User has a custom attribute phoneNumber in Keycloak.
There is a default method for fetching a token using username and password, but would it be possible to authenticate using phoneNumber / password instead of username / password?
curl \
-d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
-d "username=$UNAME" -d "password=$PASSWORD" \
-d "grant_type=password" \
"$KEYCLOAKHOST/auth/realms/$REALM/protocol/openid-connect/token"
What call should I use to authenticate using a custom attribute in UserModel?
After looking around, it seems to me that you will not have that functionality provided by Keycloak out of the box. With the current Keycloak implementation, it would not be feasible to use:
curl \
-d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
-d "phoneNumber=$PhoneNumber" -d "password=$PASSWORD" \
-d "grant_type=password" \
"$KEYCLOAKHOST/auth/realms/$REALM/protocol/openid-connect/token"
because Keycloak itself neither checks that the user attribute phoneNumber is a valid number nor checks that it is unique. This last constraint is fundamental for obvious reasons, which is why Keycloak enforces that usernames are unique.
So you can try to extend Keycloak with that functionality, which was recently done in a production environment. Fortunately, the developer was nice enough to share that functionality for others to implement; check this Red Hat blog post by the developer detailing the implementation.
However, if you only want to use the "default method for fetching" that you posted in the question, then what you can do is simply require that the username itself be the mobile phone number (similar to the WhatsApp approach), which is not as bad as it sounds because 1) Keycloak enforces that usernames are unique, and 2) Keycloak still has the first name and last name fields to identify users by name.
Now the tricky part is to ensure that during user registration the user really enters a valid phone number and not some random string. For that, you can either again extend Keycloak and validate it there (however, if you are going this route you might as well use the feature from the Red Hat blog post), or manage the user registration with your own app, which would force the user to add a valid phone number by relying on some SMS verification feature; after the validation is performed, the app itself would register the user in Keycloak with the username field set to the user's phone number.
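The second option in the answer above (your own registration front end that validates the phone number and then creates the Keycloak user with the number as username), as an added example that is not part of the original answer. It is not Keycloak project code. It assumes a hypothetical host and realm (`keycloak.example.com`, `myrealm`), the pre-Quarkus `/auth` URL prefix used in the question, the `admin-cli` client of the master realm for the admin token, and that SMS verification of the number has already happened elsewhere; the admin REST endpoints, the UserRepresentation fields and the 201/409 status codes are Keycloak's own.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical deployment values; assumptions for this example, not from the thread.
KEYCLOAK_HOST = "https://keycloak.example.com"
REALM = "myrealm"

# E.164: leading '+', country code starting 1-9, 8 to 15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{7,14}$")


def normalize_phone(raw: str) -> str:
    """Strip common separators and require E.164 form.

    Keycloak does not validate the value, so this is where a random string
    gets rejected before it can ever become a username.
    """
    compact = re.sub(r"[\s().-]", "", raw)
    if not E164.match(compact):
        raise ValueError(f"not a valid E.164 phone number: {raw!r}")
    return compact


def user_representation(phone: str, password: str, first_name: str, last_name: str) -> dict:
    """Build the UserRepresentation for POST /admin/realms/{realm}/users.

    The (normalized, already SMS-verified) phone number becomes the username, so
    Keycloak's username uniqueness check enforces phone uniqueness for free. The
    number is kept as the phoneNumber attribute as well, for display and search.
    """
    return {
        "username": phone,
        "enabled": True,
        "firstName": first_name,
        "lastName": last_name,
        "attributes": {"phoneNumber": [phone]},
        "credentials": [{"type": "password", "value": password, "temporary": False}],
    }


def _post(url: str, data: bytes, headers: dict) -> tuple[int, bytes]:
    """POST and return (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def admin_token(admin_user: str, admin_password: str) -> str:
    """Admin access token from the master realm via the admin-cli client."""
    body = urllib.parse.urlencode({
        "client_id": "admin-cli", "grant_type": "password",
        "username": admin_user, "password": admin_password,
    }).encode()
    status, payload = _post(
        f"{KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token",
        body, {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"admin login failed: {status} {payload!r}")
    return json.loads(payload)["access_token"]


def register_phone_user(token: str, rep: dict) -> str:
    """Create the user; 201 = created, 409 = that phone number is already a username."""
    status, payload = _post(
        f"{KEYCLOAK_HOST}/auth/admin/realms/{REALM}/users",
        json.dumps(rep).encode(),
        {"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    if status == 201:
        return "created"
    if status == 409:
        return "duplicate"
    raise RuntimeError(f"unexpected response: {status} {payload!r}")


def phone_login(phone: str, password: str, client_id: str, client_secret: str) -> dict:
    """The unchanged password grant from the question, with the phone as username."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret, "grant_type": "password",
        "username": normalize_phone(phone), "password": password,
    }).encode()
    status, payload = _post(
        f"{KEYCLOAK_HOST}/auth/realms/{REALM}/protocol/openid-connect/token",
        body, {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"login failed: {status} {payload!r}")
    return json.loads(payload)


if __name__ == "__main__":
    phone = normalize_phone("+1 (415) 555-0100")          # constructed sample input
    rep = user_representation(phone, "S3cret!pass", "Gomez", "Adams")
    tok = admin_token("admin", "admin-password")           # hypothetical admin credentials
    print(register_phone_user(tok, rep))
    print(phone_login(phone, "S3cret!pass", "my-client", "my-client-secret")["token_type"])
```

A second registration with the same number returns "duplicate" because the username is taken, which is exactly the uniqueness guarantee the answer relies on; the same script cannot give that guarantee for a free-form attribute.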
Is it possible to "simulate" a user using the master key? I would like this feature to test what the user can really see in the application and verify that he does not have access to some parts of it, etc.
Is this possible without knowing the password of the user?
If you want to test how users, roles, and permissions work, a simple way to do it is to make command-line REST requests against the parse-server. Here's the guide.
You should be able to go into your parse dashboard and locate a user, look at their session token and then use that in queries to simulate that user's permissions.
With a session token, you can query objects in parse like this:
$ curl \
-X GET \
-H "X-Parse-Application-Id: ABC123" \
-H "X-Parse-Session-Token: r:XXXXXX" \
-H "Content-Type: application/json" \
https://cloud.so.good/parse/classes/Product
For a complex system, you'll want to cover your cloud code with tests to ensure that all is working as expected. A good place to start would be parse-server's extensive test coverage, including ACLs.
You can create a Parse.Session object for the particular user, setting the user and expiresAt fields. After creating the object, get the sessionToken key from the object.
Then for any request you are trying to make, you will set the X-Parse-Session-Token header to be the value of the session token.
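Both answers above boil down to "query with the user's session token and see what comes back". The added example below (not part of either answer, and not parse-server code) turns that into an ACL audit: it fetches a class with the master key (which returns every object together with its ACL), fetches the same class with the user's X-Parse-Session-Token, and compares the server's behaviour against a local evaluation of each object's ACL. The server URL, application ID and master key are hypothetical placeholders; the ACL JSON shape (`"*"`, a user objectId, or `"role:Name"` as keys, each with `read`/`write` booleans, no ACL meaning public) is Parse's own. Role membership is passed in by the caller rather than resolved through the _Role class.

```python
import json
import urllib.request

# Hypothetical server and keys; assumptions for this example, not from the thread.
PARSE_URL = "https://cloud.so.good/parse"
APP_ID = "ABC123"
MASTER_KEY = "MASTER_KEY_PLACEHOLDER"


def can_read(acl, user_id, roles=()):
    """Evaluate a Parse ACL for a read by user_id holding the given roles.

    acl is the object's ACL dict, e.g. {"*": {"read": True},
    "<objectId>": {"read": True, "write": True}, "role:Admin": {"read": True}}.
    A missing ACL means the object is publicly readable and writable.
    """
    if acl is None:
        return True
    if acl.get("*", {}).get("read"):
        return True
    if user_id and acl.get(user_id, {}).get("read"):
        return True
    return any(acl.get(f"role:{r}", {}).get("read") for r in roles)


def expected_visible(objects, user_id, roles=()):
    """objectIds the user should see according to the objects' ACLs."""
    return {o["objectId"] for o in objects if can_read(o.get("ACL"), user_id, roles)}


def _get(path, headers):
    req = urllib.request.Request(
        f"{PARSE_URL}{path}", headers={"X-Parse-Application-Id": APP_ID, **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())["results"]


def fetch_all(class_name):
    """Every object including its ACL field; the master key bypasses ACLs."""
    return _get(f"/classes/{class_name}?limit=1000", {"X-Parse-Master-Key": MASTER_KEY})


def fetch_as_user(class_name, session_token):
    """What the user actually gets when queried with their session token."""
    return _get(f"/classes/{class_name}?limit=1000", {"X-Parse-Session-Token": session_token})


def acl_audit(class_name, session_token, user_id, roles=()):
    """Return (unexpected, missing): ids the user saw but should not, and vice versa."""
    everything = fetch_all(class_name)
    seen = {o["objectId"] for o in fetch_as_user(class_name, session_token)}
    should = expected_visible(everything, user_id, roles)
    return seen - should, should - seen


# Constructed sample, shaped like a master-key query result (ACLs included).
SAMPLE_OBJECTS = [
    {"objectId": "pub1", "ACL": {"*": {"read": True}}},
    {"objectId": "own1", "ACL": {"u1": {"read": True, "write": True}}},
    {"objectId": "adm1", "ACL": {"role:Admin": {"read": True}}},
    {"objectId": "open"},                                   # no ACL: public
    {"objectId": "priv", "ACL": {"u2": {"read": True}}},
]

if __name__ == "__main__":
    print(sorted(expected_visible(SAMPLE_OBJECTS, "u1")))
    print(sorted(expected_visible(SAMPLE_OBJECTS, "u1", roles=("Admin",))))
    # Against a live server: acl_audit("Product", "r:XXXXXX", "u1", roles=("Admin",))
```

If `acl_audit` returns a non-empty first set, the server is showing the user something its ACL says it should not see, which is the kind of finding the question is after; a non-empty second set usually means a class-level permission or a role membership the local model does not know about.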
I have spent a lot of time in the documentation and this Q/A forum but have still not ascertained the information I need/understand. The model that I am working with does not exactly meld with WSO2IS very well. The programmer is set in their ways and will not budge on change; nothing I can do about that. They are just after the security that is provided by WSO2IS. So here is the programmer's model, NOT SSO.
user->web_site->wso2is authorization->website
It is to have every user log in every time. What they want from WSO2IS is to send user_name, password and company_id and to get back valid/invalid and a set of permissions. External ID should work well as a claim for the company ID.
I have been able to create a user, but not able to add a role for that user, and I have not been able to get authorization. I can get some of the information about the user via SCIM: curl -v -k --user admin:admin https://wso2-dev.h3net.com:9443/wso2/scim/Users/d9bef03a-ddcf-44fc-a431-3b71e618b61e
What I need are 3 curl commands (REST-like commands).
Here's what I have for adding a user: curl -k -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{"user":{"username":"Gomez","realm":"PRIMARY","password":"Password1!","claims":[{"uri":"http://wso2.org/claims/givenname","value":"Gomez"},{"uri":"http://wso2.org/claims/emailaddress","value":"bnpatton@west.com"},{"uri":"http://wso2.org/claims/lastname","value":"Adams"},{"uri":"http://wso2.org/claims/mobile","value":"1234567890"}]},"properties":[]}' "https://wso2-dev.h3net.com:9443/api/identity/user/v0.9/me"
This does not show how to add a role for the user, just claims.
With something like the above, how would I do the following:
1. add roles to a user
2. authorize a user when I only have user_name, password and company_id (external_id claim)
3. return permissions with the authorization, or with a separate curl command?
Question 1
You can refer to this comment for adding roles to the user using the SCIM API.
Question 2
In this case, you can use XACML for claim-based authorization. Please refer to this blog for the implementation.
Question 3
The WSO2IS server works as the policy decision point (PDP). Based on the decision, you can access the resource on the resource server.
I want to share data between multiple devices and users, running a CouchDB server on iriscouch.com and using couchbase-lite on iOS and Android. Users should be able to log in with Facebook and email. How do I handle user access to specific documents? I don't want anyone to be able to access the documents and databases. I thought about using HTTP basic auth (replication security), hard-coding the username and password into the app code. Unfortunately it is sent as plain text and seems totally insecure. Can you help me out with some ideas about this scenario?
You can use SSL encryption for security. Please refer to the link for enabling SSL:
https://wiki.apache.org/couchdb/How_to_enable_SSL.
I had a similar problem while using Basic Auth, hence we had to use SSL to make it more secure.
You can follow this method if you want to use Basic Auth.
1. Encode the username and password
ex: username@password, which after encoding becomes dXNlcm5hbWVAcGFzc3dvcmQ=
(use https://www.base64encode.org/ to encode).
2. Using curl, try to authenticate
curl -v -H "Authorization: Basic dXNlcm5hbWVAcGFzc3dvcmQ=" -H "Content-Type: application/json" -X GET IP_Address_and_DatabaseName
In this way you can hide the username and password, but anyone can still have the encoded string. Hence, if possible, try to implement SSL.
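To make the answer's caveat concrete, here is an added example (not from the answer above, and not CouchDB code) that builds a Basic Authorization header the way RFC 7617 defines it (`username:password`, base64-encoded), then recovers the credentials from that header with a few lines, which is all an observer on plain HTTP has to do, and finally refuses to attach the header to anything but an https URL. The database URL and credentials are constructed placeholders; the hard-coded-in-the-app problem from the question is not addressed by this script, only the transport problem.

```python
import base64
import binascii
import json
import urllib.parse
import urllib.request


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 Basic credentials: base64("user:password"). Encoding, not encryption."""
    if ":" in username:
        raise ValueError("username must not contain ':' (it is the separator)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_credentials(header: str) -> tuple:
    """What anyone who sees the header can do: undo the base64 and split on ':'."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as e:
        raise ValueError("malformed Basic token") from e
    user, _, password = decoded.partition(":")
    return user, password


def couch_request_headers(url: str, username: str, password: str) -> dict:
    """Headers for a CouchDB request; refuses to send Basic credentials over plain http."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("refusing to send Basic credentials over a non-TLS URL")
    return {
        "Authorization": basic_auth_header(username, password),
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


def fetch_db_info(url: str, username: str, password: str) -> dict:
    """GET a database document (e.g. https://host/dbname) with Basic auth over TLS."""
    req = urllib.request.Request(url, headers=couch_request_headers(url, username, password))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    hdr = basic_auth_header("username", "password")         # constructed sample credentials
    print(hdr)                                               # Basic dXNlcm5hbWU6cGFzc3dvcmQ=
    print(recover_credentials(hdr))                          # ('username', 'password')
    try:
        couch_request_headers("http://db.example.net/mydb", "username", "password")
    except ValueError as e:
        print("blocked:", e)
    # Against a real server (hypothetical host):
    # print(fetch_db_info("https://db.example.net/mydb", "username", "password"))
```

The round trip through `recover_credentials` is the whole argument for TLS: the base64 token on the wire is equivalent to the password itself, so the only thing that hides it from a network observer is the encrypted channel.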
Currently I'm accessing the JIRA API in a C#.Net application with a username and password. But I need to access the JIRA API without entering a username and a password, even without hashed usernames and passwords. Is there any way to create an API key and access the JIRA API with that?
Yes, JIRA supports OAuth for that purpose, see: https://developer.atlassian.com/display/JIRADEV/JIRA+REST+API+Example+-+OAuth+authentication
Unfortunately there's no C# sample code provided, but you should be able to assemble a solution from the other programming languages here:
https://bitbucket.org/atlassian_tutorial/atlassian-oauth-examples/src
You should use a generic OAuth library anyhow.
OAuth is great for when you need the actual user to log in and you are in the context of a browser.
However, for server-to-server communication that is not linked to any specific user (e.g. CI) you may want to create a "bot" account on your JIRA server and authenticate with API tokens. Creation of tokens is described here: https://confluence.atlassian.com/cloud/api-tokens-938839638.html
Then you can use [user-email]:[auth-token] as user/password for basic auth. Examples:
Curl
curl -u bot@company.com:AAABBBCCC https://[company].atlassian.net/rest/api/latest/issue/DEV-123
NodeJS got:
const issueContent = await gotService.get(
    'https://[company].atlassian.net/rest/api/latest/issue/DEV-123',
    {
        auth: 'bot@company.com:AAABBBCCC'  // [user-email]:[api-token], sent as HTTP basic auth
    }
)
The best approach for this is to read the documentation of the JIRA version you are using, since different versions could have different ways to approach REST APIs.
For me, the endpoint below worked with Basic auth:
curl -u username:password -X GET -H "Content-Type: application/json" http://localhost:8080/rest/api/2/issue/createmeta
Does the WSO2 API Manager provide APIs for user registration and management?
To be more specific, the documentation states that the user can sign up using the store interface. Is there also an equivalent API that I can use to:
register new users
authenticate existing users
to initiate password recoveries
Please add the wso2am tag to this question (see related comment).
Apart from managing users through the product's Management Console, every Carbon server also exposes its management services as web services.
As far as user management is concerned, you can find API samples at the following links (note that these might be specific to a particular Carbon version):
https://svn.wso2.org/repos/wso2/people/asela/wso2-samples/user-manager/user-admin-client/
http://blog.facilelogin.com/2010/05/managing-users-and-roles-with-wso2.html
Yes, the API Store has an exposed API which can be used to register new users (User Signup) and authenticate users (Login).
SignUp
curl -X POST -b cookies http://localhost:9763/store/site/blocks/user/sign-up/ajax/user-add.jag -d "action=addUser&username=user2&password=xxx&allFieldsValues="
(Above, allFieldsValues is the |-separated values for the user fields firstname, lastname, email, etc., e.g. allFieldsValues=lakmali|erandi|lakmali@abc.com)
Login
curl -X POST -c cookies http://localhost:9763/store/site/blocks/user/login/ajax/login.jag -d 'action=login&username=user1&password=xxx'
But password recovery functionality is not available yet. It will be available in future releases.