Sign in through Google


Lavo

Let's say Google Log-in 1.0.3 is enabled on Site X. Someone uses it to log in via a public computer. Then they log out of the site, but not Google, without clearing the cache, thinking that everything is all well and good.

Then someone else comes along, chooses to log in via Google on that site, and BAM, they are logged in as that user on that site.

;)

I feel your pain.


1.0.3 should resolve... as well as maybe give you toys to tinker with... dunno.


use something like:



#googleIcon img { margin-right:5px; }


... put unique selectors on them for sanity's sake :tongue:



Thanks, but where do I change that?


Hi MT, I meant a security issue for the IPS site, in terms of anyone being able to log in as a user that has already logged in, immediately, without a password request. I didn't mean that someone could steal the Google account, password, etc.



Sigh... I add setting, but you still don't get it: you are logged into Google, you authorized me to use your information to make an account, and you are still logged into Google even though you logged out of IPB.
Google is logging you into IPB because you are still logged into Google.
Log out of Google.
It will ask you to log in (trust the guy who's used up over 300 API calls in tests this day alone, k -.- ).
If you hit sign in with Google and you have an account, you are basically logging in through Google, not IPB; you log INTO IPB, but you are authorized to do so by your Google account.
I can add a setting to force the prompt.
I cannot force a password, unless by chance you are logged out of Google.
The instant I call it as not a local account in the local Member create, IPB takes off.... I could not force a password on that screen, not for lack of a massive want to.
But... good god, is on a level of SSO, is just Google doing the legwork, not IPB.... this truly makes my head hurt.... that you don't get it's literally you being logged into Google that is logging you into the forums like that.... IS one-click login.

But there is no explicit indication that logging out of the site will not reset the re-authentication requirement for subsequent log-ins at the site if one does not log out of Google. That's part of the security risk.

Here are some options to possibly resolve the issue:
1) Like was suggested, force an optional Google log-out upon log-out of the site.
2) Alternatively, at minimum, a warning message should be displayed notifying that if one logs out of the site after having logged in via Google, anyone can immediately log in as that user on the site, unless they also log out of Google, etc.

Also.... how... if i may so brazenly ask, is this any different from IPB FB/Twitter?
Or logging in through any single other google login for any other system in existence?
They ask for access, you grant it, you login at whim... I'm confused beyond belief here... I am getting sleep.
I will add forced prompt setting to the api honored, with manual usage allowing override.
my head simply hurts here... you raise a free mod to a higher standard than IPB.

Holy crap.... I just tested the Facebook log-in on an IPS site and it looks like you're right about that. o__O

I would have sworn that on other sites I tested on, it wasn't as easy to log back in though, even if still logged in via, say, Facebook, without setting a local password.

Very surprising indeed. I would have expected higher security measures, but apparently they might not give a fudge about other sites' potential security issues in such aspects.

At the end of the day, it is your responsibility to test every implementation for your own security levels.

You cannot blame Facebook, Twitter, Google etc., if your level is set higher than theirs, and you certainly cannot blame Marcher.

Only enable those login methods that you are comfortable with. However, I bet you tick the box 'remember me' on sites? If you do, then your set can be used to log into locations without your knowledge if you let anyone near your set. In the same way, if you leave your front door on the latch, it does not mean that the locking mechanism is poorly designed; it just means that you are using it to your benefit to ease your entry and exit at certain times of the day.

I never enable a 'Remember Me' option on any site. The thing is that I rarely if ever use Facebook, Twitter, etc. as browsing methods on other sites, so hadn't seen that they haven't taken the necessary precautions to resolve the security issue I was referring to. The fact that such an issue exists is very surprising indeed. That analogy doesn't quite match up.

Anyway, Marcher, sorry for pinning that out in your mod specifically, as I didn't realize that was also the case for the other log-in types. I still think that it's a security issue, but if Facebook Log-in and Twitter Log-in aren't doing it, and they're still getting by somehow, nor should this mod have to do it. We'll just all tend toward anarchy. :)



Hello. I was just curious if anyone else was having a problem with staying signed in. I login through this mod, and I leave and come back, and I have to login again. Is there a fix for this?



Thanks



Define leave and come back?
I do not go about signing you out, once you are logged in IPB is handling whether or not you are logged in, not this login module.

For example, I click the tab off. I can come back later, and I have to login again.

There.... Popup Prompt added with options functional.
"Remember Me" being checked basically says you want Google to remember you gave it access (uncheck to force a prompt) as well as the IPB end.
Login Anonymously is present if enabled on said form and honored.
Added skin Templates, refreshed the dev docs, and enhanced the usage of the "state" URL parameter to handle IPB request passing.



sorry if this is a dumb question, what are those new skin templates you mention for?


and the state parameter, what is its function in the login process?



thanks for keeping this so updated!



Templates are for the html return that doesn't belong in the hook code IMHO.
state is the only way to pass data to Google for it to hand back to me (all request data gets cleared).
Is basically a go-between so that the fact you said remember me or to login anonymously, or even your auth_key (which is something IPB needs to allow login) is not forgotten in transport.... I enhanced it to allow a sane passing of more than one item.
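The `state` round trip described in the post above, as an added example that is not part of the thread and not the mod's own code: several values are packed into one `state` string and covered by an HMAC, so a value changed between the redirect to Google and the callback is detected. The function names, field names, 10-minute lifetime and key handling are assumptions.

```php
<?php
// Added illustration. Function names, field names and the key handling are
// assumptions, not code from the Sign in through Google mod or from IPB.

function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $text): string
{
    $padded = $text . str_repeat('=', (4 - strlen($text) % 4) % 4);
    return (string) base64_decode(strtr($padded, '-_', '+/'), true);
}

// Pack several values into one state string: base64url(JSON) "." base64url(HMAC).
function pack_state(array $items, string $key): string
{
    $payload = b64url_encode(json_encode($items + ['iat' => time()]));
    return $payload . '.' . b64url_encode(hash_hmac('sha256', $payload, $key, true));
}

// Return the items, or null if the state was altered, malformed or too old.
function unpack_state(string $state, string $key, int $maxAge = 600): ?array
{
    $parts = explode('.', $state);
    if (count($parts) !== 2) {
        return null;
    }
    $expected = b64url_encode(hash_hmac('sha256', $parts[0], $key, true));
    if (!hash_equals($expected, $parts[1])) {   // constant-time comparison
        return null;
    }
    $items = json_decode(b64url_decode($parts[0]), true);
    if (!is_array($items) || !isset($items['iat']) || time() - $items['iat'] > $maxAge) {
        return null;
    }
    return $items;
}

// Constructed sample values; a real key is a server-side secret, never sent to the browser.
$key   = random_bytes(32);
$state = pack_state(['remember' => 1, 'anonymous' => 0, 'auth_key' => 'EXAMPLE_AUTH_KEY'], $key);
var_dump(unpack_state($state, $key));   // the three items plus iat

// Payload changed after signing while the old MAC is kept: unpack_state() refuses it.
$changed = b64url_encode(json_encode(['remember' => 1, 'anonymous' => 1, 'iat' => time()]));
var_dump(unpack_state($changed . '.' . explode('.', $state)[1], $key));
```

The MAC only shows that the values were not changed in transit; anything carried in `state` is still visible to the browser, so it should hold nothing that must stay secret.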

Hi,

I cannot seem to position the button correctly under Hook Setup->Files. It is always on its own line and has the light blue background bar. I want it on the same row as the other login button. Especially on the inline login and also registration (but I'm willing to live with it on a second line here since there doesn't seem to be room). I'm only using Facebook and Twitter for my other logins.

How are people with the screen shots getting it on the same row? Are people just manually editing their template and throwing the button in there? I really don't want to do that because what if I want to disable the hook. When I look at the html I see the button is always wrapped with its own ul tag. Am I doing something wrong?


	<ul class='ipsList_inline'>


	   <li><a href="http://boards.streetace.com/index.php?app=core&amp;module=global&amp;section=login&amp;serviceClick=facebook" class='ipsButton_secondary'><img src="http://boards.streetace.com/public/style_images/master/loginmethods/facebook.png" alt="Facebook" /> &nbsp; Use Facebook</a></li>



	   <li><a href="http://boards.streetace.com/index.php?app=core&amp;module=global&amp;section=login&amp;serviceClick=twitter" class='ipsButton_secondary'><img src="http://boards.streetace.com/public/style_images/master/loginmethods/twitter.png" alt="Twitter" /> &nbsp; Use Twitter</a></li>

				  <div class='ipsBox_notice'>

				<ul class='ipsList_inline'>

					<li><a href="http://boards.streetace.com/index.php?app=core&amp;module=global&amp;section=login&amp;do=process&amp;use_google=1&amp;auth_key=880ea6a14ea49e853634fbdc5015a024" class='ipsButton_secondary'><img src='http://boards.streetace.com/public/style_extra/signin/login-google-icon.png' alt='Google' /> &nbsp; Use Google</a></li>

				</ul>

			</div>


	 </ul>



Tried a bunch of permutations but here's my settings for the inline login:
File hook type: Template hook
The skin group this hook is in: skin_global
The skin function this hook is in: inlineLogin
Type of template hook : if statement
The hook 'ID': twitter box
Position of template hook: (pos.endif) After the end statement ends

How can I set it up to not use the <ul> tags so that the button will position nicely?

And thanks for the nice login! :smile:

I assume you speak of the inline login or register form, one of the very reasons I added skin templates.
Ensure you are using/have upgraded to (all files and hook) 1.0.4, then go to the ACP->Look and Feel->Skin Management->{skin}->skin_google->
Relevant Templates: displayAjaxButton, displayButton, displayRegister
Also, you will want to move the hook "id" here to the ones used.
The hook id desired would be twitterBox post.endif.
Do not touch the JavaScript when making template modifications.
At stock this is designed to function without any other social login enabled, using the hook points mentioned, if FB and Twitter are disabled, the buttons would vanish.

Thanks!! Got it all sorted out now :) I didn't even know about the skin templates. I gotta say thanks again for taking the time to make a great plugin and going the extra mile to integrate it like something out of the box that didn't require hacking up external files. :thumbsup:


Hey Marcher, one suggestion, you should add an option in the UserCP to allow an already registered user to link their forum account with their Google account. Possible maybe?



:unsure: Confused me here... if the account email is validly in Google's system, they can already login with this method...
ergo, the link literally is the email, the only real reason I would have to add a UCP area would be importing activities to status updates...
see the previous answer:
http://community.invisionpower.com/topic/361879-download-sign-in-through-google/page__st__20#entry2262644
is quite moot.

I have a Google account. It's a Google Apps account.

Let's say it's:
"google@mydomain.com"

However I signed up to a forum using "forumname@mydomain.com"

How can I link my Google account with my forum profile? I can link Twitter and Facebook this way, even though I used different email accounts to register on those sites too.

I also found your simple documentation steps confusing. I had no "Create New Server Key" options at all. It said something about "Create new OpenAuth" or something, and I had to choose "Web Application" in the next screen.


Archived

This topic is now archived and is closed to further replies.
