I want to use the lambda feature of FusionAuth to populate the JWT depending on which app the user logins, because a same user can log into different apps and have several roles or groups in it. I don't want the JWT being populating of every role, being a role action that the user can make into the app(following the NIST RBAC model it will be permissions like 'read:attentions' or 'delete:tests') because it could be dozens of them (syze reasons), instead of that i want the JWT to be populated with the Groups the user has it that specific app. I tried assigning the roles property with empty array but not succeed. I know that the tool by default dont allow you to change the roles property, but there is a way to delete it?.
function populate(jwt, user, registration) {
jwt.group = registration.data.group;
jwt.roles = [];
}
Anyway the token keeps having the roles, how can i remove them?
{
"aud": "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx",
"exp": xxxxxxx,
"iat": xxxxxxx,
"iss": "acme.com",
"sub": "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx",
"authenticationType": "PASSWORD",
"email": "xxxxxxx#mail.com",
"email_verified": true,
"applicationId": "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx",
"roles": [
"read:attentions",
"write:attentions"
],
"group": "financer"
}
The roles claim is reserved by FusionAuth and cannot be modified by a Lambda. There is an open feature that is scheduled to be complete in the upcoming release to loosen this restriction.
Once this feature is delivered you will have the option to remove or modify the roles claim.
The current reserved claims are outlined in the JWT Populate Lambda documentation.
Related
I have literally followed these steps from Auth0 blog to implement SSO in NodeJS with express.
Then, in Auth0 dashboard > Authentication > Enterprise > SAML, I've added a SAML connection to our Active Directory IdP.
The tutorial above requests these scopes:
scope: "openid email profile"
But our AD SAML IdP can (and should) provide us with the groups claim.
I've tried all the steps bellow, but still no "groups" on the id token that i get back from Auth0.
This is all that I'm getting back every time:
(no "groups")
{
"sub": "samlp|My-Company|Myemail#mycompany.com",
"given_name": "John",
"family_name": "Doe",
"nickname": "johndoe",
"name": "Doe, John",
"picture": "https://mycompany.com/avatar.john.doe.png",
"updated_at": "2022-11-23T13:29:49.197Z",
"email": "Myemail#mycompany.com"
}
I've tried a few things:
I've changed the scope above to scope: "openid email profile groups", but got no groups back on the ID token.
I've also tried adding another request parameter called claims, following this spec sheet. But since claims must be a JSON, and Auth0 strategy sends all in the URL, it didn't work. Either claims goes empty, or if I stringify+urlencode, Auth0 calls us back with an error saying it couldn't parse the JSON (and that is a good sign!!). I then tried just stringifying (without urlencoding) the JSON, and it was successfully sent over the URL, but i still got no groups back on the id token.
On Auth0 dashboard > authentication > enterprise > SAML > our connection > Mappings, i've clicked on "Show full mappings example" and used the example as is. It does include "groups"! But it didn't work either. On the id token that I get back, there are no groups.
On Auth Pipeline > Rules > i added a new rule based on the template called "SAML Attributes mapping". This was promising, and I added these lines:
{ ...
"http://schemas.xmlsoap.org/claims/Group": "group" ,
"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "groups"
...}
Again, no "group" or "groups" property on the ID token.
Thank you very much.
I've successfully cloudformed a cognito identity-pool and could not see how I add the custom mappings to the "Cognito" "Authentication Providers" in cloudformation.
Inside the Cognito Authentication Provider on the console, there is a dropdown where I manually have to select "Use custom mappings" and then I can manually add the mappings to my custom user attributes. However, I need to be able to cloudform this and am struggling to find the correct place for it.
The user pool that goes along with this identity pool has "SupportedIdentityProviders" set to "COGNITO"
Update
I can get a list of identity providers by running ...
aws cognito-identity list-identities --max-results 2 --identity-pool-id xx-xxxx-x:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
and this returns me
{
"IdentityPoolId": "xx-xxxx-x:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
"Identities": [
{
"IdentityId": "yy-yyyy-y:yyyyyyyy-yyyy-yyyy-yyyyyyyyyy",
"Logins": [
"cognito-idp.eu-west-2.amazonaws.com/eu-west-2_tFT6FBwIO"
],
"CreationDate": "2021-11-15T12:38:48.249000+00:00",
"LastModifiedDate": "2021-11-15T12:38:48.263000+00:00"
}
]
}
using the "Logins" information I can now run...
