What is the difference when a site account is like this (PMPS, FMPA)?
"mfaType": {
"typeId": 5,
"typeName": "MULTI_LEVEL"
},
"mfaCoverage": "PMPS",
Versus this:
"mfaType": {
"typeId": 4,
"typeName": "SECURITY_QUESTION"
},
"mfaCoverage": "FMPA",
"mfaCoverage": "PMPS" is used for representing the financial institution sites which does not prompt MFA for all the users accessing the web site. This denotes that MFA will be prompted only for some users.
"mfaCoverage": "FMPA" is used for representing the financial institution sites which prompt MFA for all the users accessing the web site. This denotes that MFA will be prompted only for some users.
But you should not be worried about the coverage , instead should focus on mfaType.typeName to identify which type of MFA the financial institution supports.
Here are the possible values and it's meaning -
SECURITY_QUESTION - means the FI site has security question and answer as MFA.
IMAGE - means FI site asks user to enter the value from Image captcha.
TOKEN_ID - means FI site asks user to enter the OTP(one time password) received either by email or message or have a RSA token to generate code.
MUTLI_LEVEL - this MFA is combination of any two of the above MFA types.
Related
I have literally followed these steps from Auth0 blog to implement SSO in NodeJS with express.
Then, in Auth0 dashboard > Authentication > Enterprise > SAML, I've added a SAML connection to our Active Directory IdP.
The tutorial above requests these scopes:
scope: "openid email profile"
But our AD SAML IdP can (and should) provide us with the groups claim.
I've tried all the steps bellow, but still no "groups" on the id token that i get back from Auth0.
This is all that I'm getting back every time:
(no "groups")
{
"sub": "samlp|My-Company|Myemail#mycompany.com",
"given_name": "John",
"family_name": "Doe",
"nickname": "johndoe",
"name": "Doe, John",
"picture": "https://mycompany.com/avatar.john.doe.png",
"updated_at": "2022-11-23T13:29:49.197Z",
"email": "Myemail#mycompany.com"
}
I've tried a few things:
I've changed the scope above to scope: "openid email profile groups", but got no groups back on the ID token.
I've also tried adding another request parameter called claims, following this spec sheet. But since claims must be a JSON, and Auth0 strategy sends all in the URL, it didn't work. Either claims goes empty, or if I stringify+urlencode, Auth0 calls us back with an error saying it couldn't parse the JSON (and that is a good sign!!). I then tried just stringifying (without urlencoding) the JSON, and it was successfully sent over the URL, but i still got no groups back on the id token.
On Auth0 dashboard > authentication > enterprise > SAML > our connection > Mappings, i've clicked on "Show full mappings example" and used the example as is. It does include "groups"! But it didn't work either. On the id token that I get back, there are no groups.
On Auth Pipeline > Rules > i added a new rule based on the template called "SAML Attributes mapping". This was promising, and I added these lines:
{ ...
"http://schemas.xmlsoap.org/claims/Group": "group" ,
"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "groups"
...}
Again, no "group" or "groups" property on the ID token.
Thank you very much.
Can I disable login for a particular CouchDB user while leaving their user doc in the authentication database?
This question is similar to How to temporarily disable particular user in couchdb?, but in that case the actual question was how to "temporarily disable particular user read/write access" [emphasis mine].
What I am trying to do is to completely prevent a user from login until a password is set.
The behavior isn't necessarily guaranteed by the CouchDB maintainers in the future, but inspired by the Unix password lockout feature it seems possible to do this in practice by replacing at least the derived_key field with a bogus value like "*" or "!".
