Yammer Impersonation As A Valid Admin - yammer

I registered an app as a valid admin in my network.
I got my token.
When I request the list of tokens for impersonation I receive only my token and not all the tokens (of users in my network).
This is the request I'm making:
string.Format("https://www.yammer.com/api/v1/oauth/tokens.json?consumer_key={0}&user_id={1}", CONSUMER_KEY, UserId)
Where {0} = My Application Client Id,
Where {1} = My UserId (The verified admin user id).
What could I be doing wrong?
Thanks guys.

I found the answer.
My error was I was registered under
"xxx.com"
and when I requested the token I was under the domain of:
"yyy.com"
so the token I received was not the right token.
Another mistake I made was trying to impersonate verified admins - a verified admin can't impersonate another verified admin.
Solution:
Register a new app with a user that is registered on the right domain.
Get the token with the user that is registered on the right domain.
Get IDs of users that are not verified admins.
Thanks for all your help.
Hope this info contributes to someone.

You can pass the sender_id from the post object as user_id:
// Builds the tokens.json lookup URL for a single user.
var config = require('../config');
module.exports = function (sender_id, tk) {
    // sender_id: the user whose token is requested (from the post object); tk: the admin's access token
    var params = '?' + 'user_id=' + sender_id +
        '&consumer_key=' + config.YAMMER_CONSUMER_KEY +
        '&access_token=' + tk;
    var url = 'https://www.yammer.com/api/v1/oauth/tokens.json' + params;
    return url;
};

Related

"name claim is missing" with AspNetZero and Okta

I'm trying to use Okta SSO to authenticate my users in an AspNetZero app.
When I click on OpenID at the bottom of the login page, I'm redirected to the Okta login and then back to my app's login page; finally "openIdConnectLoginCallback" calls "ExternalAuthenticate" on the TokenAuthController, and the call to _externalAuthManager.GetUserInfo throws the exception "name claim is missing".
In "login.service.ts", the claims array contains a "name" claim and ExternalAuthenticateModel.ProviderAccessCode contains a valid JSON token; I checked and "name" is in the token.
let claims = this.oauthService.getIdentityClaims();
const model = new ExternalAuthenticateModel();
model.authProvider = ExternalLoginProvider.OPENID;
model.providerAccessCode = this.oauthService.getIdToken();
model.providerKey = claims['sub'];
model.singleSignIn = UrlHelper.getSingleSignIn();
model.returnUrl = UrlHelper.getReturnUrl();
Here is my appsettings.json
Here is my app configuration in Okta
Any ideas how to fix that missing "name" claim?

Keycloak - require email verification before creating the user

We are evaluating Keycloak to replace ForgeRock for user registration.
Our current workflow provides a registration screen. On submitting the registration form, an email is sent to the user to verify their email and activate their account. The link in the email confirms the user registration before creating the user in ForgeRock.
My questions:
Is there a way to create the user after the email verification as a confirmation?
I have this implementation, but sendVerifyEmail is just for checking the email, and basically the user can log in even if he/she didn't check the email:
import java.util.Collections;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

// Admin client, authenticated with the admin user through the admin-cli client
Keycloak keycloak = KeycloakBuilder
    .builder()
    .serverUrl(KEYCLOAK_URL)
    .realm(KEYCLOAK_REALM)
    .username(KEYCLOAK_USER)
    .password(KEYCLOAK_PASSWORD)
    .clientId(KEYCLOAK_ADMIN_CLI)
    .build();

// Password credential built from the registration form
CredentialRepresentation credential = createPasswordCredentials(userRegistrationRequest.getPassword());
UserRepresentation user = new UserRepresentation();
user.setEmail(userRegistrationRequest.getEmail());
user.setCredentials(Collections.singletonList(credential));
user.setEnabled(true); // enabled right away, so login works before the email is verified

// Get realm
RealmResource realmResource = keycloak.realm(KEYCLOAK_REALM);
UsersResource usersResource = realmResource.users();

// Create user (requires manage-users role)
Response response = usersResource.create(user);
String userId = CreatedResponseUtil.getCreatedId(response);
System.out.println("Response: " + response.getStatusInfo());
System.out.println(userId);

// Only sends the verification mail; on its own it does not block login
UserResource u = realmResource.users().get(userId);
u.sendVerifyEmail();
This is late, but you can set the user representation's emailVerified to false when creating the user, so they won't be able to access it until they verify the email.

Laravel csrf_token routing

I have some trouble with csrf_token() in Laravel. I create a URL with the token to send to the user, and if they click this unique link the post will set the token to NULL.
Here is my sample code:
// get token from database
$getDataUserToken = $subject->lists('token');
// send the token to the user by email (unique token)
@foreach ($token as $toke){{ URL::to('/extend/verify', array($toke)) }}@endforeach
This code will generate: www.example.com/extend/verify/1234123TOKENHERE2313213123
Now I want, if the user clicks on this link, that the token is set to null.
I tried this:
Route::get('/extend/verify/{$toke}', 'SubjectController@confirm');
But when I do this I get an error that says: throw new NotFoundHttpException;
So the URL is not found, and I don't know how to get that URL token and send it to my controller to do some stuff with it.
Laravel route parameters do not use "$".
This is the correct use:
Route::get('/extend/verify/{toke}', 'SubjectController@confirm');

How to invalidate OAuth token when password is changed?

We use ASP.NET Identity in a Web API project with SimpleAuthorizationServerProvider; we use OAuth tokens to authorize each request coming from the client. (Tokens have an expiry timespan; we don't use refresh tokens.)
When users change their password, I would like to invalidate the tokens they may have, possibly on other devices. Is there any way to explicitly do that? I experimented and saw that the existing tokens work without any problem after a password change, which should be prevented.
I thought about putting the password hash, or part of the hash in the OAuth token as a claim, and validating that in the OnAuthorization method of our derived AuthorizeAttribute filter.
Would this be a correct way to solve the problem?
I've based my approach on Taiseer's suggestion. The gist of the solution is the following. Every time a user changes their password (and when they register), a new GUID is generated and saved in the database in the User table. I call this GUID the password stamp, and store it in a property called LatestPasswordStamp.
This stamp has to be sent down to the client as part of the token as a claim. This can be achieved with the following code in the GrantResourceOwnerCredentials method of the OAuthAuthorizationServerProvider implementation.
identity.AddClaim( new Claim( "PasswordTokenClaim", user.LatestPasswordStamp.ToString() ) );
This stamp is sent from the client to the server in every request, and it is verified that the stamp has not been changed in the database. If it has, it means that the user changed their password, possibly from another device. The verification is done in our custom authorization filter like this:
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;

public class AuthorizeAndCheckStampAttribute : AuthorizeAttribute
{
    public override void OnAuthorization( HttpActionContext actionContext )
    {
        var claimsIdentity = actionContext.RequestContext.Principal.Identity as ClaimsIdentity;
        if( claimsIdentity == null )
        {
            // No claims identity at all: reject and stop here instead of dereferencing null below.
            this.HandleUnauthorizedRequest( actionContext );
            return;
        }

        // Check if the password has been changed. If it was, this token should not be accepted any more.
        // We generate a GUID stamp upon registration and every password change, and put it in every token issued.
        var passwordTokenClaim = claimsIdentity.Claims.FirstOrDefault( c => c.Type == "PasswordTokenClaim" );
        if( passwordTokenClaim == null )
        {
            // There was no stamp in the token.
            this.HandleUnauthorizedRequest( actionContext );
            return;
        }

        MyContext ctx = (MyContext)System.Web.Mvc.DependencyResolver.Current.GetService( typeof( MyContext ) );
        var userName = claimsIdentity.Claims.First( c => c.Type == ClaimTypes.Name ).Value;
        var currentStamp = ctx.Users.First( u => u.UserName == userName ).LatestPasswordStamp.ToString();
        if( currentStamp != passwordTokenClaim.Value )
        {
            // The stamp has been changed in the DB: the password was changed after this token was issued.
            this.HandleUnauthorizedRequest( actionContext );
            return;
        }

        base.OnAuthorization( actionContext );
    }
}
This way the client gets an authorization error if it tries to authorize itself with a token which was issued before the password has been changed.
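The password-stamp mechanism from the answer above, as an added, runnable example that is not the poster's code: an in-memory dict stands in for the User table and an HMAC-signed token stands in for the OAuth bearer token, so the rotation-on-password-change behaviour can be exercised end to end offline. Names such as SERVER_KEY, register and authorize are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

SERVER_KEY = b"constructed-demo-signing-key"  # constructed stand-in for the server's token-signing secret

# In-memory stand-in for the User table: user name -> row holding LatestPasswordStamp.
USERS = {}

def register(user_name, password_hash):
    # A fresh stamp is created at registration, exactly as the answer describes.
    USERS[user_name] = {"PasswordHash": password_hash, "LatestPasswordStamp": str(uuid.uuid4())}

def change_password(user_name, new_password_hash):
    # Rotating the stamp is the whole mechanism: every token carrying the old stamp becomes invalid.
    USERS[user_name]["PasswordHash"] = new_password_hash
    USERS[user_name]["LatestPasswordStamp"] = str(uuid.uuid4())

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(user_name, ttl_seconds=3600):
    # Counterpart of GrantResourceOwnerCredentials: PasswordTokenClaim is embedded in the signed token.
    claims = {"name": user_name, "exp": int(time.time()) + ttl_seconds,
              "PasswordTokenClaim": USERS[user_name]["LatestPasswordStamp"]}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def authorize(token):
    """Counterpart of AuthorizeAndCheckStampAttribute: returns the user name, or None to reject."""
    body, sep, sig = token.partition(".")
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not sep or not hmac.compare_digest(sig, expected):
        return None  # forged or corrupted token; the client cannot alter the stamp claim
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] < time.time():
        return None  # expired
    row = USERS.get(claims["name"])
    # The per-request DB hit: the stamp inside the token must still equal the stored one.
    if row is None or not hmac.compare_digest(claims.get("PasswordTokenClaim", ""), row["LatestPasswordStamp"]):
        return None  # password changed (or user removed) since this token was issued
    return claims["name"]
```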
I do not recommend putting the hash of the password as a claim, and I believe there is no direct way to invalidate a token when the password is changed.
But if you are OK with hitting the DB with each request sent from the client app to a protected API endpoint, then you need to store a token identifier (a GUID maybe) for each token granted to the resource owner who requested it. Then you assign the token identifier as a custom claim for this token; after this you need to check this table with each request by looking for the token identifier and the user name of the resource owner.
Once the password is changed you delete this token identifier record for this resource owner (user), and the next time the token is sent from the client it will get rejected because the record for this token identifier and resource owner has been deleted.

Error while calling google+ method plusService.People.Get

The Google+ API is set to "On" in Google's developer console. I am fetching the profile information of the user by supplying the API key, but I get an error saying:
Access Not Configured. Please use Google Developers Console to activate the API for your project. [403]
BaseClientService.Initializer ini = new BaseClientService.Initializer { ApiKey = "" };
PlusService plusService = new PlusService(ini);
if (plusService != null)
{
    PeopleResource.GetRequest prgr = plusService.People.Get("me");
    Person googleUser = prgr.Execute();
}
The error is thrown when Execute is called.
Does this service need to be set up with a "billed" profile? This may be the reason I am getting the access error.
The "me" argument only works when you have an authenticated user's OAuth 2.0 access token. Simple API access with a key only allows access to public data - try putting in a numeric user ID instead of "me" and you should get a response.