I'm trying to convert from firebase into an auth0 db, by converting firebase export data into the auth0 bulk user import format.
I have a user in firebase (under the firebase_export) section, and the firebase hash config itself (hash config below),
but I'm not clear on how the base64_signer_key fits in or the salt used in the export.
{
"firebase_export": {
"localId": "localId",
"email": "e#ma.il",
"emailVerified": true,
"passwordHash": "base64hash",
"salt": "user_salt",
"lastSignedInAt": "1649680364736",
"createdAt": "1649680237223",
"disabled": false,
"providerUserInfo": []
},
"hash_config": {
"algorithm": "SCRYPT",
"base64_signer_key": "base64_signer_key",
"base64_salt_separator": "base64_salt_separator",
"rounds": 8,
"mem_cost": 14
}
}
I think the schema should look like this, but this is not working.
(I log in to auth0 with a known password and it fails, while passing in firebase).
[
{
"user_id": $localId,
"email": $email,
"email_verified": $emailVerified,
"custom_password_hash": {
"algorithm": "scrypt",
"hash": {
"value": $passwordHash,
"encoding": "base64"
},
"salt" : {
"value": base64Decode($salt) + base64Decode($hash_config.base64_salt_separator),
// based off reading https://github.com/firebase/scrypt
"encoding":"utf8",
"position" "suffix", // based off reading https://github.com/firebase/scrypt, uses PBKDF2_SHA256 which places salt as suffix.
},
"password" : {
"encoding":"utf8"
},
"keylen": 64,
"cost": 2**$hash_config.mem_cost,
"blockSize": $hash_config.rounds,
"parallelization": 1,
},
"blocked": $disabled
}
]
Because Firebase uses a custom bcrypt rather than the standard implementation, auth0 said it is unable to import users.
Other solutions to try:
add a login callback within your code to create/update/delete users in auth0 in an async fashion, to slowly migrate users over.
pay auth0 lots of money to run a custom db migration (still slow).
migrate all users without password and say that we need all users to reset their password
all of which sound suboptimal
Related
The application I am developing is team collaboration tools. This software should prevent unauthorized access. In order to implement this, I've used user and password-based authentication with two roles available - standard user and administrator.
This was implemented entirely in Python by using SQLAlchemy for interacting with the database, and PyQt for the user interface. For authentication, I am calling User Management System to get a token:
Request Body:
{
"username": "messaing_platform",
"password": "132465"
}
Response Body:
{
"apiData": {
"navigationList": [],
"userId": "messaing_platform",
"userName": "messaing_platform",
"email": "messaing_platform#erainfotechbd.com",
"cellNo": "01255",
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVc2VySWQiOiJjcyIsIm5iZiI6MTY1OTUyNzcxOCwiZXhwIjoxNjYwMTMyNTE4LCJpYXQiOjE2NTk1Mjc3MThasdasd9.4lkEv-TpwIyYcldXfKucy3ynewhbuUFgjtdnKm7ymjE",
"page": 0,
"pageSize": 0,
"searchString": null,
"skip": 0
},
"message": "Record has been saved.",
"isExecute": true,
"totalRecord": 0
}
Now, I want to save this token in the PyQT user interface and if the token is expired, then the user should be logged out from the application. How can I do that?
Recently I had configure to use amplify with #aws-amplify/ui-react library to login Federated users.
Once login, for google user, I would get payload like
{
"id": "",
"email": "",
"name": "",
"picture": "",
"token": ""
}
Yet for facebbook user, I get similar stuff but no picture info
{
"id": "",
"email": "",
"name": "",
"token": ""
}
I had tried to update config in my Cognito for Facebook provider. However, this failed to get picture info for me.
Is it possible to make amplify's federated login through Facebook to pass me back picture info as well? I know I could just call another Facebook api to retrieve picture, but I wish this could be avoided, since Google login would return picture info automatically.
P.S.
Here's my Facebook identity providers config:
PPS.
Here's my recent Cognito attribute mapping config:
For Facebook:
and in CognitoUserSession's idToken's payload:
the picture field would include a JSON object about profile picture's information
For Google, much simpler:
and the payload:
the picture field is simply the image link
Assuming you're requesting public_profile, use "picture" from Facebook Attribute is actually correct, I do face similar problems that I couldn't receive it until i delete the userpool, and creating a new one.
