I am developing an MVC 4 app and use the OAuth providers provided by MS, but I would like to get an e-mail address for every user. For Google (default) and Facebook (using FacebookClient) I already get the user's address, but what to do about the following:
Twitter (I have read it is not possible - still true?)
Microsoft - solved (see comments)
Yahoo - works (see comment)
LinkedIn - solved via own provider like for MS
And what about, when it is not possible via OAuth like with Twitter?
I've read in different threads it is not good/secure to just ask the user for it. Is it "secure enough" if I also require a verification via e-mail to actually use the address (but not the account in general) as I (will) do when changing the address?
The purpose of OAuth is not to provide email addresses, it's to provide authentication in a standardized way. Just because a lot of the implementations also happen to give you the option of an email address doesn't mean that all of them must comply. Twitter is a case in point.
Why would asking a user for their email address not be "secure"?
I would question that, I mean if you can't trust a user's input regarding their email address, what can you trust them with? If you're using some sort of confirmation mail system it would surely be fine?
I want people to be able to vote on my site, but I don't like sites that force registration to do this. So my question is, is there any way to vote up/down, save the votes in a database, and make sure a person can only vote once? Without using cookies, I feel like it's too easy to just clear cookies and vote again.
Email "captcha" is always nice - in order to vote, user has to provide email address, you send a link to that email and calculate the vote only if user clicked on that link. One unique email can have only one vote.
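The e-mail "captcha" described in the answer above, and the confirmation-mail check the first thread discusses, as an added example (not code from any poster): a single-use, expiring token is mailed, the vote is recorded only when the token comes back, and one normalized address counts once. The confirmation URL is a constructed placeholder; the token is stored hashed so a leaked table cannot be used to confirm votes.

```python
import hashlib
import secrets
import time

class EmailVerifiedVotes:
    """One counted vote per verified e-mail address: submit -> single-use
    link mailed -> vote counted only when the link is followed."""

    TOKEN_TTL = 24 * 3600  # seconds a confirmation link stays valid

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (email, direction, issued_at)
        self._votes = {}    # normalized email -> "up" | "down"

    @staticmethod
    def normalize(email):
        # Case-fold and trim so Alice@Example.com and alice@example.com count once.
        local, at, domain = email.strip().lower().rpartition("@")
        if not (at and local and domain):
            raise ValueError("malformed address")
        return f"{local}@{domain}"

    def request_vote(self, email, direction):
        if direction not in ("up", "down"):
            raise ValueError("direction must be 'up' or 'down'")
        token = secrets.token_urlsafe(32)  # unguessable, single-use
        # Store only a hash of the token: a leaked table cannot confirm votes.
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (self.normalize(email), direction, self._now())
        # Caller mails https://example.test/confirm?t=<token> (constructed URL).
        return token

    def confirm(self, token):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)
        if entry is None:
            return "invalid"  # unknown, forged, or already used
        email, direction, issued = entry
        if self._now() - issued > self.TOKEN_TTL:
            return "expired"
        if email in self._votes:
            return "duplicate"  # this address has already voted
        self._votes[email] = direction
        return "counted"

    def tally(self):
        up = sum(1 for d in self._votes.values() if d == "up")
        return up, len(self._votes) - up
```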
You could store their ip address in the database. But that would mean that people sharing one Internet connection would not be able to vote once one person has voted. Also people with dynamic IP address could vote multiple times.
So there is nothing that would work really well apart from making them register. But you could simplify the logging in process with e.g. Facebook SDK for JavaScript (https://developers.facebook.com/docs/facebook-login/login-flow-for-web/v2.0). There are many others you can use in parallel (Facebook, Google, etc.). This way they would not have to manually register on your site. The down-side is that you require them to have a Facebook account. Some people also prefer not to tie their Facebook account to 3rd party sites (e.g. me).
You can collect details indirectly such as operating system, IP address, browser, plugins which are installed, all version numbers in that session and produce a hash.
By this, you can accomplish a reasonable vote ONCE on a website without authentication.
Your options are as follows:
Read their IP address
Cookies
User Agent
However, the best bet is by far a login solution.
The only way without cookies is that you store values in a database by their IP address for their identification.
But it will also not work perfectly, because
1) user can use a proxy.
2) people who share the same internet connection have the same IP address.
Your options could be:
1- Save IP (note that IP is changed on DHCP, dialup connections and proxies)
2- OpenID as you see in stackoverflow.com (note that user can use multiple IDs on Yahoo, Facebook, ...)
3- send a link to email address (note that user may use multiple emails)
4- use cookies (note that user can delete cookies)
I am required to write a small webpage / utility for both Google and Yahoo to validate their email addresses. Suppose I give two textboxes, one for Yahoo and the other for Google. When the user provides the email addresses and hits the GO button I want to show if the provided emails actually exist and are valid or not. Plus, I would also like to show any publicly available information like Name, Date of Creation of Account or anything else that is available.
I have tried searching the net but was unable to find any helpful material. Hence asking the question here.
Sounds like you need to implement OAuth in your application. By doing so, the user can click on the button of a network and login there. The user will be redirected back to your application with some details (depending on the settings), in most cases you will get the email address and user name.
The simplest way to implement OAuth I found was with Simple Authentication: https://github.com/SimpleAuthentication/SimpleAuthentication
An implementation I made: http://www.zonneprijzen.nl/Account after login go to: http://www.zonneprijzen.nl/User/Edit
Hopefully this solved your problem.
I am using DotNetOpenAuth to identify Google users. I am currently retrieving their e-mail address and saving a copy of that in my database. However, what if they change their e-mail address in their Google account? Then my copy can no longer be linked to their profile.
Is there a way to uniquely identify a Google account through DotNetOpenAuth?
Always use the IAuthenticationResponse.ClaimedIdentifier to uniquely identify users!
OpenID's security model is based on this design. Using email addresses is insecure in many ways. Any Provider can issue a positive assertion claiming that the user owns a particular email address. OpenID doesn't prevent the OP from lying about email addresses, so if you just used email addresses and the user key then you'd be wide open to user spoofing attacks. Even if the OP isn't trying to be dishonest, you couldn't generally trust it because you don't know whether the OP verified the email address or simply asked the user what their email address was.
Even if you trust Google to not lie, there are several reasons (some of them can be mitigated, but aren't obvious) to not treat email address as the user identifier. For example, Google lets users change the email address behind their Google account. If the user did this and then returned to your web site, your site would identify them as a different user. Even worse, if another user later claimed a recycled email address for their new Google account, your site would recognize them as the older user and give the new user access to a bunch of old user data.
OpenID Claimed Identifiers are designed to avoid all this trouble.
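An added illustration of the answer's argument (not DotNetOpenAuth code): a relying-party user table keyed by the Claimed Identifier beside the e-mail-keyed design it warns against, replayed through the two cases described, an address change and a recycled address. The claimed identifiers are constructed values in the shape Google's OpenID 2.0 endpoint issued at the time.

```python
class ClaimedIdStore:
    """Relying-party user table keyed by the OpenID Claimed Identifier.
    The e-mail address is stored as contact data only and never used
    for lookup, so a changed or recycled address cannot remap a user."""

    def __init__(self):
        self._users = {}   # claimed identifier -> user record
        self._next = 1

    def login(self, claimed_id, email):
        # Called only after the RP has verified a positive assertion.
        user = self._users.get(claimed_id)
        if user is None:
            user = {"id": self._next, "email": email}
            self._next += 1
            self._users[claimed_id] = user
        elif email and email != user["email"]:
            user["email"] = email  # refresh contact address; identity unchanged
        return user["id"]


class EmailKeyedStore:
    """The design the answer warns against: users keyed by asserted e-mail."""

    def __init__(self):
        self._users = {}   # email -> user record
        self._next = 1

    def login(self, claimed_id, email):
        user = self._users.get(email)
        if user is None:
            user = {"id": self._next}
            self._next += 1
            self._users[email] = user
        return user["id"]


def scenario(store):
    """Replay the two cases from the answer and return the user ids seen."""
    # Constructed identifiers in the shape Google's OpenID 2.0 endpoint issued.
    alice = "https://www.google.com/accounts/o8/id?id=EXAMPLE-ALICE"
    other = "https://www.google.com/accounts/o8/id?id=EXAMPLE-OTHER"
    first = store.login(alice, "alice@example.com")
    after_change = store.login(alice, "alice.new@example.com")  # Alice renamed her address
    recycled = store.login(other, "alice@example.com")           # someone else now owns the old one
    return first, after_change, recycled
```

With the claimed-identifier store Alice keeps her record through the rename and the newcomer gets a fresh one; with the e-mail-keyed store Alice becomes a new user after the rename and the newcomer inherits Alice's old record.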
I want to create a website that reads one's Gmail headers.
If I use DotNetOpenAuth to authenticate,
will I eventually get the user's user name and password for my application's needs?
It seems that the answer is no, for security reasons; that's what OpenID is for.
But then, I know websites that do so. How?
If you use protocols like OpenID or OAuth, you will not have access to the user's userid nor password.
Instead you will receive a unique identifier for the user, which does nothing more than tell you that the trusted provider has validated that the user logged into their provider's account successfully. It is your job to match that unique identifier with your application's user record.
Depending on the provider you use for authentication (Google, Yahoo, MyOpenId, Twitter, etc.), you may request additional information such as the user's email address and name, but you are not guaranteed to get even that.
Under no circumstances will you ever get to see their password, though. If you want that, then you will have to write your application to use your own authentication provider, like the built-in ASP.NET Membership provider.
The point of OpenID is as you say: delegate authentication to another so that you don't have to deal with the password (if there even is one).
Sites that have the user log in with Google, and then gain access to that user's data at Google aren't just using OpenID. They're also using another authorization protocol. Google supports a proprietary one and a more common standard one called OAuth. OpenID and OAuth can be combined such that the user visits Google just once to log in, and then your site gains the access it needs (if the user approves).
If you take a look at the DotNetOpenAuth sample OpenIdRelyingPartyWebForms\loginPlusOAuth.aspx you'll see an example of the user logging into Google, and by doing that giving the site the ability to download the user's Google address book. This can be easily changed to include permissions to do other things (like read email headers) but you'll need to read Google documentation (GData) to learn what scope to use and APIs to call to obtain this information.
Under no circumstances should you be collecting the user's Google password yourself. I suspect that would be a violation of the Google terms of service anyway.
After I did some research on the subject, I found that Windows Live stopped providing email addresses for a user's contacts through its API. Instead, they provide the email hashes.
I did a little more research, and I found many websites being able to retrieve the contact list for a user and displaying it (with emails, not hashes) but the difference is that I don't think they are using OAuth since to retrieve the emails, the user must provide his email/password.
I need to implement importing a user's contact list on my site and I see no workaround to doing it using OAuth REST requests through Live's API (granted that I was able to get the access token and make other REST requests).
If not using OAuth, what are other ways of getting a Windows Live/Hotmail contact list?
I ended up using Windows Live ID's Delegated Authentication. Even though it's deprecated it'll have to do until I find a more effective solution.