getProfileUserInfo is returning an empty email and an empty id [duplicate] - authentication

I am trying to get email and id of user through chrome identity api.
I am doing this
chrome.identity.getProfileUserInfo(function(userinfo){
console.log("userinfo",userinfo);
email=userinfo.email;
uniqueId=userinfo.id;
});
I have specified identity permission and have added https://www.googleapis.com/auth/userinfo.email in scopes.
User is logged in through chrome.identity.getAuthToken and I have access token.
console.log("userinfo",userinfo); returns userinfo Object {email: "", id: ""}

The getProfileUserInfo documentation says:
email: Empty if the user is not signed in or the identity.email manifest permission is not specified.
id: Empty if the user is not signed in or (in M41+) the identity.email manifest permission is not specified.
Edit manifest.json to include both permissions:
"permissions": ["identity", "identity.email"]

In addition to having the identity.email permission, as posted in the related Chrome issue for this subject, users must have their profile syncing turned on under chrome://settings -> People -> Sync for their ID and email to show up using chrome.identity.getProfileUserInfo.
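As an added example (not code from the question or either answer), the snippet below wraps chrome.identity.getProfileUserInfo so that the documented empty result (email: "", id: "") is treated as "no identity" rather than as a user with an empty id. The injectable identityApi parameter and the stub used to exercise it are assumptions for running the code outside an extension.

```javascript
// Returns {email, id} only when both fields are present, otherwise null.
// An empty id must never be used as an account key: every signed-out user,
// every install missing identity.email, and every profile with sync off
// would collapse onto the same "" identifier.
function validProfileOrNull(userinfo) {
  if (!userinfo || typeof userinfo.email !== "string" || typeof userinfo.id !== "string") {
    return null;
  }
  if (userinfo.email === "" || userinfo.id === "") {
    return null;
  }
  return { email: userinfo.email, id: userinfo.id };
}

// Promise wrapper around getProfileUserInfo. `identityApi` defaults to
// chrome.identity; passing a stub (assumption for this example) lets the
// logic be tested without a browser.
function getVerifiedProfile(identityApi) {
  const api = identityApi || (typeof chrome !== "undefined" ? chrome.identity : undefined);
  if (!api) {
    return Promise.reject(new Error("chrome.identity API unavailable"));
  }
  return new Promise((resolve, reject) => {
    api.getProfileUserInfo(userinfo => {
      const profile = validProfileOrNull(userinfo);
      if (profile) {
        resolve(profile);
      } else {
        // The three causes the documentation and the answers above list.
        reject(new Error("empty profile: user signed out, identity.email permission missing, or profile sync disabled"));
      }
    });
  });
}
```

In an extension you would call getVerifiedProfile() with no argument and only store the returned id once the promise resolves.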

Related

How to include verified email state on users from a custom database with automatic migration in an Auth0 tenant?

I set up an Auth0 connection database, configured as a custom database with automatic migration turned on. It works great in general. I also successfully set up a rule to force email verification, needed for new users signing up and for old users with unverified emails.
Of course, all migrated users are forced to verify their email address; but my biz requirement is that this should happen just for the users who haven't verified their email yet, as it's annoying forcing it on old users with already verified emails.
I have a source field for that on the legacy DB, but I'm not sure how I can migrate the user including the verified_email state. My current scripts for the custom database return these values:
Login script:
login(email, password, callback)
... returning on callback...
{
user_id: ...,
nickname: ...,
email: ...,
}
GetUser script:
getByEmail(email, callback)
... returning on callback...
{
user_id: ...,
nickname: ...,
email: ...,
name: ...,
given_name: ...,
family_name: ...,
}
You just need to edit your Login script to get that property as well and set it to the email_verified key. Just like your script creates a profile that has user_id, email, and other stuff, you just need to add a line to include email_verified in the profile and populate it with the correct data from your legacy datastore. The data you add to the profile when importing is totally up to you.
In this specific case, the value required is a boolean, so it would be just true, without the quotes.

Getstream.io throws exception when using the "to" field

I have two flat Feed Groups, main, the primary news feed, and main_topics.
I can make a post to either one successfully.
But when I try to 'cc' the other using the to field, like, to: ["main_topics:donuts"] I get:
code: 17
detail: "You do not have permission to do this, you got this error because there are no policies allowing this request on this application. Please consult the documentation https://getstream.io/docs/"
duration: "0.16ms"
exception: "NotAllowedException"
status_code: 403
Log:
The request didn't have the right permissions or autorization. Please check our docs about how to sign requests.
We're generating user tokens server-side, and the token works to read and write to both groups without to.
// on server
stream_client.user(user.user_id).create({
name: user.name,
username: user.username,
});
Post body:
actor: "SU:5f40650ad9b60a00370686d7"
attachments: {images: [], files: []}
foreign_id: "post:1598391531232"
object: "Newsfeed"
text: "Yum #donuts"
time: "2020-08-25T14:38:51.232"
to: ["main_topics:donuts", "main_topics:all"]
verb: "post"
The docs show an example with to: ['team:barcelona', 'match:1'], and say you need to create the feed groups in the panel, but mention nothing about setting up specific permissions to use this feature.
Any idea why this would happen? Note that I'm trying to create the new topics (donuts, all) which don't exist when this post is made. However, the docs don't specify that feeds need to be explicitly created first - maybe that's the missing piece?
If you haven't already tried creating the feed first, then try that. Besides that, the default permissions restrict a user from posting on another's feed. I think it's acceptable to do this if it's a notification feed but not a user or timeline feed.
You can email Getstream support to change the default permissions because these are not manageable from the dashboard.
Or you can do this call server-side with admin permissions.

Keycloak - how to allow linking accounts without registration

I am managing a Keycloak realm with only a single, fully-trusted external IdP added that is intended to be the default authentication mechanism for users.
I do not want to allow users to register, i.e. I want to manually create a local Keycloak user, and that user should then be allowed to link his external IdP account to the pre-existing Keycloak account, with the email address as the common identifier. Users with access to the external IdP but without an existing Keycloak account should not be allowed to connect.
I tried the following First Broker Login settings, but whenever a user tries to log in, he gets an error message (code: invalid_user_credentials).
Do you have any idea what my mistake might be?
Looks like they integrated this feature in version 4.5.0.
See automatic account link docs.
Basically you need to create a new flow and add 2 alternative executions:
Create User If Unique
Automatically Link Brokered Account
According to the doc: https://www.keycloak.org/docs/latest/server_admin/index.html#detect-existing-user-first-login-flow, you must create a new flow like this:
et voilà :)
As per this discussion:
https://keycloak.discourse.group/t/link-idp-to-existing-user/1094/5
It's a bug in Keycloak and they seem to be reluctant to fix it for whatever reason. I have very few users so I solved it by manually querying the IdP for the information Keycloak uses and then copying it into the relevant fields in the UI. So there is no sign-up process for my users; I just make them myself. Obviously that's a poor solution though; what we really need is someone to take over that PR and persuade the maintainers to merge it.
This is the PR: https://github.com/keycloak/keycloak/pull/6282
As described in this GitHub issue response, the solution is to use a JavaScript authenticator that handles this.
In order to do so, you need to do the following:
Enable custom authenticators using JavaScript in your server (https://www.keycloak.org/docs/latest/server_installation/#profiles, see also https://stackoverflow.com/a/63274532/550222) by creating a file profile.properties in your configuration directory that contains the following:
feature.scripts=enabled
Create the custom authenticator. You have to create a JAR file (essentially a ZIP file) with the following structure:
META-INF/keycloak-scripts.json
auth-user-must-exist.js
The contents of the files are in this Gist, but I am including them here as well:
META-INF/keycloak-scripts.json:
{
"authenticators": [
{
"name": "User must exist",
"fileName": "auth-user-must-exist.js",
"description": "User must exist"
}
]
}
auth-user-must-exist.js:
var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError")
var ServicesLogger = Java.type("org.keycloak.services.ServicesLogger")
var AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator")
var IdpCreateUserIfUniqueAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator")

// Subclass the built-in "Create User If Unique" authenticator so its username
// lookup and duplicate check can be reused, but never create a user.
var IdpUserMustExists = Java.extend(IdpCreateUserIfUniqueAuthenticator)

function authenticate(context) {
    var auth = new IdpUserMustExists() {
        authenticateImpl: function(context, serializedCtx, brokerContext) {
            var parent = Java.super(auth)
            var realm = context.getRealm()
            var authSession = context.getAuthenticationSession()

            // An earlier execution already resolved the existing user: nothing to do.
            if (authSession.getAuthNote(AbstractIdpAuthenticator.EXISTING_USER_INFO) != null) {
                context.attempted()
                return
            }

            var username = parent.getUsername(context, serializedCtx, brokerContext)
            if (username == null) {
                // The IdP supplied no usable username/email: make the user complete the profile.
                ServicesLogger.LOGGER.resetFlow(realm.isRegistrationEmailAsUsername() ? "Email" : "Username")
                authSession.setAuthNote(AbstractIdpAuthenticator.ENFORCE_UPDATE_PROFILE, "true")
                context.resetFlow()
                return
            }

            var duplication = parent.checkExistingUser(context, username, serializedCtx, brokerContext)
            if (duplication == null) {
                // No local account for this brokered identity: fail instead of creating one.
                ServicesLogger.LOGGER.info("user not found " + username)
                context.failure(AuthenticationFlowError.INVALID_USER)
                return
            }

            // Hand the existing user on to the next execution ("Automatically Set Existing User").
            authSession.setAuthNote(AbstractIdpAuthenticator.EXISTING_USER_INFO, duplication.serialize())
            context.attempted()
        }
    }
    auth.authenticate(context)
}
Then you can define the first-login flow as follows:
User Must Exist -> ALTERNATIVE
Automatically Set Existing User -> ALTERNATIVE
Honestly, I am surprised by Keycloak's auto-creating behaviour. I tried to add a new authentication flow as described here: https://www.keycloak.org/docs/latest/server_admin/index.html#automatically-link-existing-first-login-flow
My flow:
1 - Create User If Unique [ALTERNATIVE]
2 - Automatically Link Brokered Account [ALTERNATIVE]
My use case: authenticating users from GitHub (GitHub as IdP).
Result: when a GitHub user logs on with an existing "username", Keycloak links the GitHub account to my local user (based on his username). I expected it to use his email instead of the username.

Delete a user from a role in jasper server using Rest

How can I delete a user from a role, or disable the user for that particular role, in JasperReports Server? I need to keep the role in the main tenant; the user should only be removed from the role (group).
What I am doing now is a goof-up like:
Method: DELETE
URL: http://localhost:8080/reportservice/rest/user/username|TenantID
Payload:
<user>
<tenantId>tenantID</tenantId>
<username>{username}</username>
<emailAddress>{emailAddress}</emailAddress>
<enabled>false</enabled>
<externallyDefined>true</externallyDefined>
<fullName>{fullName}</fullName>
<roles>
<externallyDefined>false</externallyDefined>
<roleName>ROLE_USER</roleName>
</roles>
</user>
From the REST API Reference Manual (6.3.0):
To modify the properties of a user account, put all desired information in a user descriptor, and include it in a PUT request to the users service, with the existing user ID (username) specified in the URL.
In the community edition of the server, or commercial editions without organizations, use the first form of the URL.
In commercial editions with organizations, use the second URL to specify the user's organization. When specifying the organization, use its unique ID, not its path. When logged in as the system admin (superuser), use the first URL to modify users of the root organization.
To modify a user, the user ID in the URL must already exist on the server or in the organization. If the user ID doesn't exist, a user account will be created, as described in 21.3, "Creating a User," on page 155.
Method: PUT
URL:
http://<host>:<port>/jasperserver[-pro]/rest_v2/users/userID
http://<host>:<port>/jasperserver[-pro]/rest_v2/organizations/orgID/users/userID
Content-Type:
application/xml
application/json
Content:
A user descriptor that includes the properties you want to change. Do not specify the following properties:
username – Specified in the URL and cannot be modified in the descriptor.
tenantID – Specified in the URL and cannot be modified in the descriptor.
externallyDefined – Computed automatically by the server.
previousPasswordChangeTime – Computed automatically by the server.
Return Value on Success:
200 OK – The user properties were successfully updated.
Typical Return Values on Failure:
404 Not Found – When the organization ID cannot be resolved.
To add a role to the user, specify the entire list of roles with the desired role added. To remove a role from a user, specify the entire list of roles with the desired role removed. The following example shows the descriptor in JSON format:
{
"enabled":true,
"password":"newPassword",
"roles":[
{"name":"ROLE_USER"},
{"name":"ROLE_STOREMANAGER", "tenantId":"organization_1"}]
}
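As an added example (not from the question or the JasperReports manual), the code below carries out the procedure the manual describes: read the current user descriptor, drop the unwanted role from the full role list, and PUT the descriptor back to the users service. The host, organization and user identifiers are placeholders, HTTP basic authentication and Node 18's global fetch are assumptions, and the descriptor deliberately omits username, tenantId and externallyDefined as the manual requires.

```javascript
// Build the descriptor to PUT: the full remaining role list plus the
// mutable fields we want to keep. username/tenantId/externallyDefined are
// left out because the server forbids them in the descriptor.
function descriptorWithoutRole(currentUser, roleName, tenantId) {
  const roles = (currentUser.roles || []).filter(r =>
    !(r.name === roleName && (tenantId === undefined || r.tenantId === tenantId)));
  return {
    enabled: currentUser.enabled,
    fullName: currentUser.fullName,
    emailAddress: currentUser.emailAddress,
    roles,
  };
}

// First URL form for the root organization / community edition, second
// form when an organization ID is given (placeholders, not a real server).
function userUrl(baseUrl, userId, orgId) {
  const base = baseUrl.replace(/\/+$/, "");
  return orgId
    ? `${base}/rest_v2/organizations/${encodeURIComponent(orgId)}/users/${encodeURIComponent(userId)}`
    : `${base}/rest_v2/users/${encodeURIComponent(userId)}`;
}

// GET the descriptor, strip the role, PUT the result. `auth` is "user:password"
// for HTTP basic auth (assumption); a 200 is the documented success code.
async function removeRoleFromUser({ baseUrl, orgId, userId, roleName, tenantId, auth }) {
  const url = userUrl(baseUrl, userId, orgId);
  const headers = {
    Authorization: "Basic " + Buffer.from(auth).toString("base64"),
    Accept: "application/json",
  };
  const current = await (await fetch(url, { headers })).json();
  const body = descriptorWithoutRole(current, roleName, tenantId);
  const res = await fetch(url, {
    method: "PUT",
    headers: { ...headers, "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });
  if (res.status !== 200) {
    throw new Error(`user update failed: HTTP ${res.status}`);
  }
  return body;
}
```

Typical usage would be removeRoleFromUser({ baseUrl: "http://localhost:8080/jasperserver", orgId: "organization_1", userId: "jsmith", roleName: "ROLE_STOREMANAGER", tenantId: "organization_1", auth: "jasperadmin:PLACEHOLDER" }); because the PUT replaces the whole role list, reading the descriptor immediately before writing it is what prevents silently dropping roles that were added in between.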

After GitLab upgrade the email address is missing from group member API calls

We have recently upgraded to GitLab 7.10.4 and there appears to be a change in the API. In the previous release it put the email address on the group members API call and now that appears to be removed.
If I call the API URL http://mygitlab.com/api/v3/groups/15/members?per_page=100&private_token=itsasecret
I get a list of the users but the email address is missing:
{
name: "Michael Ransley",
username: "michael.ransley",
id: 59,
state: "active",
avatar_url: "http://www.gravatar.com/avatar/88c8f05469e0ae00a904f21ccff6ed47?s=40&d=identicon",
access_level: 50
},
Any ideas on how I can get the email address back into this response?
Note: the user making the call is a gitlab admin user.
Looking into it, the code appears to be missing the email attribute. I have added it and created a pull request to ensure that it is added in future versions.
https://github.com/mransley/gitlabhq/commit/5de73237ae585ff70013c1ae38b4a88970133e26