I have literally followed these steps from Auth0 blog to implement SSO in NodeJS with express.
Then, in Auth0 dashboard > Authentication > Enterprise > SAML, I've added a SAML connection to our Active Directory IdP.
The tutorial above requests these scopes:
scope: "openid email profile"
But our AD SAML IdP can (and should) provide us with the groups claim.
I've tried all the steps bellow, but still no "groups" on the id token that i get back from Auth0.
This is all that I'm getting back every time:
(no "groups")
{
"sub": "samlp|My-Company|Myemail#mycompany.com",
"given_name": "John",
"family_name": "Doe",
"nickname": "johndoe",
"name": "Doe, John",
"picture": "https://mycompany.com/avatar.john.doe.png",
"updated_at": "2022-11-23T13:29:49.197Z",
"email": "Myemail#mycompany.com"
}
I've tried a few things:
I've changed the scope above to scope: "openid email profile groups", but got no groups back on the ID token.
I've also tried adding another request parameter called claims, following this spec sheet. But since claims must be a JSON, and Auth0 strategy sends all in the URL, it didn't work. Either claims goes empty, or if I stringify+urlencode, Auth0 calls us back with an error saying it couldn't parse the JSON (and that is a good sign!!). I then tried just stringifying (without urlencoding) the JSON, and it was successfully sent over the URL, but i still got no groups back on the id token.
On Auth0 dashboard > authentication > enterprise > SAML > our connection > Mappings, i've clicked on "Show full mappings example" and used the example as is. It does include "groups"! But it didn't work either. On the id token that I get back, there are no groups.
On Auth Pipeline > Rules > i added a new rule based on the template called "SAML Attributes mapping". This was promising, and I added these lines:
{ ...
"http://schemas.xmlsoap.org/claims/Group": "group" ,
"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "groups"
...}
Again, no "group" or "groups" property on the ID token.
Thank you very much.
Related
I am trying to login using token-based Auth, because we are using Odoo-web module in mobile-app.
currently using GET-method url-passing approach which is "UNSECURE" on websites without SSL certificates and localhost-websites, as
myurl.com?username=foo&password=bar
How can I do that using Token based approach or passing credentials in POST-method, in Odoo-12?
Edit 1:
I found this authenticate() method in core-modules of odoo in http-controllers file and I am calling that only now, as:
request.session(db, username, password)
but I wanted it to be token based without hardcoding password as different passwords for different partners, which I can't hardcode and it's bad approach.
how can I do it by passing token and validating it?
You can use the authenticate endpoint provided by odoo to create a session for your api user.
In the following requests you then use the session id to process operations.
Example call to /web/session/authenticate with body:
{
"jsonrpc": "2.0",
"method": "call",
"id": 1,
"params": {
"db": "<YOUR-DB>",
"login": "<YOUR#LOGIN.COM>",
"password": "<YOUR-PASSWORD>"
}
}
You can find a description of the endpoints in https://github.com/odoo/odoo/blob/12.0/odoo/http.py
I want to use the lambda feature of FusionAuth to populate the JWT depending on which app the user logins, because a same user can log into different apps and have several roles or groups in it. I don't want the JWT being populating of every role, being a role action that the user can make into the app(following the NIST RBAC model it will be permissions like 'read:attentions' or 'delete:tests') because it could be dozens of them (syze reasons), instead of that i want the JWT to be populated with the Groups the user has it that specific app. I tried assigning the roles property with empty array but not succeed. I know that the tool by default dont allow you to change the roles property, but there is a way to delete it?.
function populate(jwt, user, registration) {
jwt.group = registration.data.group;
jwt.roles = [];
}
Anyway the token keeps having the roles, how can i remove them?
{
"aud": "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx",
"exp": xxxxxxx,
"iat": xxxxxxx,
"iss": "acme.com",
"sub": "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx",
"authenticationType": "PASSWORD",
"email": "xxxxxxx#mail.com",
"email_verified": true,
"applicationId": "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx",
"roles": [
"read:attentions",
"write:attentions"
],
"group": "financer"
}
The roles claim is reserved by FusionAuth and cannot be modified by a Lambda. There is an open feature that is scheduled to be complete in the upcoming release to loosen this restriction.
Once this feature is delivered you will have the option to remove or modify the roles claim.
The current reserved claims are outlined in the JWT Populate Lambda documentation.
I have been trying to create an app in Zapier for one of my project. On the very first step, I am doing Authentication where I choose "Basic Auth" method. I have set API URL along with details, however cannot see the expected result and seeing error in my API return value. After debugging, I found that API doesn't get the value I pass thru the Zapier. I have checked the same API in postman and it works, however it only doesn't work thru the Zapier.
