It's possible to "simulate" a user using the master key? I would like this feature to test what the user can really see in the application and verify that he does not have access to some part of it etc.
Is this possible without knowing the password of the user?
If you want to test how user, roles, and permissions work, a simple way to do it is to make command line REST requests against the parse-server. Here's the guide.
You should be able to go into your parse dashboard and locate a user, look at their session token and then use that in queries to simulate that user's permissions.
With a session token, you can query objects in parse like this:
$ curl \
-X GET \
-H 'X-Parse-Application-Id: ABC123 \
-H "X-Parse-Session-Token: r:XXXXXX" \
-H "Content-Type: application/json" \
https://cloud.so.good/parse/classes/Product
For a complex system, you'll want to cover your cloud code to ensure that all is working as expected. A good place to start would be with parse-server's extensive test coverage, including ACL's
You can create a Parse.Session object for the particular user, setting the user and expiresAt fields. You creating the object, get the sessionToken key from the object.
Then for any request you are trying to make, you will set the X-Parse-Session-Token header to be the value of the session token.
Related
User has a custom attribute phoneNumber in Keycloak.
There is a default method for fetching token using username and password but would it be possible to authenticate using phoneNumber / password instead of username / password
curl \
-d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
-d "username=$UNAME" -d "password=$PASSWORD" \
-d "grant_type=password" \
"$KEYCLOAKHOST/auth/realms/$REALM/protocol/openid-connect/token"
What call should I use to authenticate using a custom attribute in UserModel
After looking around it seems to me that you will not have that functionality provided by Keycloak out of the box. With the current Keycloak implementation it would not be feasible to use the :
curl \
-d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
-d "phoneNumber=$PhoneNumber" -d "password=$PASSWORD" \
-d "grant_type=password" \
"$KEYCLOAKHOST/auth/realms/$REALM/protocol/openid-connect/token"
because neither does Keycloak itself check that the user attribute phoneNumber is a valid number nor does it check that it is a unique number. This last constrain is fundamental for obvious reasons, hence the reason why Keycloak enforces the usernames to be unique.
So you can try to extend Keycloak with that functionality, which was recently done in a production environment. Fortunately, the developer was nice enough to provide that functionality for others to implement, check this redhat blog post by the developer detailing the implementation.
However, if you only want to use the "default method for fetching " that you posted in the question, then what you can do is just say that the username itself has to be the mobile phone (similar to the WhatsApp approach), which is not as bad as it sounds because 1) Keycloak enforces that the usernames are unique, 2) Keycloak still has the fields first name and last name to identify by name the users.
Now the tricky part is to ensure that during the user registration, the user really inserts a valid phone number and not some random string. For that, you can either again extend the keycloak, and validated it there. However, if you are going this root you might as well use the feature from the RedHat blog post. Or manage the user registration with your own app, which would enforce the user to add a valid Phone Number by relying on some SMS security feature, and after the validation was performed, the app itself would register the user on Keycloak with the username field set to the user Phone Number.
I created a public repository within my personal account, created a PAT w/ the workflow permissions checked, but am unable to disable the workflow via the API as I receive a message stating that I must have admin rights to the repository. I believe the PAT has the correct permissions so I’m unsure as to why this isn’t working.
Here is the command I am attempting to use (based on the documentation):
curl -s christronyxyocum:MY-PAT -X PUT -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/MY-USERNAME/MY-REPO/actions/workflows/workflow.yml/disable
I can retrieve information about the workflow without any issues so I believe that I have the correct URL and formatting, etc. I have even tried creating a new PAT with the same permissions and that one experiences the same error.
I have figured this out. Rather than using the username:token format like they show repeatedly in their documentation, you must use the -H "Authorization: bearer TOKEN" header with the curl command.
I'am using the Active Collab API V5 to create User from our Service Desk - the creation of the User with the following POST works.
curl -k -v -h "Content-Type:application/json" -h "X-Angie-AuthApiToken:XXXXXXX" -X POST -d '{"type": "Member","email": "XXXXXXXX#XXXXXX", "password": "XXXXX"}' https://URL/api/v1/users
Is it possible to send the invite link automatically? Like the User creation on the web interface (Send invite link from People page).
I found this API Reference https://developers.activecollab.com/api-documentation/v1/people/users/invite.html but on this way its only possible to invite directly to projects.
System makes a distinction between account creation, and invitiation (which includes account creation, but does a bit more). Here's how to invite one user or more users:
curl -h "Content-Type:application/json" \
-h "X-Angie-AuthApiToken:XXXXXXX" \
-X POST -d '{"role": "Member","email_addresses": ["X#Y.COM", "Y#X.com"], "custom_permissions": ["can_manage_projects", "can_manage_finances"]}' \
https://URL/api/v1/users/invite
Differences:
API end-point is different (/api/v1/users/invite),
Use role instead of type,
A list of more than one email address can be specified,
Custom permissions can be set,
You can't specify user's password. They will receive invitation email, and complete the process themselves.
I have spent a lot if time in the documentation and this Q/A forum but have still not ascertained the information I need/understand. The model that I ham working with does not exactly meld with WSO2IS very well. The programmer is set in their ways and will not budge on change, nothing I can do about that. They are just after the security that is provided by WSO2IS. So here is programmers model, NOT sso.
user->web_site->wso2is authorization->website
It is to have every user login every time. What they want from wso2s is to send user_name, password and company_id and to return valid/invalid id and a set of permission. External id should work well as a claim for the company id.
I have been able to create a user, but not able to add a role for that user and I have not been able to get authorization. I can get some of the information about the user via SCIM : curl -v -k --user admin:admin https://wso2-dev.h3net.com:9443/wso2/scim/Users/d9bef03a-ddcf-44fc-a431-3b71e618b61e
What I need are 3 curl commands via REST like commands
Here's what I have for adding a user : curl -k -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{"user":{"username":"Gomez","realm":"PRIMARY","password":"Password1!","claims":[{"uri":"http://wso2.org/claims/givenname","value":"Gomez"},{"uri":"http://wso2.org/claims/emailaddress","value":"bnpatton#west.com"},{"uri":"http://wso2.org/claims/lastname","value":"Adams"},{"uri":"http://wso2.org/claims/mobile","value":"1234567890"}]},"properties":[]}' "https://wso2-dev.h3net.com:9443/api/identity/user/v0.9/me
This does not show haw to add a role for the user, just claims.
With something like the above, how would I do the following :
1. add roles to a user
2. authorize user when just only have user_name, password and company_id(external_id claim)
3. return permissions with authorization or a separate curl command?
Question 1
You can refer this comment for adding roles to the user using SCIM API.
Question 2
In this case, you can use XACML for claim based authorization. Please refer this blog for the implementation.
Question 3
WSO2IS server is working as policy decision point(PDP). Based on the decision you can access the resource in the resource server.
I'm attempting to pull a full list of users that have a specific app or Role on their onelogin account.
I've looked under both Roles and Users within the API but it doesn't appear it's possible to simply give the API a role name/ID and get all user's that are apart of it.
Is there an easy way to do this? It's to help automate auditing of auto-provisioned applications.
Thanks!
As described at the API documentation, at the User section.
you can use "query parameters" in order to filter users.
In your case you want to filter by role_id.
Imagine you want all the users with the role_id = 1:
curl 'https://api.<us_or_eu>>.onelogin.com/api/1/users?role_id=1' \
-X GET \
-H "Authorization: bearer:<access_token>"
In order to get the list of available roles you can execute:
curl 'https://api.<us_or_eu>.onelogin.com/api/1/roles' \
-X GET \
-H "Authorization: bearer:<access_token>"