[Azure AD Mobile Plugin]  Microsoft Login Connector & Best practices with user accounts

Forge Component
Published on 2019-01-16 by Pedro Costa
7 votes

I'm using Microsoft Login Connector to provide authentication for a web application. Now I am wondering, how should I handle per-page authentication checks?

I used the following idea:

When authenticated (on the callback page), I will check if the proper info is available in the Token and grant the current user a user role:


Yet I'm not sure if there's really such a thing as a "current user" in this case when I'm not using the built-in User Manager.

From there, I will redirect the user to the application main flow and all those interfaces require ADAuthenticatedRole for access. To this point, does this approach make any sense?

Can I trust that role checking, or should I insert some kind of GetUserInfoByUserID() check in every Preparation and action to check if the token is still OK?

This sounds like an easy way of doing it, but I'm not sure at all that this is the elegant and security-wise correct way to do it.

Hi


Do you create a user after Microsoft authentication? From there you can use all the features OutSystems makes available to an authenticated user (grant permissions, screen permissions, user id session, ...). I see no need to check the token in the Preparation of each screen.


After the session expires or the user logs out, I see two options:

1. Force a new Microsoft login, verify that the user already exists, and authenticate again.

2. Get the username, search in the database, get the token and refresh token. If the token is valid, call user_login; else, call the Microsoft authentication page.


Regards

I'm not creating a user anywhere, but I accidentally have the same user email for one user in my local Users app. Is there some magic behind the scenes that automagically connects these two? Because I'm not actively creating any users, but I can still use GetUserId() functions and such.


Pedro, are you saying that creating a local user is the best practice in this case? For me, it feels like that can certainly be true, and usually services have their own user databases even if they're using external authenticators.

But if I create the user when logging in, do I need to manage all data refreshes etc. as well? And should I just generate some long password for the local user? Or how should I approach this?

Solution

Jasmo Hiltula wrote:

I'm not creating a user anywhere, but I accidentally have the same user email for one user in my local Users app. Is there some magic behind the scenes that automagically connects these two? Because I'm not actively creating any users, but I can still use GetUserId() functions and such.

I think there is no way to connect local users with external users automatically. One way is mapping the attributes on some entity. For example, this could be an email or an identifier returned by the Microsoft authentication response (and you can save this value in the Users / External_Id attribute: "The user identifier on a platform external system.").


Pedro, are you saying that creating a local user is the best practice in this case? For me, it feels like that can certainly be true, and usually services have their own user databases even if they're using external authenticators.

I particularly think it's the right way.

But if I create the user when logging in, do I need to manage all data refreshes etc. as well? And should I just generate some long password for the local user? Or how should I approach this?

You must define a unique attribute to handle the data correctly, for example: username = email. So your system must ensure that there are no users with the same username (email). Whenever logging in via Microsoft authentication, you should check for a user with that username (email) and update their information.


See the Microsoft Login Connector example: https://www.outsystems.com/forge/component-overview/3275/microsoft-login-connector


GetToken Action


Outsystems Login (Create Local User)


Regards
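As an added example of the approach in this answer and in the original question (it is not code from the Microsoft Login Connector, from OutSystems, or from either poster): on each Microsoft login, find the local user by the stored External_Id or by the unique e-mail, create or link the record, then let the session and its role gate the screens rather than re-checking the token in every Preparation. `UserStore`, `LocalUser`, `Session`, `user_login` and `can_access` are stand-ins for the platform's Users entity, User_Login action and role checks; the claim names (`oid`, `preferred_username`, `name`, `exp`) are those of an Azure AD ID token, and the claims are assumed to come from a token the connector has already validated.

```python
# Added illustration in plain Python; the store, session and action names are
# assumptions standing in for OutSystems' Users entity, User_Login and roles.
import time
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    user_id: int
    username: str                 # unique key: the e-mail, as the answer suggests
    name: str
    external_id: str = ""         # provider's stable subject id (Users.External_Id)
    roles: set = field(default_factory=set)
    # No password attribute: in this design login only ever goes through the provider.


class UserStore:
    """In-memory stand-in for the Users entity; enforces the unique-username rule."""

    def __init__(self):
        self._users = {}          # user_id -> LocalUser
        self._next_id = 1

    def find_by_external_id(self, external_id):
        return next((u for u in self._users.values()
                     if external_id and u.external_id == external_id), None)

    def find_by_username(self, username):
        return next((u for u in self._users.values() if u.username == username), None)

    def create(self, username, name, external_id=""):
        if self.find_by_username(username) is not None:
            raise ValueError(f"username {username!r} already exists")
        user = LocalUser(self._next_id, username, name, external_id)
        self._users[user.user_id] = user
        self._next_id += 1
        return user


class IdentityConflict(Exception):
    """The e-mail already belongs to a local user linked to a different external identity."""


def provision_user(store, claims, now=None):
    """
    Return the local user for a validated set of ID-token claims, creating or
    linking one on first login. Assumes the connector already verified the
    token's signature, issuer and audience; only the expiry is re-checked here
    so a stale callback cannot open a session.
    """
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        raise ValueError("token expired")

    external_id = claims["oid"]                       # stable per Azure AD user
    email = claims["preferred_username"].strip().lower()   # case-insensitive key
    name = claims.get("name", email)

    user = store.find_by_external_id(external_id)
    if user is None:
        user = store.find_by_username(email)
        if user is not None and user.external_id and user.external_id != external_id:
            # Same e-mail, different provider subject: do not silently merge accounts.
            raise IdentityConflict(email)
        if user is not None:
            user.external_id = external_id            # link the pre-existing local user
        else:
            user = store.create(email, name, external_id)

    user.name = name                                  # refresh profile data on each login
    user.roles.add("ADAuthenticatedRole")             # the role the screens will require
    return user


@dataclass(frozen=True)
class Session:
    user_id: int
    roles: frozenset


def user_login(user):
    """Stand-in for User_Login: the session carries the local user id and roles."""
    return Session(user.user_id, frozenset(user.roles))


def can_access(session, required_role):
    """Per-screen check against the session; the token is not consulted again."""
    return session is not None and required_role in session.roles
```

The e-mail is only a fallback for linking an account that already existed locally; once a record carries an External_Id, that identifier is what matches on later logins, and an e-mail that already belongs to a differently linked user is rejected instead of merged.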


Thanks for help and wisdom :)