RingCentral 3-Legged OAuth Does Not Prompt For Login Every Time

  • 0
  • 1
  • Question
  • Updated 10 months ago
  • Acknowledged
Hi,

I have implemented a RingCentral 3-legged Oauth flow on my web application and am running into the following issue:

Suppose a user clicks a "Connect" button on my website. A new window pops open with RingCentral's 3-legged oauth. The user enters their phone number, extension and password, and then they are prompted to click "Authorize".

If the user clicks "Connect" on my website again, the RingCentral oauth window opens but instead of prompting for a phone number, extension, and password, it automatically takes them to the authorize page (this is due to cookies).


Is there a way to force the user to log in every single time they attempt to use the oauth? Is there a flag I can specify that will force the user to log in?


Thank you for your help!
Photo of Yash Patel

Yash Patel

  • 130 Points 100 badge 2x thumb
  • very frustrated

Posted 2 years ago

  • 0
  • 1
Photo of Jan Ferguson, Channel Partner

Jan Ferguson, Channel Partner, Champion

  • 31,796 Points 20k badge 2x thumb
Yash,

In the setup for that functionality there is a checkbox which says, "Require caller to enter security image confirmation code." Since the confirmation code changes each time, cookies will not allow it to be used again. Do you have that checkbox marked? (See screenshot below)

(Edited)
Photo of Yash Patel

Yash Patel

  • 130 Points 100 badge 2x thumb
That solution does not work. The setting you highlight above is specific to RingMe.

I am trying to have the login page appear every single time when I open a window for 3-legged oauth.

My process is as follows:

1. I click the blue connect button on my website. The RingCentral oauth window opens:



2. I fill out the oauth window with my credentials and click "Log In". It takes me to the following page:


3. I click Authorize and the window closes.

4. Next time I click on the "Connect" button, it opens a RingCentral window but does not ask for credentials. Rather, it takes me to the "Authorize" page as shown above.


I want RingCentral to ask for credentials every single time rather than caching my previous credentials. 

Do you have any suggestions on how I can achieve this?
Photo of Jan Ferguson, Channel Partner

Jan Ferguson, Channel Partner, Champion

  • 31,296 Points 20k badge 2x thumb
Sorry...I misunderstood your post. I've never heard it referred to as "3-legged oauth", which is why I thought you were referring to RingMe since it sounded similar in procedure.

I don't have any suggestions as I don't use anything similar on my website. The only thing I can conclude is that since you are using your own login, as long as no one else has access to the computer you are using, which is storing the cookies, you should have no worries.

Otherwise, depending on which browser you are using you can deny cookies from a certain site. In that case you could refuse to accept cookies from your own website on your browser, which would require you to login each and every time.
Photo of Yash Patel

Yash Patel

  • 130 Points 100 badge 2x thumb
I want the user to be able to log in with different credentials (multiple extensions). Unfortunately the login page is being served up by RingCentral who creates and manages the cookies and so unless I manually delete the cookies, I cannot force the login page to appear.

Thus, I am wondering if there is a flag I can specify on the URL to force RingCentral to ignore cookies and show the log in page?
Photo of Jan Ferguson, Channel Partner

Jan Ferguson, Channel Partner, Champion

  • 31,296 Points 20k badge 2x thumb
I understand what you are saying but have you tried blocking cookies in the browser? No matter which application or entity is serving up the cookies, you can still block them. No cookies should equal new login screen (it does in all applications I am aware of).

Addendum: I was still working off your first post where you refer to "I". I just noticed that in this post you are referring to "the user". In that case, other than having the user block the cookies in their browser, there would be no URL which would not send a cookie as that is set up in the application design.

Block cookies in Firefox



Block cookies in Chrome
(Edited)
Photo of Shawn

Shawn

  • 62 Points
It's been a year... just wondering if there is a solution similar to what Yash recommends. The proposed solution of blocking cookies for each browser on each workstation is bad for a number of reasons, the primary one being it's virtually impossible to implement at our customer sites.  It would be better to have a querystring flag that we add to the URL to ignore cookies.
Photo of Saadet - Community Support

Saadet - Community Support, Official Rep

  • 35,376 Points 20k badge 2x thumb
Hi Shawn,

I would suggest contacting our Developers to see what options there are.