have liked some function to getUserInfo() or check isLoggedIn() for example. How do you do this properly?
You can take a look at this example for thinkster. It's based on using simple login with userid/password. http://www.thinkster.io/angularjs/4DYrJRxTyT/7-creating-your-own-user-data-using-firebase.
You can create a function like getLoggedinUser that runs in $rootScope that will allow you to find the user throughout the application.
UPDATE:
Around the middle of October 2014, firebase made some big changes. This method might still work, but it's better to take advantage of the newer version of firebase, specifically getauth and onauth. These methods will allow you to do the same thing without running on the rootScope. https://www.firebase.com/docs/web/guide/user-auth.html#section-login
Please make a constant to use it everywhere in your App like that
.constant('facebookUrl', 'https://rjrestaurantapp.firebaseio.com');
Then in the controller inject this constant "facebookUrl & "$state" as shown below...
.controller('loginCtrl', function($scope,facebookUrl,$state){
and then you only need to give name of the state where you want to redirect after facebook authentication..
var ref = new Firebase(facebookUrl);
$scope.fbLogin = function () {
ref.authWithOAuthPopup("facebook", function(error, authData) {
if (error) {
console.log("Login Failed!", error);
} else {
console.log("Authenticated successfully with payload:", authData);
$state.go('restaurant');
}
})
}})
You can see the information in authData object after successfull authentication using facebook ....
please read this doc carefully https://www.firebase.com/docs/web/guide/login/facebook.html
The above is the example of simple login using firebase and for retrieving data for each logged in user, you have to store user information at the time of signin as you know that firebase makes every child with a unique ID .. then you only need to use the offline features of firebase that will find which user is offline and according to that remove the node with the same ID which one is offline, you can find examples in the MANAGING PRESENCE section of the below link ..
https://www.firebase.com/docs/web/guide/offline-capabilities.html

FB.logout() - no access token - "Log in as Different User"

This question is in relation to this question: FB.logout() called without an access token
I had a question i was hoping someone could help with.
I get everything in the link above, but how do you handle when someone uses a public computer and leaves themselves logged in to FB by accident? Then a new user tries to log in to an app, but it is not them. I want to have a button to log them out of FB altogether to "log in as a different user".
I cannot do that until they authorize the app, right? So they need to authorize the app under someone else's account and then log out? There has to be another way.
Any feedback would be great - tried searching for a while on this, but to no avail. I might be over thinking it, but there should be some way to "log in as a different user".
You can do something like:
FB.getLoginStatus(function(response) {
if (response.status === "connected") {
FB.api("me", function(response2) {
// notify the user he is logged in as response2.name, and if it's not him call FB.logout
}
}
else {
// prompt the user to login
}
}
Modify your logout to something like this :-
function logout(response){
console.log("From logout" + response);
if(!response.authResponse){
window.location = "/web/login/";
return;
}
FB.logout(function(response){
FB.Auth.setAuthResponse(null,'unknown');
logout();
});
}
i.e keep on sending logout request to Facebook till the actual logout happens.
Try to use Session and save the user's ID in that session.
You can control the expiration time of that session( by default its 20 minute if the user doesn't have any activity on the page)
then in each page Load even check whether the season is still active for that user or not.
page Load event:
if(Session["LoggedIn"]==null)
{
Response.Redirect("~/Login.aspx");
}
This code above will redirect user to login page of your website if the session has expired.

Facebook Connect Publish Stream JS Help

My site allow users to login via Facebook Connect and also allows them to update a status field our site. I want to include a checkbox below the status update field that will allow them to post this update to their Facebook profile as well if they so choose. In order to do this I need the user to grant our application permissions to post to their Facebook profile which is supported by prompting the user for 'publish_stream' permission using the JS function FB.Connect.showPermissionDialog http://developers.facebook.com/docs/?u=facebook.jslib.FB.Connect.showPermissionDialog.
The problem I'm having is figuring out if I need to prompt the user to do this. Basically the user experience I'd like to have is that when the user checks this box for the first time I want them to be prompted to grant this permission. Once that has been granted I won't need to prompt them in the future if they check that box again. I can't seem to figure out what JS to include in the onclick action of that checkbox that will check to see if the user has granted this permission and if not then prompt them, otherwise do nothing. Also after checking the box and granting the permission I want to do nothing (no page reload) but if they reject the request to grant permission I'd like the checkbox to be unchecked. I think I may need to use the FB.ApiClient.users_hasAppPermission JS function http://developers.facebook.com/docs/?u=facebook.jslib.FB.ApiClient.users_hasAppPermission but am still confused on what this would look like. The psuedo code for this would be:
onclick="
if(user_already_granted_permission) { do_nothing; }
else {
prompt_user_to_grant_permission {
wait_for_response_from_permission_dialog {
if(permission_granted) { do_nothing; }
else { uncheck_checkbox; }
}
}
}
"
One other thing worth noting is that I've already verified the user is logged in through Facebook Connect when the page was rendered. I'm hoping someone else using Facebook Connect has already been able to figure this one out. Thanks in advance for your help!
I recently developed an online demo that uses Facebook Connect and gets the friend list of a given user - it's not the same as your case, but I used FB.Facebook.apiClient.requireLogin to get the user logged, like this:
var api_key = 'd04fba62ff27c6c84a6b767d404bcec3';
var channel_path = '/xd_receiver.htm';
/* initialize facebook API */
FB_RequireFeatures(['Api'], function() {
FB.Facebook.init(api_key, channel_path);
var api = FB.Facebook.apiClient;
api.requireLogin(function(exception){
// user is logged in and my application
// has permissions to get friend list
});
});
You can do something like this:
FB.Facebook.apiClient.users_hasAppPermission('publish_stream', function(has_perms) {
if(has_perms) {
// User has granted the publish_stream permission
} else {
// User has not granted the publish_stream permission
}
});
The second param for the users_hasAppPermission function is a callback which returns the result of the check.

Categories