aws cognito-identity get-principal-tag-attribute-map --identity-pool-id xx-xxxx-x:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx --identity-provider-name "cognito-idp.eu-west-2.amazonaws.com/eu-west-2_tFT6FBwIO"
which returns
{
"IdentityPoolId": "xx-xxxx-x:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
"IdentityProviderName": "cognito-idp.eu-west-2.amazonaws.com/eu-west-2_tFT6FBwIO",
"UseDefaults": false,
"PrincipalTags": {
"attr_x": "custom:attr_x",
"attr_y": "custom:attr_y",
"attr_z": "custom:attr_z"
}
}
However, I still don't know how to setup this mapping via cloudformation...
Regards
Mark.
Setting PrincipalTag attribute mappings is not yet supported in CloudFormation but, according to the CloudFormation roadmap, will be supported soon.
In the meantime, you would have to create a CloudFormation Custom Resource or Resource Provider to achieve this.
Can I disable login for a particular CouchDB user while leaving their user doc in the authentication database?
This question is similar to How to temporarily disable particular user in couchdb?, but in that case the actual question was how to "temporarily disable particular user read/write access" [emphasis mine].
What I am trying to do is to completely prevent a user from login until a password is set.
The behavior isn't necessarily guaranteed by the CouchDB maintainers in the future, but inspired by the Unix password lockout feature it seems possible to do this in practice by replacing at least the derived_key field with a bogus value like "*" or "!".
For example, this user could login in by providing a certain password:
{
"_id": "org.couchdb.user:test",
"name": "test",
"roles": [],
"type": "user",
"password_scheme": "pbkdf2",
"iterations": 10,
"derived_key": "e7666ce1536488d8c0ceb2b2e9baf25d83e1d720",
"salt": "8b7ea88d05181c77553169354decb0b7"
}
By replacing the scheme-relevant fields with garbage data, the user is no longer able to log in while the CouchDB logs do not register any particular upset/crash:
{
"_id": "org.couchdb.user:test",
"name": "test",
"roles": [],
"type": "user",
"password_scheme": "pbkdf2",
"iterations": 10,
"derived_key": "!",
"salt": "-some other random nonce-"
}
I have not completely confirmed, though, how this gets handled inside of CouchDB. My read of the authenticate logic and how it interacts with the its pbkdf2 implementation is that the stored derived_key is compared as a raw byte string to the re-calculated one and thus there would be no way to generate a collision. So this should always disable the account. (As opposed to a situation where, say, the stored "!" is optimistically expected to be hex of a certainly length and gets quietly "coerced" to a buffer of all zeroes in any case where parsing fails or something…then it might be possible to find an input password such that the result looks correct. Leaving the salt set to a new random-but-valid nonce value would presumably keep a bypass like that prohibitive in practice.)
I am trying to login using token-based Auth, because we are using Odoo-web module in mobile-app.
currently using GET-method url-passing approach which is "UNSECURE" on websites without SSL certificates and localhost-websites, as
myurl.com?username=foo&password=bar
How can I do that using Token based approach or passing credentials in POST-method, in Odoo-12?
Edit 1:
I found this authenticate() method in core-modules of odoo in http-controllers file and I am calling that only now, as:
request.session(db, username, password)
but I wanted it to be token based without hardcoding password as different passwords for different partners, which I can't hardcode and it's bad approach.
how can I do it by passing token and validating it?
You can use the authenticate endpoint provided by odoo to create a session for your api user.
In the following requests you then use the session id to process operations.
Example call to /web/session/authenticate with body:
{
"jsonrpc": "2.0",
"method": "call",
"id": 1,
"params": {
"db": "<YOUR-DB>",
"login": "<YOUR#LOGIN.COM>",
"password": "<YOUR-PASSWORD>"
}
}
You can find a description of the endpoints in https://github.com/odoo/odoo/blob/12.0/odoo/http.py
I was using dreamfactory and was trying to create users with different roles and use those to send requests however those users aren't working for me. The admin users are however. I don't understand why that is.
Below are the steps I've taken;
In the admin console, click the Roles tab then click Create in the left sidebar.
Enter a name for the role and check the Active box.
Go to the Access tab.
