We are running a Spring based project with Cognito as the identification service.
We have a project requirement to customise the verification email and invitation email for users in a Cognito user pool. (See here for the AWS doc)
Default verification message:
Your verification code is {####}.
Default invitation message:
Your username is {username} and temporary password is {####}.
We would like to include the email, phone_number and name user attributes into these emails. Is it possible to do this? I have searched the docs with no avail - and is really in need of some advice.
Update: I think the correct way to do this is to use Custom Message Cognito Lambda trigger (need to implement a function). Then you can have access to all the userAttributes.
Docs: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-message.html
Related
I have been trying to create an authentication in Laravel that is based on simple verification via an external services API key. The external API will provide me details like the username associated with the account a user should only have to supply an API key to login. No password, email, or username required.
Looking at Laravel's documentation it seems like using something like they demonstrate in the "Manually Authenticating Users" section may be most applicable. My problem is that this still appears to be based on a email + password credential model.
What is the proper way to modify/extend the frameworks authentication system to use an API key. If I use this manual authentication model I would be able to connect to the API and verify the user but I don't know the best way to modify it to accept an API key and username as the "credentials" for a new account (username would be coming from the API response data).
I am migrating my asp net core MVC web app hosted in Azure App service with Azure AD IAM from v1 to v2. When a user logs in I create/update a local user account in my database which contains the user email. The problem I have is the email claim which is now an optional claim in v2 is null so my I cannot insert a new user record in my local database.
I have been through the MS documentation and configured my optional claims in app registration manifest etc but it does not work. I have tried all 3 claim variations (email, verified_primary_email, verified_secondary_email) but nothing comes through. However the optional claims for given_name and family_name are working as expected so the configuration must be right. How can I get email to work?
Below is my configuration and result.
App Registration Manifest
App Registration Permissions
User Profile Setup (email configuration for directly assigned member)
Returned Claims
Startup Config (adding email scope)
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options => Configuration.Bind("AzureAd", options));
services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
options.Authority += "/v2.0/";
options.Scope.Add("email");
options.TokenValidationParameters.ValidateIssuer = true;
// Set the nameClaimType to be preferred_username.
// This change is needed because certain token claims from Azure AD v1.0 endpoint
// (on which the original .NET core template is based) are different in Microsoft identity platform endpoint.
// For more details see [ID Tokens](https://learn.microsoft.com/azure/active-directory/develop/id-tokens)
// and [Access Tokens](https://learn.microsoft.com/azure/active-directory/develop/access-tokens)
options.TokenValidationParameters.NameClaimType = "preferred_username";
}
Signin Request (including email scope)
https://login.microsoftonline.com/28f6d551-***-7f402200e732/oauth2/v2.0/authorize
?client_id=08fde457-***-7b0eebc5e4e2
&redirect_uri=https%3A%2F%2Flocalhost%3A44308%2Fsignin-oidc
&response_type=id_token
&scope=openid%20profile%20email
&response_mode=form_post
&nonce=637023698441049167.ZWZlMGQ1MzctZDVmMi00OGZlLTg5YzYtMjczOWIxNzlhYjI0MzdiNGI2YzMtZTFjYi00MDMxLWFkODItNmExNDlmZTQ2MWE1&state=CfDJ8Em5zZW9XwdJkjHAUddTGuvClgDAA0NFafwsZBlTbau2qhMPcRBM36vSSzFEw7GME28L57BSQyGo8WNNzd61_bciTunD0R15oC__96_tXlWaPmk3jZkOpA2VUoiwG9XrZjfDOTQIWAzS2IuqUu5gXWU8dgK7YEfyAuRwVmCQlWqlt94HPUwMSsSJpMsdlB6HD3Tb0DaPCspo2BiYga-5LWDQ5FBnFCpxPAdLNa6LTHHNtKjUbG7YNX4oEKUBhWtxQ0Kh1CakChUFCpmMzAmBgyN5Hh_-nk3BrO3V6PrgbvDsGO6QNip5hCwiDd92gexrLYwS_UeKruPKCQMZBWZ9LnSRaNnTDN1483Abk75JiH19XPJwexmQ5aMa1KZwcde4axF-tb2cmnwWY8O4NGhRiQDSISZJAuXmHWBtAeNhnLHN659vbeiW8mo5aWD65NcfhLtio2odxvLFh3JZGoRwHCtKzu9fq8v4w7IN2f1bNb8zPdo7Lw_GREiYKs1twibIh305tja30MMRS3oAE1hKQE20A4wtmxVACuPZ201SRkFg8OHl-Iz6e4Pa41P4gT-F2jpzL1zqklDw0tzaYq68uVlqmeCY5T9vo2qkfvRuIdpyyTGu8pdi-Z6sVvIpIxPllQ
&x-client-SKU=ID_NETSTANDARD2_0
&x-client-ver=5.3.0.0
Returned Token (email claim still missing)
UPDATE 2019-08-26
I suspect the issue is with the user account instead. As a directory administrator I create the user accounts within AAD and enter the Email and Alternate Email values. However when I log in to AAD as the end user and view my profile I can see that Email field is blank and only Alternate Email field is populated as shown below. I'm not sure why the user profile is not picking up the set email address but it's a problem and I now have to find a way of getting the Alternate Email into the ID Token instead. How can this be done?