Below is even more detail how I proceed, what is expected result and what I am getting:
Process we're following
We have created an App
We went to Authentication step, there we have selected “Basic Auth” option
Under the Basic Auth, we have configure with setting end point and method is “Post”
We have set our field names as Key and as value we have set “{{bundle.authData.password}” and “{{bundle.authData.username}}” in order to field mapping
Then came to Step 2 to test the authentication
Under the “Test Setup”, we have connected the current Zapier account and clicked on “Test Authentication”
This process doesn’t post any value in parameters. Hope I could explain the issue, please help us to find where we’re going wrong.
Expected Result
{
"data": {
"first_name": "Dhaval",
"last_name": "Parekh",
"email_address": "dhaval.php#gmail.com",
"phone_no": "1234567890",
"user_id": "7oiA****",
"token_id": "zNkzT***"
},
"resend_verification_link": false,
"status": true,
"message": "You have successfully Logged in!!"
}
Actual Result
{
"resend_verification_link": false,
"status": false,
"message": "The password must contain a minimum of one lower case character. one upper case character, one digit"
}
What I understand after spending too much time, is it doesn't send the data with post method and hence I'm getting this issue. While it works fine with the Get Method. So, should I consider that Basic Auth will only with work with "Get" method in Zapier? Or I'm missing any piece to include here?
Please let me know what is missing? Or even I'm going thru the wrong root. I want to create an app in Zapier to allow other apps to connect.
Question about security for POST method of HTTP:
I made a user called "MyAPP":
{
"userdef": [
"view",
"create"
],
"api_key": "dzn8k7hj2sdgddlvymfmefh1k2ddjl05",
"user_id": "MyAPP",
"name": "MyAPP",
"creator": "admin",
"edit": [],
"dbdef": [
"view",
"create"
],
"querydef": [
"view",
"create"
],
"databases": {
"Gaming": {
"dbuser": "mydbuser_here",
"dbpass": "mypass_here"
}
},
"password":
"$6$rounds=665736$x/Xp0k6Nj.5qzuM5$G.3w6Py1s.xZ83RHDU55qonNMpJe4Le8nD8PqjYKoOtgbab7T22knJPqwHspoT6BQxp.5gieLFuD0SdD9dyvi/",
"email": "",
"view": []
}
Then I wanted to issue a POST in order to execute a SQL Pass-thru
such as this:
http:///query/InsertBestScore/Score/99/ScreenName/GollyGolly.xml?apikey=dzn8k7hj2sdgddlvymfmefh1k2ddjl05
Where I built a query and named it "InsertBestScore":
insert into Gaming.Leaderboard
(ScreenName, Score)
values
(:ScreenName, :Score);
If I run this via POSTMAN using the POST method:
... then I get an access, 403 :
<?xml version="1.0" encoding="utf-8"?>
<SlashDB>
<http_code>403</http_code>
<description>Access was denied to this resource. Please log in with your username/password or resend your request with a valid API key.</description>
<url_template>/query/InsertBestScore/Score/{Score}/ScreenName/{ScreenName}.xml</url_template>
</SlashDB>
Also, I would be calling this POST (or PUT) request from an application, in my case a Python program running from within a AWS Lambda Function.
Now, I came across this in the documentation:
Two parameters API key
SlashDB also allows a two parameters credentials in this authentication method - app id and api key. This may come handy when integrating with API management systems like 3Scale. By default header and query string argument would be:
• appid - identifies certain application
• apikey - secret for the application
Request with API key in header - Access granted
... however in the example above, I don't see where the appid comes into play.
Can you tell me how one would call the SlashDB endpoint and pass a APIkey and assure that the userid is known as MyAPP.
So, to sum up, the Documentation mentions:
• Another application utilizes an API key to authenticate, which is sent with every request. The application is recognized as SlashDB user App2, which uses database login db_admin. Effectively this application can SELECT, UPDATE, INSERT and DELETE data.
So I want to actually, do just what is in that bullet: Identify myself as the user (instead of App2, I'm user MyAPP), and then use the dbuser and dbpass that was assigned to access that "Gaming" database.
Idea?
Make sure you've given user MyAPP permission to execute the query.
To do so:
login as admin,
go to Configure -> Queries,
open your query definition,
update field Execute. It accepts comma separated user ids.
OK, there are really two questions here:
Why was access denied?
What is the appid and how to use it.
Ad. 1: There are two authorization barriers that the request has to clear.
The first one is imposed by SlashDB in that the user executing the query must be listed in the Execute field on the query definition screen. This is done under Configure -> Queries -> "edit" button on your query.
The second barrier is imposed by the database. The SlashDB user who is executing your POST request must be mapped to a physical database user with INSERT privileges to the Gaming.Leaderboard table. It goes without saying that this database user must be associated with the database schema in which the table exists.
Ad. 2. To enable the appid the user api key must be composed out of two parts separated by colon ":". The first part will be interpreted as the appid and the second will be the apikey.
To do that, use Configuration -> Users -> 'edit' button for the user in question. Then simply add a colon at the beginning of the API key and type in your desired appid to the left of the colon. The app will have to supply both keys to execute the request. Note that the names of those keys (i.e. appid) are configurable in /etc/slashdb/slashdb.ini.