Add a new entry under Service Access (you can make it more restrictive later).
set Service = All
set Component = *
check all HTTP verbs under Access
set Requester = API
Click Create Role.
Click the Services tab, then edit the user service. Go to Config and enable
Allow Open Registration.
Set the Open Reg Role Id to the name of the role you just created.
Make sure Open Reg Email Service Id is blank, so that new users can register without email confirmation.
Save changes.
Then I registered the user incognito mode
I used a google extension rest client called Postman to make the request
In postman I used Basic Auth entered the username and password and sent the request
{
"error": {
"context": null,
"message": "Access Forbidden.",
"code": 403
}
...
Above is the result I got when I use the user I just registered. However when I use the admin username and password, I get the following response.
Status 200 OK
{"resource": [{"name": "_schema"},{"name": "_table"},{"name": "_proc"},{"name":"_func"}]}
which is the result I want for the other users.
Please let me know what I did wrong so I can fix it. Thanks again for all your help
I have configured my system the same and will walk through the steps. This is done on the 06 Oct 2015 commit of DreamFactory 2.0 beta.
First, to register a user:
POST /api/v2/user/register
X-DreamFactory-Api-Key: 0d430cc287b5dd88b0f615d2bb69d84ba7201e8d4214fee2eabcc96bcd937d7d
{
"email": "user#domain.com",
"first_name": "Basic",
"last_name": "User",
"display_name": "Basic User",
"new_password": "password"
}
Response: {"success":true}
Next, to login as that user:
POST /api/v2/user/session
X-DreamFactory-Api-Key: 0d430cc287b5dd88b0f615d2bb69d84ba7201e8d4214fee2eabcc96bcd937d7d
{
"email": "user#domain.com",
"password": "password"
}
Response:
{
"session_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjMsInVzZXJfaWQiOjMsImZvcmV2ZXIiOmZhbHNlLCJpc3MiOiJodHRwczpcL1wvZGVtby5lbnRlcnByaXNlLmRyZWFtZmFjdG9yeS5jb21cL2FwaVwvdjJcL3VzZXJcL3Nlc3Npb24iLCJpYXQiOiIxNDQ0Njc1NDU0IiwiZXhwIjoiMTQ0NDY3OTA1NCIsIm5iZiI6IjE0NDQ2NzU0NTQiLCJqdGkiOiIyMjFiYTg5M2E2YTc4OThlNDdlZGI4MGY5YjVkY2M2ZCJ9.V8y2B_2vlh8QdFhRqyuSG8SbfIVe8g71RvNjKoW2Bi8",
"session_id":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjMsInVzZXJfaWQiOjMsImZvcmV2ZXIiOmZhbHNlLCJpc3MiOiJodHRwczpcL1wvZGVtby5lbnRlcnByaXNlLmRyZWFtZmFjdG9yeS5jb21cL2FwaVwvdjJcL3VzZXJcL3Nlc3Npb24iLCJpYXQiOiIxNDQ0Njc1NDU0IiwiZXhwIjoiMTQ0NDY3OTA1NCIsIm5iZiI6IjE0NDQ2NzU0NTQiLCJqdGkiOiIyMjFiYTg5M2E2YTc4OThlNDdlZGI4MGY5YjVkY2M2ZCJ9.V8y2B_2vlh8QdFhRqyuSG8SbfIVe8g71RvNjKoW2Bi8",
"id":3,
"name":"Basic User",
"first_name":"Basic",
"last_name":"User",
"email":"user#domain.com",
"is_sys_admin":false,
"last_login_date":"2015-10-12 18:44:14",
"host":"console",
"role":"basic",
"role_id":1
}
Since you tried using basic auth, I did too:
GET /api/v2/db
X-DreamFactory-Api-Key: 0d430cc287b5dd88b0f615d2bb69d84ba7201e8d4214fee2eabcc96bcd937d7d
Authorization: Basic dXNlckBkb21haW4uY29tOnBhc3N3b3Jk
Response:
{
"resource":
[
{"name":"_schema"},
{"name":"_table"},
{"name":"_proc"},
{"name":"_func"}
]
}
Docs for DreamFactory 2.0: http://wiki.dreamfactory.com/DreamFactory/API
In-depth docs for each possible API call may be found in the API Docs tab of a DreamFactory instance. API Docs are automatically generated and self-documenting, using Swagger UI.