Email Addresses in AAD
Email Addresses in User Profile
Just some findings and suggestions, might not be a exact answer.
Based on the documentation(optional claims) from Microsoft:
A. The claim's name is email.
B. As you were migrating from V1 to V2, I just tested the V2 (For convenience, I tested with a REST API tool). By adding the openid and email scopes, I can get the email claim in id token.
C. Analyze the id token in jwt.io, I can get the email claim:
I did not modify the manifest, just added openid and email scopes. You can have a try.
Is there a way to suggest the signup email in a custom policy. I have users that need to signup only from invitational emails.
I saw in the docs (https://learn.microsoft.com/bs-latn-ba/azure/active-directory-b2c/direct-signin) that there is a way to suggest the login email in a custom policy Sign In by passing it as login_hint parameter in the request and adding DefaultValue="{OIDC:LoginHint} in the XML definition for "SelfAsserted-LocalAccountSignin-Email" TechnicalProfile. This works for Sign in but fails when I try to use the same trick in the "LocalAccountSignUpWithLogonEmail"
As #chris-padgett mentioned, you can create an invitation link.
The WingTip Games Application uses client_assertion to pass JSON to the User Journey but this approach has been deprecated: see B2C Documentation.
The recommended way is to pass JSON to the user journey, using id_token_hint.
You can find more information in this GitHub repo: SignUp with email invitation.
The application generates a sign-in invitation link(with a id_token_hint).
User clicks on the link, that takes the user to Azure AD B2C policy.
Azure AD B2C validates the input id_token_hint, asks the user to provide the password and user data (the email is read only).
User clicks continue, Azure AD B2C creates the account, issues an access token, and redirect the user back to the application.
For a code example for invitations, see the Wingtip Games application, which generates an invitation link that contains:
The e-mail address of the invited user
An invitation expiration, and
A HMAC-based signature
When the invitation link is opened, this application validates the HMAC-based signature and the invitation expiration and, if they are valid, then it redirects the invited user to an invitation policy.
This policy redirection contains a signed JWT with the email address of the invited user so that they must register with this email address.
Some users of my application do not have an email. I want them to register under a tenant. I couldn't find a way to make email field as non-mandatory while registration. The basic requirement of a stormpath account is an email and password.
Stormpath currently always requires a user's email AND password to create an account. In the future, we plan to remove this limitation.
For now, the only way to get around this is to fill in a dummy email address. Sorry!
Some users of our application are admins. We want give them a capability to create new users. We think about the following flow:
Admin goes to "Users" page and clicks a "create a new user" button and fill new user's name and email address.
That new user retrieves an email with acknowledge that a user was created in our application.
The user clicks a link from email body and proceeds to "Set password" page and specify his password.
Is it possible to achieve such flow with angular + express? Is there any other possible flows which can be achieved?
You can create an invite-based flow, but you'll have to do some custom work with our libraries.
You'll need to work with the Stormpath Client and Stormpath Application directly, these are provided by the Stormpath Node SDK. Inside of your Express middleware, retrieve the client with:
var stormpathClient = req.app.get('stormpathClient')
and the application with:
var stormpathApplication = req.app.get('stormpathApplication`)
On the application, use stormpathApplication.createAccount() to create the user. When you pass the new account data, set the password to something that is very long, random, and un-guessable. If your Stormpath directory has email verification enabled, the user will get an invite email. That email should link them into your Angular application, to a custom view which will read the email verification token from the URL and post it to a custom middleware on your server. This middleware will need to use stormpathClient.verifyAccountEmail() to verify the token.
Then you can collect a new password for the user, and save it by setting req.user.password='new password', then calling req.user.save().
Hope this helps! I work at Stormpath and I am a maintainer of these libraries :)