The reasoning behind this feature is to facilitate API Management platforms, which can help with key management, especially when API will be exposed to third party developers.
I was using dreamfactory and was trying to create users with different roles and use those to send requests however those users aren't working for me. The admin users are however. I don't understand why that is.
Below are the steps I've taken;
In the admin console, click the Roles tab then click Create in the left sidebar.
Enter a name for the role and check the Active box.
Go to the Access tab.
Add a new entry under Service Access (you can make it more restrictive later).
set Service = All
set Component = *
check all HTTP verbs under Access
set Requester = API
Click Create Role.
Click the Services tab, then edit the user service. Go to Config and enable
Allow Open Registration.
Set the Open Reg Role Id to the name of the role you just created.
Make sure Open Reg Email Service Id is blank, so that new users can register without email confirmation.
Save changes.
Then I registered the user incognito mode
I used a google extension rest client called Postman to make the request
In postman I used Basic Auth entered the username and password and sent the request
{
"error": {
"context": null,
"message": "Access Forbidden.",
"code": 403
}
...
Above is the result I got when I use the user I just registered. However when I use the admin username and password, I get the following response.
Status 200 OK
{"resource": [{"name": "_schema"},{"name": "_table"},{"name": "_proc"},{"name":"_func"}]}
which is the result I want for the other users.
Please let me know what I did wrong so I can fix it. Thanks again for all your help
I have configured my system the same and will walk through the steps. This is done on the 06 Oct 2015 commit of DreamFactory 2.0 beta.
First, to register a user:
POST /api/v2/user/register
X-DreamFactory-Api-Key: 0d430cc287b5dd88b0f615d2bb69d84ba7201e8d4214fee2eabcc96bcd937d7d
{
"email": "user#domain.com",
"first_name": "Basic",
"last_name": "User",
"display_name": "Basic User",
"new_password": "password"
}
Response: {"success":true}
Next, to login as that user:
POST /api/v2/user/session
X-DreamFactory-Api-Key: 0d430cc287b5dd88b0f615d2bb69d84ba7201e8d4214fee2eabcc96bcd937d7d
{
"email": "user#domain.com",
"password": "password"
}
Response:
{
"session_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjMsInVzZXJfaWQiOjMsImZvcmV2ZXIiOmZhbHNlLCJpc3MiOiJodHRwczpcL1wvZGVtby5lbnRlcnByaXNlLmRyZWFtZmFjdG9yeS5jb21cL2FwaVwvdjJcL3VzZXJcL3Nlc3Npb24iLCJpYXQiOiIxNDQ0Njc1NDU0IiwiZXhwIjoiMTQ0NDY3OTA1NCIsIm5iZiI6IjE0NDQ2NzU0NTQiLCJqdGkiOiIyMjFiYTg5M2E2YTc4OThlNDdlZGI4MGY5YjVkY2M2ZCJ9.V8y2B_2vlh8QdFhRqyuSG8SbfIVe8g71RvNjKoW2Bi8",
"session_id":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjMsInVzZXJfaWQiOjMsImZvcmV2ZXIiOmZhbHNlLCJpc3MiOiJodHRwczpcL1wvZGVtby5lbnRlcnByaXNlLmRyZWFtZmFjdG9yeS5jb21cL2FwaVwvdjJcL3VzZXJcL3Nlc3Npb24iLCJpYXQiOiIxNDQ0Njc1NDU0IiwiZXhwIjoiMTQ0NDY3OTA1NCIsIm5iZiI6IjE0NDQ2NzU0NTQiLCJqdGkiOiIyMjFiYTg5M2E2YTc4OThlNDdlZGI4MGY5YjVkY2M2ZCJ9.V8y2B_2vlh8QdFhRqyuSG8SbfIVe8g71RvNjKoW2Bi8",
"id":3,
"name":"Basic User",
"first_name":"Basic",
"last_name":"User",
"email":"user#domain.com",
"is_sys_admin":false,
"last_login_date":"2015-10-12 18:44:14",
"host":"console",
"role":"basic",
"role_id":1
}
Since you tried using basic auth, I did too:
GET /api/v2/db
X-DreamFactory-Api-Key: 0d430cc287b5dd88b0f615d2bb69d84ba7201e8d4214fee2eabcc96bcd937d7d
Authorization: Basic dXNlckBkb21haW4uY29tOnBhc3N3b3Jk
Response:
{
"resource":
[
{"name":"_schema"},
{"name":"_table"},
{"name":"_proc"},
{"name":"_func"}
]
}
Docs for DreamFactory 2.0: http://wiki.dreamfactory.com/DreamFactory/API
In-depth docs for each possible API call may be found in the API Docs tab of a DreamFactory instance. API Docs are automatically generated and self-documenting, using Swagger UI.