Trying to pull list via Onelogin API - api

I'm attempting to pull a full list of users that have a specific app or Role on their onelogin account.
I've looked under both Roles and Users within the API, but it doesn't appear to be possible to simply give the API a role name/ID and get all users that are a part of it.
Is there an easy way to do this? It's to help automate auditing of auto-provisioned applications.
Thanks!

As described in the API documentation, in the User section, you can use "query parameters" to filter users.
In your case you want to filter by role_id.
Imagine you want all the users with role_id = 1:
curl 'https://api.<us_or_eu>.onelogin.com/api/1/users?role_id=1' \
-X GET \
-H "Authorization: bearer:<access_token>"
In order to get the list of available roles you can execute:
curl 'https://api.<us_or_eu>.onelogin.com/api/1/roles' \
-X GET \
-H "Authorization: bearer:<access_token>"
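For the auditing use case in the question, a single page of results is rarely enough. The following is an added example (not from the answer above or from OneLogin) that walks the role_id filter through OneLogin's cursor pagination and reduces the result to the active members of the role. It assumes the v1 response shape (a "pagination.after_cursor" field and a "data" list) and that user status 1 means Active; the HTTP call is replaced by an injectable fetch function fed with constructed sample pages, so it runs offline.

```python
from typing import Callable, Dict, Iterator, List, Optional

# Constructed sample pages (not real OneLogin data) shaped like the assumed v1
# response to GET /api/1/users?role_id=1, keyed by the after_cursor that fetches them.
SAMPLE_PAGES = {
    None: {
        "status": {"error": False, "code": 200},
        "pagination": {"after_cursor": "xyz123", "before_cursor": None},
        "data": [
            {"id": 10, "email": "alice@example.com", "role_id": [1, 2], "status": 1},
            {"id": 11, "email": "bob@example.com", "role_id": [1], "status": 0},
        ],
    },
    "xyz123": {
        "status": {"error": False, "code": 200},
        "pagination": {"after_cursor": None, "before_cursor": "xyz123"},
        "data": [
            {"id": 12, "email": "carol@example.com", "role_id": [1, 3], "status": 1},
        ],
    },
}

def fake_fetch(url: str, headers: Dict[str, str], params: Dict[str, str]) -> dict:
    """Stand-in for an HTTP GET (hypothetical); returns the sample page for the cursor."""
    assert headers["Authorization"].startswith("bearer:")  # OneLogin v1 header format
    return SAMPLE_PAGES[params.get("after_cursor")]

def iter_role_members(role_id: int, token: str, fetch: Callable = fake_fetch,
                      region: str = "us") -> Iterator[dict]:
    """Yield every user holding role_id, following after_cursor until it is empty."""
    url = f"https://api.{region}.onelogin.com/api/1/users"
    headers = {"Authorization": f"bearer:{token}"}
    cursor: Optional[str] = None
    while True:
        params = {"role_id": str(role_id)}
        if cursor:
            params["after_cursor"] = cursor
        page = fetch(url, headers, params)
        if page.get("status", {}).get("error"):
            raise RuntimeError(f"OneLogin API error: {page['status']}")
        for user in page.get("data", []):
            # Re-check the role list on the record rather than trusting the filter alone.
            if role_id in user.get("role_id", []):
                yield user
        cursor = page.get("pagination", {}).get("after_cursor")
        if not cursor:
            break

def audit_role(role_id: int, token: str, fetch: Callable = fake_fetch) -> List[str]:
    """E-mails of active (status == 1, assumed) role members, sorted so runs can be diffed."""
    return sorted(u["email"] for u in iter_role_members(role_id, token, fetch)
                  if u.get("status") == 1)
```

Swapping fake_fetch for a real HTTP client and storing each run's sorted list lets a later run be diffed against it to spot newly provisioned members.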

Related

How to get all permissions of a specific user in Keycloak as an admin over an API

I am trying to get all permissions of a user with an admin account.
If I get an access token for my user and use this endpoint:
POST 'https://<HOST>/auth/realms/<REALM>/protocol/openid-connect/token'
with this header/body:
--header 'Authorization: Bearer <ACCESS_TOKEN_OF_USER>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'audience=<CLIENT>' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket'
I get a new token with all the information I need (including permissions for resources and their scopes).
Now I want to get all this information without knowing the credentials of the user, but with those of the admin. In the admin console you get access to all this information as an admin. So I guess it should be possible to evaluate all permissions of a specific user with just the admin access.
But what request/requests do I have to do?
(I am using Keycloak 17-Wildfly)

Login as a user in parse-server without having his password useing the master key?

Is it possible to "simulate" a user using the master key? I would like this feature to test what the user can really see in the application and verify that he does not have access to some parts of it, etc.
Is this possible without knowing the password of the user?
If you want to test how user, roles, and permissions work, a simple way to do it is to make command line REST requests against the parse-server. Here's the guide.
You should be able to go into your parse dashboard and locate a user, look at their session token and then use that in queries to simulate that user's permissions.
With a session token, you can query objects in parse like this:
$ curl \
-X GET \
-H "X-Parse-Application-Id: ABC123" \
-H "X-Parse-Session-Token: r:XXXXXX" \
-H "Content-Type: application/json" \
https://cloud.so.good/parse/classes/Product
For a complex system, you'll want to cover your cloud code with tests to ensure that all is working as expected. A good place to start would be with parse-server's extensive test coverage, including ACLs.
You can create a Parse.Session object for the particular user, setting the user and expiresAt fields. Once you have created the object, get the sessionToken key from it.
Then for any request you are trying to make, you will set the X-Parse-Session-Token header to be the value of the session token.

Active Collab send Email after User create

I'm using the Active Collab API v5 to create users from our Service Desk; the creation of the user with the following POST works.
curl -k -v -H "Content-Type:application/json" -H "X-Angie-AuthApiToken:XXXXXXX" -X POST -d '{"type": "Member","email": "XXXXXXXX@XXXXXX", "password": "XXXXX"}' https://URL/api/v1/users
Is it possible to send the invite link automatically, like the user creation on the web interface (Send invite link from the People page)?
I found this API reference https://developers.activecollab.com/api-documentation/v1/people/users/invite.html but that way it's only possible to invite directly to projects.
The system makes a distinction between account creation and invitation (which includes account creation, but does a bit more). Here's how to invite one or more users:
curl -H "Content-Type:application/json" \
-H "X-Angie-AuthApiToken:XXXXXXX" \
-X POST -d '{"role": "Member","email_addresses": ["X@Y.COM", "Y@X.com"], "custom_permissions": ["can_manage_projects", "can_manage_finances"]}' \
https://URL/api/v1/users/invite
Differences:
The API endpoint is different (/api/v1/users/invite),
Use role instead of type,
A list of more than one email address can be specified,
Custom permissions can be set,
You can't specify the user's password. They will receive an invitation email and complete the process themselves.

wso2is curl claims authorization

I have spent a lot of time in the documentation and this Q/A forum but have still not ascertained the information I need/understand. The model that I am working with does not exactly meld with WSO2IS very well. The programmer is set in their ways and will not budge on change; nothing I can do about that. They are just after the security that is provided by WSO2IS. So here is the programmer's model, NOT SSO.
user->web_site->wso2is authorization->website
It is to have every user log in every time. What they want from WSO2IS is to send user_name, password and company_id and to return a valid/invalid id and a set of permissions. External id should work well as a claim for the company id.
I have been able to create a user, but not able to add a role for that user, and I have not been able to get authorization. I can get some of the information about the user via SCIM: curl -v -k --user admin:admin https://wso2-dev.h3net.com:9443/wso2/scim/Users/d9bef03a-ddcf-44fc-a431-3b71e618b61e
What I need are 3 curl commands (REST-like commands).
Here's what I have for adding a user: curl -k -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{"user":{"username":"Gomez","realm":"PRIMARY","password":"Password1!","claims":[{"uri":"http://wso2.org/claims/givenname","value":"Gomez"},{"uri":"http://wso2.org/claims/emailaddress","value":"bnpatton@west.com"},{"uri":"http://wso2.org/claims/lastname","value":"Adams"},{"uri":"http://wso2.org/claims/mobile","value":"1234567890"}]},"properties":[]}' "https://wso2-dev.h3net.com:9443/api/identity/user/v0.9/me"
This does not show how to add a role for the user, just claims.
With something like the above, how would I do the following :
1. add roles to a user
2. authorize a user when I only have user_name, password and company_id (external_id claim)
3. return permissions with authorization or a separate curl command?
Question 1
You can refer to this comment for adding roles to the user using the SCIM API.
Question 2
In this case, you can use XACML for claim-based authorization. Please refer to this blog for the implementation.
Question 3
The WSO2IS server works as the policy decision point (PDP). Based on the decision, you can access the resource in the resource server.

Access multiple APIs with one token in Kong using the OAuth2 plugin with Client Credentials flow

Using Kong API Gateway, I have added the OAuth2 plugin to all APIs in the hope of getting one token to access these APIs.
When I call: www.example.com/oauth2/token with the required fields:
grant type, client id and client secret
it forces me to add the API: www.example.com/apiendpoint/oauth2/token
Unfortunately the token generated only has access to the specific API.
I've tried:
www.example.com/apis/oauth2/token
www.example.com/token
As well as reviewing the latest API docs:
https://getkong.org/docs/0.10.x/admin-api/
none of which worked.
Is it possible to generate one token to access all the APIs, and if so, how?
This isn't possible with Kong today - you are welcome to open an issue https://github.com/Mashape/kong/issues to raise the visibility of your request with the Kong community.
For people searching for how to do this:
A way to achieve what was asked is by doing a POST on the admin API:
$ curl -X POST http://kong:8001/oauth2_tokens \
--data "api_id=API-ID" \
--data "scope=SOME-SCOPE" \
--data "credential_id=KONG-APPLICATION-ID" \
--data "token_type=bearer" \
--data "access_token=SOME-TOKEN" \
--data "refresh_token=SOME-TOKEN" \
--data "expires_in=3600"
This way you can set a token for the desired APIs.
The KONG-APPLICATION-ID can be found at the /consumers/consumername/oauth2 API endpoint.