The value you will get from picture should be something like this
{
"data": {
"height": 50,
"is_silhouette": false,
"url": "https://platform-lookaside.fbsbx.com/platform/profilepic/?etcetcetcetc",
"width": 50
}
}
For my React Native app I am using Parse JS SDK and hosted Parse Server on Back4app.
When I try to register a new user, the user is not authenticated because the response does not return a sessionToken.
However, once the user is in the db and signs in a sessionToken is returned and the user is authenticated successfully.
Request
The request is the same for sign in/up.
await Parse.User.logInWith('google', {
// auth data received from #react-native-community/google-signin
authData: {
id,
id_token: token
}
})
Response on initial Sign Up
The response is supposed to return a sessionToken which is missing. So the user is not authenticated and modifications on the user object are not possible.
{
"authData": {...},
"createdAt": "...",
"objectId": "...",
"updatedAt": "...",
"username": "..."
}
Response on sign in after user was created
{
"ACL": {...},
"authData": {...},
"createdAt": "...",
"objectId": "...",
"sessionToken": "...",
"updatedAt": "...",
"username": "..."
}
I don't use any cloud code. Just a simple auth flow with Google oAuth.
Any help is highly appreciated.
Edit: same issue for 'sign in with Apple'
As far as I know, according to the Official Documentation, Parse will respond 200 (HTTP OK) and include the Session Token only when it verifies the user is already associated with the OAuth authentication data.
So, again, as far as I know, the very first request when you create the user, will not contain the sessionToken.
Take a look to this tutorial https://www.thinkertwin.com/how-to-setup-google-oauth2-login-with-parse-server-in-react/
Here there is an explanation on how to setup your Cloud Code. It's for React, but with small adjustments it will work for React Native.
You also need Cloud Code as you need to store your Client ID and Secret. You don't want to have those on your public application
I'm using amazon-cognito for my application user access.
I have two different groups inside my user pool.
I want to send differenet email to each user depends on the group he belongs to.
The problem is that the email verification is sent when the user is created at the pool and not after he's linked to a group.
Is there a way do to it?
Any help? advices?
After a lot of digging, I've figured out a solution.
The solution is to use AWS Cognito Lambda.
Use AWS Cognito Lambda for SignUp or AdminCreateUser events depends on your application architecture.
When a user is created either with SignUp or AdminCreateUser functions, there's an option to pass metadata with clientMetadata entry at the object.
For example (from AWS Docs):
{
"ClientMetadata": {
"string" : "string"
},
"DesiredDeliveryMediums": [ "string" ],
"ForceAliasCreation": boolean,
"MessageAction": "string",
"TemporaryPassword": "string",
"UserAttributes": [
{
"Name": "string",
"Value": "string"
}
],
"Username": "string",
"UserPoolId": "string",
"ValidationData": [
{
"Name": "string",
"Value": "string"
}
]
}
According to docs:
clientMetadata
One or more key-value pairs that you can provide as
custom input to the Lambda function that you specify for the pre
sign-up trigger. You can pass this data to your Lambda function by
using the ClientMetadata parameter in the following API actions:
AdminCreateUser, AdminRespondToAuthChallenge, ForgotPassword, and
SignUp.
So, pass the group inside the clientMetadata as an entry:
"ClientMetadata": {
"Group": "MyNiceGroup"
},
...
Inside the lambda implementation, according to the incoming group decide which email to dispatch.
I can request a token for a user by visiting the following url:
https://trello.com/1/connect?key=<key>&name=appName&response_type=token&scope=read,write&expiration=never
However, when I request the token's info through the API, I get a response that looks like this:
{
"id": "...",
"identifier": "appName",
"idMember": "...",
"dateCreated": "2015-10-15T05:21:19.886Z",
"dateExpires": null,
"permissions": [
{
"idModel": "*",
"modelType": "Board",
"read": true,
"write": true
},
{
"idModel": "*",
"modelType": "Organization",
"read": true,
"write": true
}
]
}
I'd like to be able to request a token only grant privileges to a specific organization. But I can't seem to find clear documentation on what kinds of options the /1/connect endpoint accepts, or what other method I can use to obtain a token for a specific organization that does not expire.
I could make a machine user with access only to the organization, but it would be a shame to pay for another user account when I only want a subset of the permissions I already have.
I don't think that would be possible as you just authenticate against the API as that user and therefore have the ability to see everything that user can. The only way I'm aware of would be (as you suggested) to create a new user and limit what they can see.