For example, this user could login in by providing a certain password:
{
"_id": "org.couchdb.user:test",
"name": "test",
"roles": [],
"type": "user",
"password_scheme": "pbkdf2",
"iterations": 10,
"derived_key": "e7666ce1536488d8c0ceb2b2e9baf25d83e1d720",
"salt": "8b7ea88d05181c77553169354decb0b7"
}
By replacing the scheme-relevant fields with garbage data, the user is no longer able to log in while the CouchDB logs do not register any particular upset/crash:
{
"_id": "org.couchdb.user:test",
"name": "test",
"roles": [],
"type": "user",
"password_scheme": "pbkdf2",
"iterations": 10,
"derived_key": "!",
"salt": "-some other random nonce-"
}
I have not completely confirmed, though, how this gets handled inside of CouchDB. My read of the authenticate logic and how it interacts with the its pbkdf2 implementation is that the stored derived_key is compared as a raw byte string to the re-calculated one and thus there would be no way to generate a collision. So this should always disable the account. (As opposed to a situation where, say, the stored "!" is optimistically expected to be hex of a certainly length and gets quietly "coerced" to a buffer of all zeroes in any case where parsing fails or something…then it might be possible to find an input password such that the result looks correct. Leaving the salt set to a new random-but-valid nonce value would presumably keep a bypass like that prohibitive in practice.)
Question about security for POST method of HTTP:
I made a user called "MyAPP":
{
"userdef": [
"view",
"create"
],
"api_key": "dzn8k7hj2sdgddlvymfmefh1k2ddjl05",
"user_id": "MyAPP",
"name": "MyAPP",
"creator": "admin",
"edit": [],
"dbdef": [
"view",
"create"
],
"querydef": [
"view",
"create"
],
"databases": {
"Gaming": {
"dbuser": "mydbuser_here",
"dbpass": "mypass_here"
}
},
"password":
"$6$rounds=665736$x/Xp0k6Nj.5qzuM5$G.3w6Py1s.xZ83RHDU55qonNMpJe4Le8nD8PqjYKoOtgbab7T22knJPqwHspoT6BQxp.5gieLFuD0SdD9dyvi/",
"email": "",
"view": []
}
Then I wanted to issue a POST in order to execute a SQL Pass-thru
such as this:
http:///query/InsertBestScore/Score/99/ScreenName/GollyGolly.xml?apikey=dzn8k7hj2sdgddlvymfmefh1k2ddjl05
Where I built a query and named it "InsertBestScore":
insert into Gaming.Leaderboard
(ScreenName, Score)
values
(:ScreenName, :Score);
If I run this via POSTMAN using the POST method:
... then I get an access, 403 :
<?xml version="1.0" encoding="utf-8"?>
<SlashDB>
<http_code>403</http_code>
<description>Access was denied to this resource. Please log in with your username/password or resend your request with a valid API key.</description>
<url_template>/query/InsertBestScore/Score/{Score}/ScreenName/{ScreenName}.xml</url_template>
</SlashDB>
Also, I would be calling this POST (or PUT) request from an application, in my case a Python program running from within a AWS Lambda Function.
Now, I came across this in the documentation:
Two parameters API key
SlashDB also allows a two parameters credentials in this authentication method - app id and api key. This may come handy when integrating with API management systems like 3Scale. By default header and query string argument would be:
• appid - identifies certain application
• apikey - secret for the application
Request with API key in header - Access granted
... however in the example above, I don't see where the appid comes into play.
Can you tell me how one would call the SlashDB endpoint and pass a APIkey and assure that the userid is known as MyAPP.
So, to sum up, the Documentation mentions:
• Another application utilizes an API key to authenticate, which is sent with every request. The application is recognized as SlashDB user App2, which uses database login db_admin. Effectively this application can SELECT, UPDATE, INSERT and DELETE data.
So I want to actually, do just what is in that bullet: Identify myself as the user (instead of App2, I'm user MyAPP), and then use the dbuser and dbpass that was assigned to access that "Gaming" database.
Idea?
Make sure you've given user MyAPP permission to execute the query.
To do so:
login as admin,
go to Configure -> Queries,
open your query definition,
update field Execute. It accepts comma separated user ids.
