For test purpose I added a read-only LDAP look-up via the User Store Management menu at admin, selecting the option:
org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager
After testing, I'm not able to remove this store entry at the Web console by doing a "Select All" and selecting the "Delete" icon. The command confirms deletion of the store, but after a new lookup the entry is still present. It is currently set in a disabled state, as some details are still missing in the LDAP setup.
It displays a pop-up message like this:
Do you want to delete the selected user stores? Yes
Selected user stores are being deleted. Refresh the page after few seconds to check the new status. OK
After this issue, the dashboard login function stopped working, not accepting local LDAP store registered users. Under admin console access, the local users are still visible.
Please advise how to correct this issue.
A "kill -9 process number" solved the problem reported above and new start of the Identity server removed the web cache error. Yes, it did remove all the persistent entries.
I am using Keycloak to secure my application, but I am using an extra database too. I am holding my users in both of them. Thus whenever a change is made to a user, the user needs to be updated in both the Keycloak db and my db. Thus whenever the application's main page loads, I update the user (every time), because maybe the user was changed from the Keycloak User Account Management service, and I need to put the change in the db.
But I don't want to do this every time the app loads. I would like to know if there's a way to know the Keycloak account page was opened by the user (so that I can update the users only then). Maybe Keycloak returns a parameter or something? I don't know.
If anyone can help, I would be grateful.
I wrote an app script which provides a web UI for data entry into a team calendar. I published it using G-Suite super admin account and added it as Trusted App under Security/API Permissions. "Trust domain owned apps" is checked under "Internal App Settings".
When a G-Suite user in our organization tries to access the app, he sees
"The developer of ShiftSchedulingApp, admin#_our_organization_.org, needs your permission to access your data on Google."
Those brave enough to click "Review Permissions" are taken to the next message:
"ShiftSchedulingApp wants to access your Google Account. See, edit, share, and permanently delete all the calendars you can access using Google Calendar"
Of course nobody wants to risk losing all the calendars on their Google Account and this is where it ends.
How do I get rid of this misleading message? It's not Google account, it's their organization account on G-Suite. It's not all their calendars, it's the shared team calendar only. It's adding data, not permanently deleting calendars. It's published by their administrator in their G-Suite, not an unknown 3rd party.
I spent days trying to make this message go away but no luck. App must be executed as an accessing user and not as publishing user because their user ID determines what shifts they can fill on a calendar.
I'd appreciate any hints pointing me the right direction.
I experimented with variations of the two-app approach as suggested.
The app which provides the UI needs to read the calendar to display available shifts - so I can't get away from the user authorization prompt.
Another variation I tried was having one app do everything and run as me, and another do nothing but return Session.getActiveUser(). I tried calling the 2nd one from the 1st one on the client side via XMLHttpRequest. It would be ideal for my needs, but I hit a CORS error, as the app's URL is script.google.com but it actually gets redirected to script.googleusercontent.com. There doesn't seem to be a way to set CORS in Google Apps Script.
Although I was not able to find a way to avoid prompting users for authorization when executing the app as accessing user, it turns out my reasons for doing that were based on a false premise.
I chose to publish the app as the accessing user because I thought that's the only way to get the accessing user's Id, which is true for non-G Suite accounts.
However, when the app is published by a G Suite account, the app can get accessing user ids within the same G Suite domain even when it's set to execute as the publishing user.
Thanks Niek and TheMaster for your help!
If you just need user ID, why do you ask for all those permissions?
Possible Solutions:
Two web apps: one running as you and another running as the accessing user (with only the profile permission). The second one will be the actual web interface and will POST the necessary information to the first one, which has the privileges. OR
Implement your own web-app Google sign-in.
Use the least permissive scope.
I am developing an inventory management system. I am using AppWithinMinutes (AWM). Only the administrator can add, edit and delete. In this system, the user name is entered in the user field. Other fields hold other information. How can users see only their own children when they log in to xwiki with their own name? And how can he be prevented from seeing the other kids?
You could implement an EventListener in your application so that, whenever an entry in your application is created, an XWikiRights object is added to the page to allow view access only to the user that created it and to some admin group (that is allowed to see all the entries of all the users).
Note that it would be recommended to implement your EventListener as a WikiComponent so that it is automatically registered when your XWiki instance is restarted.
I created a cognito user pool with some apps and attributes. All is empty, it has no user yet.
Now, I want to add some new attributes in the "Attributes" tab, but all fields are disabled.
On the other hand, in Federated Identities, I was trying to change the "user pool id" and "client id", under tab "Authentication Provider" > "Cognito". All fine, I do my changes and I press "Save Changes", but when I refresh the page to see it, I see that my changes were lost.
My question is, is this a bug in Cognito, or is updating attributes/configuration not supported?
EDIT 1: OK, it's not possible to update attributes.
EDIT 2: I can't update the configuration on the Identity Pool. Here are my steps:
Go to federated identities
Press edit identity pool
In authentication provider, in the cognito tab, unlock user pool id and app client id
Update values and press Save Changes
System shows me that changes were successfully saved
Go to Authentication Provider, under Cognito, but the old values still appear
Check if Pool Id and App Client Id were correct
Thanks
Part 2: Changing the user pool id and the client id is somewhat confusing (some would say "inane" because it is non-standard and serves no purpose). Here is how it works: there is a little "Unlock" button next to each field; you must press this button to "unlock" the field, then you can enter the field and click Save. This is handled similarly on some of the other authentication providers (Google/Facebook). While the "Unlock" buttons sound like they do something undesirable (who wants to unlock their own authentication provider?), they just unlock the text field.
Part 1, to expand on Rachit's answer: You can add custom attributes, but the standard attributes are "locked in" upon creating the pool (the Console has a note indicating that).
Updating the standard attributes is not supported in Cognito. You can add custom attributes if need be.
Updating the configuration should work in Federated Identities and I just tried to reproduce and was able to change the user pool id and the client id. Is there any error message displayed for you?
I did exactly what you did and it worked. So maybe it is fixed, or maybe you have a browser incompatibility (I did it in Safari).
You can also (alternatively) add another provider using the same user pool ID (that also works).
Lastly, and with caution: there have been reports of configurations getting messed up where deleting the identity pool and reconnecting the user pool improved things. I even experienced this personally. But I was never able to reproduce it, and there are risks: the identity pool keeps the identityId, and if you delete it your devices will have old keychains with non-existent identityIds, and you may have to wipe the keychain. Obviously if you have anything synced it will be lost, and if you have any data related to the identityId it will be lost (because everyone will get a new identity id). But it is a step of last resort that is easy if you are still in development.
I was facing the exact problem described in the question but was able to overcome it using the AWS CLI. I could add the Cognito Authentication providers; the command is as follows:
aws cognito-identity update-identity-pool \
--identity-pool-id "<IDENTITY_POOL>" \
--identity-pool-name "<IDENTITY_POOL_NAME>" \
--no-allow-unauthenticated-identities \
--cognito-identity-providers \
ProviderName="cognito-idp.<USER_POOL_ID>",ClientId="<USER_POOL_APP_CLIENT_ID>",ServerSideTokenCheck=false
Caution:
This will overwrite the existing Cognito Identity Providers. If you don't want to overwrite but add a new one, then list the other Cognito Identity Providers as well in the above command, like ProviderName="cognito-idp.<EXISTING_USER_POOL_ID>",ClientId="<EXISTING_USER_POOL_APP_CLIENT_ID>",ServerSideTokenCheck=false, next to each other; in that case the command will look like below:
aws cognito-identity update-identity-pool \
--identity-pool-id "<IDENTITY_POOL>" \
--identity-pool-name "<IDENTITY_POOL_NAME>" \
--no-allow-unauthenticated-identities \
--cognito-identity-providers \
ProviderName="cognito-idp.<USER_POOL_ID>",ClientId="<USER_POOL_APP_CLIENT_ID>",ServerSideTokenCheck=false \
ProviderName="cognito-idp.<EXISTING_USER_POOL_ID>",ClientId="<EXISTING_USER_POOL_APP_CLIENT_ID>",ServerSideTokenCheck=false
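Because update-identity-pool replaces the whole provider list, the caution above can be handled by reading the current providers first and re-submitting them together with the new one. The following is an added example and not code from the answer; it assumes the AWS CLI text output format of describe-identity-pool, and the pool ids in the comments and test are constructed placeholders.

```shell
#!/bin/sh
# Added example: keep existing Cognito identity providers when adding a new one.
tab=$(printf '\t')

# Convert describe-identity-pool rows (ProviderName<TAB>ClientId<TAB>True|False),
# read from stdin, into the shorthand that --cognito-identity-providers expects.
rows_to_shorthand() {
  while IFS="$tab" read -r name client check; do
    [ -n "$name" ] || continue
    case "$check" in
      True|true) check=true ;;
      *)         check=false ;;
    esac
    printf 'ProviderName=%s,ClientId=%s,ServerSideTokenCheck=%s\n' "$name" "$client" "$check"
  done
}

# Print the new provider followed by the existing ones (stdin). awk keeps the
# first line per ProviderName, so re-running replaces an entry instead of
# duplicating it, and the existing providers are never dropped.
merge_providers() {
  new_name=$1; new_client=$2; new_check=${3:-false}
  {
    printf 'ProviderName=%s,ClientId=%s,ServerSideTokenCheck=%s\n' "$new_name" "$new_client" "$new_check"
    rows_to_shorthand
  } | awk -F, '!seen[$1]++'
}

# Live use (needs the AWS CLI and credentials; not exercised offline):
#   add_provider_live <IDENTITY_POOL_ID> <IDENTITY_POOL_NAME> \
#     cognito-idp.<REGION>.amazonaws.com/<USER_POOL_ID> <APP_CLIENT_ID>
# The unauthenticated-identities flag mirrors the answer's command; compare it
# with the pool's current setting in the describe output before relying on it.
add_provider_live() {
  pool_id=$1; pool_name=$2
  # shellcheck disable=SC2046
  # word splitting is intended here: one shorthand entry per argument
  aws cognito-identity update-identity-pool \
    --identity-pool-id "$pool_id" \
    --identity-pool-name "$pool_name" \
    --no-allow-unauthenticated-identities \
    --cognito-identity-providers $(aws cognito-identity describe-identity-pool \
        --identity-pool-id "$pool_id" \
        --query 'CognitoIdentityProviders[].[ProviderName,ClientId,ServerSideTokenCheck]' \
        --output text | merge_providers "$3" "$4")
}
```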
I'm working on a project to pull information from a SharePoint calendar and post it into the AtTask Time Off calendar. This should be pretty simple, but nothing in the AtTask API works the way I would expect. I've already asked about the "POST" action deleting existing records. Now I'm running into some strange rights issues.
I have administrator rights in our AtTask sandbox. I am able to access the Time Off records (RESVY) for all users on the system. I am able to delete them without issue. However, I am only able to create new records (POST) for myself. When attempting to create a new record for another user, I'm plugging in the sessionID from my login as the administrator and the other user's userID.
The result is an error message: "You do not have sufficient access to edit this User".
It seems odd that the API would allow me to delete the RESVT records for another user, but not create new records.
We are using Active Directory for authentication into AtTask, so I don't have access to the passwords of the other users. This is really getting to be a headache.
Thanks in advance,
Mark
To update another user's Time-Off, the following 3 scenarios will allow you to mark time-off for another user. This is using the new access module.
You are a system admin
You have the User Admin setting enabled in your access level settings (located under the Fine Tuning option through Edit Rights at the user level)
You have users who report to you (you are a manager): you will be able to edit Time-off for users who report to you.