I am not sure how to input the code and location input the code for gsuite. So it is set up as default for each employee
Related
I am migrating my asp net core MVC web app hosted in Azure App service with Azure AD IAM from v1 to v2. When a user logs in I create/update a local user account in my database which contains the user email. The problem I have is the email claim which is now an optional claim in v2 is null so my I cannot insert a new user record in my local database.
I have been through the MS documentation and configured my optional claims in app registration manifest etc but it does not work. I have tried all 3 claim variations (email, verified_primary_email, verified_secondary_email) but nothing comes through. However the optional claims for given_name and family_name are working as expected so the configuration must be right. How can I get email to work?
Below is my configuration and result.
App Registration Manifest
App Registration Permissions
User Profile Setup (email configuration for directly assigned member)
Returned Claims
Startup Config (adding email scope)
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options => Configuration.Bind("AzureAd", options));
services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
options.Authority += "/v2.0/";
options.Scope.Add("email");
options.TokenValidationParameters.ValidateIssuer = true;
// Set the nameClaimType to be preferred_username.
// This change is needed because certain token claims from Azure AD v1.0 endpoint
// (on which the original .NET core template is based) are different in Microsoft identity platform endpoint.
// For more details see [ID Tokens](https://learn.microsoft.com/azure/active-directory/develop/id-tokens)
// and [Access Tokens](https://learn.microsoft.com/azure/active-directory/develop/access-tokens)
options.TokenValidationParameters.NameClaimType = "preferred_username";
}
Signin Request (including email scope)
https://login.microsoftonline.com/28f6d551-***-7f402200e732/oauth2/v2.0/authorize
?client_id=08fde457-***-7b0eebc5e4e2
&redirect_uri=https%3A%2F%2Flocalhost%3A44308%2Fsignin-oidc
&response_type=id_token
&scope=openid%20profile%20email
&response_mode=form_post
&nonce=637023698441049167.ZWZlMGQ1MzctZDVmMi00OGZlLTg5YzYtMjczOWIxNzlhYjI0MzdiNGI2YzMtZTFjYi00MDMxLWFkODItNmExNDlmZTQ2MWE1&state=CfDJ8Em5zZW9XwdJkjHAUddTGuvClgDAA0NFafwsZBlTbau2qhMPcRBM36vSSzFEw7GME28L57BSQyGo8WNNzd61_bciTunD0R15oC__96_tXlWaPmk3jZkOpA2VUoiwG9XrZjfDOTQIWAzS2IuqUu5gXWU8dgK7YEfyAuRwVmCQlWqlt94HPUwMSsSJpMsdlB6HD3Tb0DaPCspo2BiYga-5LWDQ5FBnFCpxPAdLNa6LTHHNtKjUbG7YNX4oEKUBhWtxQ0Kh1CakChUFCpmMzAmBgyN5Hh_-nk3BrO3V6PrgbvDsGO6QNip5hCwiDd92gexrLYwS_UeKruPKCQMZBWZ9LnSRaNnTDN1483Abk75JiH19XPJwexmQ5aMa1KZwcde4axF-tb2cmnwWY8O4NGhRiQDSISZJAuXmHWBtAeNhnLHN659vbeiW8mo5aWD65NcfhLtio2odxvLFh3JZGoRwHCtKzu9fq8v4w7IN2f1bNb8zPdo7Lw_GREiYKs1twibIh305tja30MMRS3oAE1hKQE20A4wtmxVACuPZ201SRkFg8OHl-Iz6e4Pa41P4gT-F2jpzL1zqklDw0tzaYq68uVlqmeCY5T9vo2qkfvRuIdpyyTGu8pdi-Z6sVvIpIxPllQ
&x-client-SKU=ID_NETSTANDARD2_0
&x-client-ver=5.3.0.0
Returned Token (email claim still missing)
UPDATE 2019-08-26
I suspect the issue is with the user account instead. As a directory administrator I create the user accounts within AAD and enter the Email and Alternate Email values. However when I log in to AAD as the end user and view my profile I can see that Email field is blank and only Alternate Email field is populated as shown below. I'm not sure why the user profile is not picking up the set email address but it's a problem and I now have to find a way of getting the Alternate Email into the ID Token instead. How can this be done?
Email Addresses in AAD
Email Addresses in User Profile
Just some findings and suggestions, might not be a exact answer.
Based on the documentation(optional claims) from Microsoft:
A. The claim's name is email.
B. As you were migrating from V1 to V2, I just tested the V2 (For convenience, I tested with a REST API tool). By adding the openid and email scopes, I can get the email claim in id token.