OK, there are really two questions here:
Why was access denied?
What is the appid and how to use it.
Ad. 1: There are two authorization barriers that the request has to clear.
The first one is imposed by SlashDB in that the user executing the query must be listed in the Execute field on the query definition screen. This is done under Configure -> Queries -> "edit" button on your query.
The second barrier is imposed by the database. The SlashDB user who is executing your POST request must be mapped to a physical database user with INSERT privileges to the Gaming.Leaderboard table. It goes without saying that this database user must be associated with the database schema in which the table exists.
Ad. 2. To enable the appid the user api key must be composed out of two parts separated by colon ":". The first part will be interpreted as the appid and the second will be the apikey.
To do that, use Configuration -> Users -> 'edit' button for the user in question. Then simply add a colon at the beginning of the API key and type in your desired appid to the left of the colon. The app will have to supply both keys to execute the request. Note that the names of those keys (i.e. appid) are configurable in /etc/slashdb/slashdb.ini.
The reasoning behind this feature is to facilitate API Management platforms, which can help with key management, especially when API will be exposed to third party developers.
I'm using the Yodlee REST API and try to update the credentials at a site.
I'm doing the following sequence:
authenticate/coblogin
authenticate/login
SiteAccountManagement/updateSiteAccountCredentials
In 3 I pass:
cobSessionToken <cobSessionToken>
userSessionToken <userSessionToken>
memSiteAccId <memSiteAccId>
credentialFields.enclosedType com.yodlee.common.FieldInfoSingle
credentialFields[0].name LOGIN
credentialFields[0].displayName User ID
credentialFields[0].valueMask LOGIN_FIELD
credentialFields[0].fieldType.typeName IF_LOGIN
credentialFields[0].valueIdentifier LOGIN
credentialFields[0].value <username>
credentialFields[1].name PASSWORD
credentialFields[1].displayName Password
credentialFields[1].valueMask LOGIN_FIELD
credentialFields[1].fieldType.typeName IF_PASSWORD
credentialFields[1].valueIdentifier PASSWORD
credentialFields[1].value <password>
All according to the API spec.
But all I get back is:
"errorOccured": "true",
"exceptionType": "com.yodlee.core.IllegalArgumentValueException",
"refrenceCode": <referenceCode>,
"message": "Multiple exceptions encapsulated within: invoke getWrappedExceptions for details"
What am I missing?
I'd recommend that you try and do the same credential edit call for another site too.
If the call works for the other site, chances are it is an error related specifically to the site you're trying to edit above (and so, a ticket with Yodlee likely needs to be opened). HTH!
I am running SampleApplication for Yodlee IDV. I already created a catalog named yantra and got credentials. When I initiate IAV, it throws ExtendedInstantAccountVerificationInfo. I have no idea what am I doing wrong.
IAV Data Matching Menu
Initiate IAV (Includes MFA)
Show All Routing Numbers for the cobrand
Show Content Service Info for a Routing Number
Exit
Enter Choice : 1
Bank Account #: (For DAGBANK it is 503-1123) 503-1123
Routing # (for DAGBANK it is 999999989) 999999989
AccountType : (Checking is 2, Savings is 1) 2
CSID: (For DAGBANK it is 11195) 11195
CobrandContext is valid (2 minutes old), using cached CobrandContext...
22059
Please Enter Username: yantra.bank1
22058
Please Enter Password: bank1
22058
Please Enter Verify Password: bank1
Core Exception....
CoreExceptionFaultMessage
ExtendedInstantAccountVerificationInfo is null, try later
Can you please provide me the API which is being used for IAV and also the SOAP URL which you are using?
My suggestion is to use below API for doing IAV
"ExtendedInstantVerificationDataService.addItemAndStartVerificationDataRequest(UserContext userContext, long contentServiceId, ArrayOfFieldInfo credentialFields, java.lang.String routingNumber, java.lang.String accountNumber) "
Regards
Shreyans