Currently, our TestCo Okta is able to pass ‘testrole’ with one of a few different values, e.g. ‘admin’ or ‘user.’ If a user has multiple ‘testrole’ attributes (based on group membership) then Okta has a precedence order that determines which one ‘testrole’ value it will return.
We need to be able to handle passing a list of roles from IdP to Cognito to our API. For example, a string of ‘admin, user, readonly, section-admin’.
You can add a "groups" or "roles" claim that contains all the groups information. To do this, log in to your Okta developer account, then navigate to API > Authorization Servers, and click on the default server. Click the Claims tab and Add Claim. Name it groups (or roles), and include it in the ID Token. Set the value type to Groups and set the filter to be a Regex of .*. Click Create.
Related
In my application the users are split in 2 macro categories: Customer and Backoffice, every category has a subset of role, for example MANAGER and USER for Customer type and different ones for the Backoffice type.
So a user could be a Customer with a MANAGER role or a Backoffice with, for example, a SALES role.
Every Spring + Cognito guide on web uses cognito:groups to map the Spring ROLE, but for my case I would need to nest groups which is not possible on Cognito.
I've been thinking to use 2 custom attributes ( writable only by the admin) to set the category and role of the user respectively.
My question is, is there any disadvantage to using attributes instead of the groups?
One major concern is, those custom attributes won't be available as claims in the access token. But groups are available. So If you plan to use acces_token you may have to consider that.
There are some other minor considerations that I can think of, which may or may not be related your implementation:
Maximum number of custom attributes per user pool is 50.
Once created, you can not edit the name, min/max length and mutable property of the custom attribute. Also we can not delete that.
Even though nested groups are not supported in Cognito, is it not an option to create groups like: category_role? example: Customer_ MANAGER?
Can I register same user (login/e-mail) in more than on tenant, so an UserId can belong to multiple Tenants?
I ask that because instead of input Tenant on login, How hard is to achieve this approach below?
When user logs in, if they belong to multiple tenants, boilerplate will identify this and show the user a select dropdown to choose which tenant they want to manage.
I feel this approach is more professional than input a tenant string value on login page.
it's not possible in aspnetboilerplate structure. a user must belong to only a single tenant.
Out of the box Laravel authorizes users by matching email (default - can be overridden) and password.
Is it possible to authorize user using 3 fields, e.g:
email
password
group
... where 'group' is some additional field from 'users' database.
In other words, user can belong to group:1 and can login to group:1 resources only, but not to group:2 using his group:1 credentials.
If user belongs to group:1 and group:2, then he needs different credentials to login to either group.
Additionally, user can use same email for both groups. In such case it is group number that would act as additional identifier. And of course passwords would be different.
I am thinking setting a database multiple column index on fields 'id' and 'group' would be a good start, but I fail to grasp (yet), what would be required to make Laravel authorization process sensitive to 3 fields, instead of 2.
I would appreciate some pointers.
This sounds like you're trying to achieve a form of tenancy on data belonging to certain groups only. Have a look at this package:
https://github.com/HipsterJazzbo/Landlord
In essence, you would add a group_id field to the tables where you wish to restrict access and then using middleware, apply an additional where('group_id', Auth::user()->group_id) clause to any database queries. This works very well for retrieving subsets of data belonging to specific users by their role, for example.
I would like to get the list of groups that every user in the yammer instance belongs to. Currently it looks like the user object from both the data export API and the REST API do not contain a section with which groups each user belongs to. I know that there is a way to see what groups I belong to in the REST API, but that does not seem to give the groups for every user in the yammer instance.
Does anybody know if there is a way to get the list of all groups that each and every user in the yammer instance belongs to using either of the APIs?
Thanks!
A fairly easy way to do this would be to get the list of groups:
https://www.yammer.com/api/v1/groups.json
And then iterate over the group IDs returned to get the list of members of each group:
https://www.yammer.com/api/v1/groups/{group id}/members.json
Bear in mind, unless you have proper access you may not be able to see into private groups to get the list of members.
I found that if you have the full list of group IDs (either from the data export api or the rest api), you can use those group IDs to individually query, and page through the following endpoint on the REST API.
https://www.yammer.com/api/v1/users/in_group/[group_id].json?page=[page_number]
I am working on an ASP.NET MVC 3 application where users can be assigned different roles for different asset types. They are able to view assets that belong to different groups (asset type), one at a time.
Depending on the asset type of the asset that is being viewed, I would like to update the Principal's roles array to only have the roles that the user has been assigned for that asset type.
I am thinking I would do an authorization filter that takes care of looking up the roles the user has been assigned to based on the asset being viewed and loading them into the roles array. This way, the roles array will always reflect the permissions they have for the asset being viewed.
Then from the view, I can hide/show different parts of the page depending if they are in a specific group (User.isInRole)
Would this be the right approach to switching roles for the user depending on the asset type?
If these roles need to be applied across a request, and you can get the items identifier from header, query string, cookie, or session, i would suggest possibly adding an httpmodule that would bind to the AuthorizeRequest event. In that point you will want to provide your IPrinciple object with its custom implementation
the IsInRoles based on your rules.
Would this work, I'm mainly just guessing about your setup and on an ipad.