I am using Okta C# sdk. when I use Okta userclient.forgotpassword then it sending reset password mail to user but as a response it returns null.
Can anyone help how will I sure that it has sent reset email to user?
Dinesh,
This is the expected behavior: when you specify sendEmail=true with the Okta API, the response is empty if the email was sent (otherwise, you get an exception).
If you specify sendEmail=false, then the response provides the unique password reset url.
There can be a multitude of reasons why your users do not receive the password reset email that are beyond Okta's control, but if you get a null response, you should expect the email has indeed been successfully sent by Okta.
I hope this helps.
Related
I have stuck in here and couldn't find a solid solution.
I use PHP in server-side and Vanilla JS in the client side.
In server-side, I'm generating a auth token (https://www.pubnub.com/docs/general/basics/manage-access) for current logged in user's channel to make him able to read his channel messsages by the following code:
I'm also generating a new one when the key timeout so all OK with the generation.
But my problem is starts here:
I'm passing the key into the client like this:
And user is getting access to the channel. But the thing is, I'm passing this auth key to the client-side. Which is someone that get this user's auth token; can setup their own client and can read messages that sent to this user.
How can I deal with that?
And another one:
I'm publishing to a channel in PHP like this. But I'm able do to that without setting auth token. I'm sure auth token system is working because when I pass wrong auth key to the client it's giving 403 forbidden. But however, I'm able to publish to channel without auth key in here. Is this because it's server-side?
Thanks!
Googled everything...
someone that get this user's auth token; can setup their own client and can read messages that sent to this user
This authorization strategy is the same as JWT. How will someone get this auth token? If you are using a secure connection to your server (TSL, aka https), and your PHP server is secured, then that is all you can do. This is the internet :)
Now how secure is the end user's machine? Are they susceptible to phishing or other schemes that might allow a hacker to gain access to their machine? Humans are the easiest thing to hack and you can't really do anything to secure them ;)
So as far as PubNub is concerned with security, you are doing exactly what very large companies have been doing for over 10 years with PubNub. The question is how secure is your server that a hacker can't get access to your code and data and get your PubNub secret key. In my 9+ years at PubNub, I've never known this to happen.
granting permissions on your channel
You are granting too many permissions but it doesn't have any negative side effects.
read - subscribe (receive messages), fetch (messages from history), and some presence stuff (get/set state, here now)
write - publish (send messages)
get and set - this is for PubNub Objects only which is different than pub/sub.
Again, no harm comes from granting permissions that have no effect on the resources you are granting to but it adds to the size of the auth token (just a little bit in this case).
able do to that without setting auth token
When you do setToken you are setting that on the pubnub object that you use to invoke PubNub operations. The PubNUb SDK automatically adds the auth token as a query parameter in the request. So it is being passed automatically for you.
Open your browser console, select the Network tab, and look at any PubNub request/url. You will see the query parameter names auth and the value is your auth token.
PubNub Secret Key give you all access
The secret key gives your server the ability to grant permissions (generate an auth token) AND it gives your server all access to all things in your PubNub key set. Don't let that secret key get compromised.
I started a project using the Google API signin mixed with an angularJS+Firebase app.
What I would like to do is to be able to send an e-mail from one person to another programmatically.
Example: John is logged in, clicks on a button which sends an email to Rachel. But that email is sent using the stored token from Ted, not John's account.
It seems possible using the php library which is not an option here.
So far, I get the token easily using these few lines:
var GoogleAuth = gapi.auth2.getAuthInstance();
GoogleAuth.grantOfflineAccess({
scope: 'https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/drive https://mail.google.com/ profile email'
}).then(function(resp) {
console.log(resp);
this.storeToken(resp.code);
});
Is it actually possible ?
A quick search just got me results for php or about how you get a token with the JS library... not how to use it !
From my understanding you want to use a refresh token ( offline access ) to send an email from Ted's account via Javascript.
Sadly this is not possible client side. What your code gives you is a 'code' that you can send to your server using a $http.post () and trade with Google server side for a refresh token.
Here is a guide for how to change that code into a refresh token.
While you can do this client side it would involve exposing your client secret which you should never do.(https://developers.google.com/identity/sign-in/web/server-side-flow)
Every time John wants to send an email from Ted's account your application will have to send a request to your server that:
Sends a request to google with the refresh token and generates an access token (https://developers.google.com/identity/protocols/OAuth2WebServer#offline)
Sends a seccond request to google using the access token to send the email from Ted's account
I hope that this helped.
I am using MobileServiceClient for authentication, my provider is Microsoft and Google. After success login in response I am getting auth Token and Sid. But I want more detail. I am using this service for Xamarin forms. Is there any way to get more detail of login user like email, username, verified_email, family_name etc?
Yes. Send a request to the /.auth/me endpoint with the X-ZUMO-AUTH header set to the ZUMO token. You will get back a JSON blob that contains all the claims plus the identity provider token. You can use these to get the information you need if it is available.
I am using the OneLogin SAML Test Connector as a simulated IDP with the ruby-saml gem and the supplied sample program. That's working fine.
In my real-world app, we are the SP and there are multiple identity providers, each of which will have multiple users who need to SSO to our app.
I have observed that in the sample app, my AuthnRequest does not define the user's nameID (email address) anywhere, but instead it is appended to the IDP URL in the form of a numeric id. e.g. https://app.onelogin.com/saml/metadata/5551212 where app.onelogin.com identifies the IDP and 5551212 identifies the "user". I realize that when onelogin is the IDP the "user" is actually an app id, but in our case we want it to identify an actual user, not an app.
Is it correct that the AuthnRequest does not contain a nameID element?
Should I identify the user in the IDP's URL using a numeric ID? The numeric id would have to be shared offline between the parties, and would have to be transmitted in the initiating URL. I like this approach because it doesn't expose any identifying information in the URL, e.g. an email address.
Should I identify the user by Base64-encoding the email address and appending that to the URL? This is less secure, but it might be ok since the transmission will always be encrypted with SSL. And it avoids the offline handshake and sharing a numeric ID.
AuthnRequest does not define the user's nameID (email address)
anywhere, but instead it is appended to the IDP URL in the form of a
numeric id.
This is not true, that numeric id identify internally the IdP, not the user.
Yes, check the SAML standard, saml:Subject is optional. And SAML2int profile says that AuthNRequest message MUST NOT contain a saml:Subject.
No
No
You don't need to pass user information to the IdP, you should simply send an AuthNRequest to the SSO endpoint and a form to place a username/password gonna be showed to the user (if already exists an active session this authentication is not required. Then a SAMLResponse will be send back to the SP's Assertion Consumer Service endpoint.
Correct. Check out https://www.samltool.com/base64.php to help with looking at Response attributes.
I am writing a code in salesforce to update Email signature using the API documentation mentioned in https://developers.google.com/admin-sdk/email-settings/. I am using a 3 legged approach.
Considering that this is an API for domain admins, My questions is
can a user ( non - admin) provide authorization for this API ?.
And can the access token returned as a result of this authorization be used to update his email signature. ?
Right now I am getting an Error 403- "you are not authorized to access this API
Note that this is working fine if a domain admin provide authorization and his access token is used to update his/ any user's email signature
Thanks for your help
With the new updates on the GMAIL Api you can get the user signature by using the method "Users.settings.sendAs: get" explained here https://developers.google.com/gmail/api/v1/reference/users/settings/sendAs/get and it does not require the user to be an admin. This method returns a Users.settings.sendAs resource in the response body and this resource contains the property signature which you can manipulate.
Hope it helps!