I am implementing react based app and need to implement a configuration setting, that users can change themselves (say, color theme).
I know how to add custom attribute to user profile and how to get user info through #okta/okta-react getUser method. But I could not find saveUser or similar.
From API docs I see /api/v1/users/me endpoint but it does not accept neither access token (says wrong token), nor id token (says invalid character in token).
So how do I let users who login into my application using Okta change their profile values for customization?
Is it possible at all or should I implement a table in my database to keep users' configuration? This would be the most unfortunate, for I chose Okta to minimize user maintenance.
I'm positive that this API call would require sending Okta session cookie, so make sure you include it in your request
Related
I work for a large company (50K+). Some orgs within the company use OKTA for auth on their servers.
I have a valid user login (via OKTA) for the servers, and can log in through a browser without any issues, but want to access this site programatically.
How can I log into these websites using my OKTA credentials?
I've found this doc: https://developer.okta.com/docs/reference/api/oidc/#authorize
that details how to use an OKTA endpoint, but it requires some info that I do not have. Namely, nonce, state, and client_id. I have no clue how to get this info.
I've found another endpoint that allows a similar login method, but only requires username and password (I forget the doc that referenced this):
https://<company>.okta.com/api/v1/authn
I am able to successfully authenticate with OKTA using this endpoint, and receive a session_token. Can I take this session_token and apply it to my arbitrary webpage somehow? I can not find any documentation that says so.
At first glance it appears that many of the API endpoints for OKTA require intimate knowledge of the hosted application (and/or are not meant to be accessed programmatically).
Is it possible to log into an arbitrary webpage that uses OKTA for authentication, with only knowledge that an end user would have (username/password/optional MFA)?
Hi not sure you found the answer yet. from your descriptions i think yours is web app, which is supposed to use authentication code flow. else, you can ask your web developers what authentication flow they use and follow the auth process accordingly.
you need to retrieve id token & access token for authentication.
I want to implement Apple's touchId/FaceId for my app.
Currently the app has Login screen, where the user enters the userId and password. I submit the userId and password to the back end server(located at let's say https://example.com/Login?username=abc&password=xyz#123(just an example)). The backend server returns me authentication cookies. This cookies I use to access the rest of the rest api services
I am reading a number of articles which tells about how you can use Apple's touch Id with https://developer.apple.com/documentation/localauthentication framework.
It displays the generic pop up asking the use the touch Id, and returns true if the touch Id authentication is successful.
My question comes up here. If I use the touch Id and the authentication is successful. How do I proceed? Basically, I would need the authentication cookies to access the rest apis.
One flow I am assuming is.
When the user enables the touchId/faceId in settings page of my app, I store the usercredentials in the keychain.
Once the user is logged out, and the user uses touch Id and authentication is successful, I access the keychain, retrieve the password for the user, call the api https://example.com/Login?username=abc&password=xyz#123 get the authentication cookies and use them for accessing the rest of the web apis.
Is my assumption correct? Or there is a better way of implementing it?
Any examples or references would be great.
Thanks.
I'm developing a mobile app which will allow users to browse without signing up. I would like to have all my endpoints secured via token.
How would we go about allowing anonymous browsing? i.e. provide a token to anonymous users.
Not sure to understand your case, why do you need a token if your users aren't registered and your API opens to everyone?
The authentication system of Strapi has been built to only send token to registered users. However, the easiest way to make it work for you is to register every visitor coming in your app based on their IP or something unique as a username and set the same password for each one of them. Then, every time the user comes back, you can call the /auth/local URL to sign-in the user and get the token or use the token stored in the local storage.
I am making an api that accepts social logins from a few services, namely Google.
So far, the mobile app allows the user to log in to google with the OAuth2 flow, and obtains a JWT token. The first time I was able to get the profile info from the token (first name, family name, profile pic, etc...). Now, I doesn't contain all of the fields I need.
I remember reading somewhere that google will only send all the fields from time to time...
Since I'm in testing, I tend to wipe the user database often and would like to be able to count on the google JWT to re-create the account.
I'd rather use the token than hitting the userInfo API. Especially since the JWT is technically secure.
So, is there any sure way to get all of the user profile info in the id_token from the google API?
Check the 'scopes' that you define when logging in with Google. Each scope has a type of data that it returns back to the user. Be sure that you're using scope: 'profile'" when initializing the Google login. If additional scopes are necessary, use add them to the request as shown in the link below.
https://developers.google.com/identity/sign-in/web/incremental-auth
I was using an older endpoint, changed to https://accounts.google.com/o/oauth2/v2/auth and everything is ok!
We are using Spring MVC with Spring Security.
These are the requirements for our login system:
The site should be useable for anonymous users including the settings of preferences (for example turning a filter on a page on or off).
These preferences should be remembered if an anonymous user returns on the next day (in a new session).
At any time an anonymous user can choose to register a profile (user/password combination) and all preferences set by the previously anonymous user should be stored in the new profile.
Alternatively an anonymous user can choose to sign in with an already registered profile and they should be presented with the option to store the preferences they set anonymously into their profile.
Registered users can login to the page and their login should be remembered.
I am able to persist signed in users across sessions by using Spring Security Remember Me, and I am able to persist a anonymous user across session by setting a cookie by hand.
What would be a more elegant solution for this scenario (preferably using Spring Security)? Is is possible to use the Spring Security Remember Me feature for anonymous user?
It doesn't really make sense to think about using remember-me authentication for anonymous users. Remember-me requires that the user actually exists and by definition, it authenticates them as an individual. It sounds like you just want to create a cookie containing the user's settings, which isn't really related to security. You should just do that yourself in your app. That seems like the most obvious solution to me.
Once a user has registered, then you can use remember-me with their account, but how you code the logic for creating a new user profile is up to you and using the settings from the current cookie would be part of that process.