C. Analyze the id token in jwt.io, I can get the email claim:
I did not modify the manifest, just added openid and email scopes. You can have a try.
I have cognito set up to allow both email addresses and phone numbers. Here is the the scenerio.
Sign up User A with email test#test.com and auto verify the email using CognitoIdentityServiceProvider#signup with username : test#test.com and UserAttributes for the email address.
Update the users account with a phone number 123-456-7899 and auto verify the phone number
Attempt to login with 123-456-7899
Instead of logging in user A which currently has a verified phone number of 123-456-7899 it creates user B
Is there any way to let users have unique phone numbers and emails and be able to login in with both? Or does the signup always go based on the initial username?
It looks like your user pool is configured with UsernameAttributes and you chose both email and phone_number to act as the username. I agree that the behaviour is quite strange and you can end up with two different users, both having exactly the same email and phone number, both attributes verified.
Have you tried configuring the user pool with UsernameAliases? It allows you to specify 3 attributes (email, phone_number, preferred_username) that will act as username aliases and the users will be able to log in with any of them (assuming that they're verified). The caveat is that they won't be able to authenticate with the email address immediately after signing up as it needs to be verified first.
you need to choose this option while setting up cognito user pools
Users can use a username and optionally multiple alternatives to sign up and sign in. Here you can allow users to sign in by email and sign in with a phone number.
Please note email & phone number both should be verified.
Here how you can login with both email/username:
Cognito With Lambda Function:
Make sure you enable both username and email options when creating a users pool:
if you want to log in with email, verify the user email with pre-signup lambda functions, or through the email verification code sent to them, and then verify their email address with lambda functions.
Verify email address through pre-signup lambda trigger :
exports.handler = (event, context, callback) => {
event.response.autoConfirmUser = true;
event.response.autoVerifyEmail = true;
context.done(null, event);
};
in your pre-signup lambda trigger.
if the email is not verified and you are trying to log in with the email you will get the error.
Email should be verified like in the image below:
We are running a Spring based project with Cognito as the identification service.
We have a project requirement to customise the verification email and invitation email for users in a Cognito user pool. (See here for the AWS doc)
Default verification message:
Your verification code is {####}.
Default invitation message:
Your username is {username} and temporary password is {####}.
We would like to include the email, phone_number and name user attributes into these emails. Is it possible to do this? I have searched the docs with no avail - and is really in need of some advice.
Update: I think the correct way to do this is to use Custom Message Cognito Lambda trigger (need to implement a function). Then you can have access to all the userAttributes.
Docs: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-message.html
Some users of our application are admins. We want give them a capability to create new users. We think about the following flow:
Admin goes to "Users" page and clicks a "create a new user" button and fill new user's name and email address.
That new user retrieves an email with acknowledge that a user was created in our application.
The user clicks a link from email body and proceeds to "Set password" page and specify his password.
Is it possible to achieve such flow with angular + express? Is there any other possible flows which can be achieved?
You can create an invite-based flow, but you'll have to do some custom work with our libraries.
You'll need to work with the Stormpath Client and Stormpath Application directly, these are provided by the Stormpath Node SDK. Inside of your Express middleware, retrieve the client with:
var stormpathClient = req.app.get('stormpathClient')
and the application with:
var stormpathApplication = req.app.get('stormpathApplication`)
On the application, use stormpathApplication.createAccount() to create the user. When you pass the new account data, set the password to something that is very long, random, and un-guessable. If your Stormpath directory has email verification enabled, the user will get an invite email. That email should link them into your Angular application, to a custom view which will read the email verification token from the URL and post it to a custom middleware on your server. This middleware will need to use stormpathClient.verifyAccountEmail() to verify the token.
Then you can collect a new password for the user, and save it by setting req.user.password='new password', then calling req.user.save().
Hope this helps! I work at Stormpath and I am a maintainer of these libraries :)
I am working on a Laravel 4.2 project.
I already have implemented an email activation module for new user registration. Whenever a new user registers, I provide an activation link to him in an email and clicking on link, I compare the token (a random string with 30 characters) I have provided with link and user's email address with database records. If found to be matching, I just set is_active field of users table to true and redirect him to login page with a Congratulations message for successful activation.
But now, I DON'T want him to redirect to login page, but if successful activation, I want him logged in directly to his account.
But I believe that authenticate an user with just a string token and email address is not a secure way.
There must be something that I can trust on. Many sites do this including stackoverflow itself but I am not sure how?
Can you please guide me how to do this?