Just want to ask how we can create a user using Asgardeo User Management API without providing a password?
Basically we want to replicate this flow but instead of manually doing it on the console, we want to do it from the User Management API.
enter image description here
Here are some of the Endpoints that we tested
POST
https://api.asgardeo.io/t/asgardeo/scim2
/Users
POST
https://api.asgardeo.io/t/asgardeo/scim2
/Bulk
The password field seems to be a required field.
Setting the urn:scim:wso2:schema with "askPassword":"true" should allow you to create the users without providing the password.
Sample Payload of the scim https://api.asgardeo.io/t/tenantName/scim2/Users:
{
"emails":
[
{
"primary":true,
"value":"<User Email>"
}
],
"name":
{
"familyName":"",
"givenName":""
},
"urn:scim:wso2:schema":
{
"askPassword":"true"
},
"userName":
"DEFAULT/<User Email>"
}
The will receive the invite request similar to the UI function.
Same approach can be taken with the Bulk endpoint too as mentioned this medium blog
Related
Is it possible to update the value of custom attribute via Keycloak REST API?
For example, which endpoint to use and how to construct a request body for the attribute that was created here.
Thanks!
You have to use Keycloak Admin REST API :
PUT {host}/{basepath}/admin/realms/{realm}/users/{id}
e.g.
http://localhost:8080/auth/admin/realms/alumni-realm/users/cd57cfd8-cb1c-4025-abfd-67fe6b784d22
Request Body (JSON) :
{
"attributes": {
"DOB": "1984-07-01"
}
}
Authorization (Bearer Token) :
Use Admin user access_token for authorization.
If you want to allow User to update their own profile then you have to grant manage-users role in Keycloak. (That user will be able to update other users info hence it is not recommended)
You can use the API for user update with sending only the attribute to be changed:
PUT ../realms/{realm}/users/{userID}
Body:
{
"attributes": {
"myAttribute": [
"NewValue"
]
}
}
It Cause "ID" change when you update user custom attribute via Keycloak REST API PUT ../realms/{realm}/users/{userID}
and you need to GET /{realm}/users two times to get new value in the response
I have integrated google assistant with my dialogflow agent. I need to get the user who is invoking the intent.
For eg, If an user account "ABC" have access to invoke my agent via Google assistant app, on the welcome intent I have to send a response like "Welcome ABC". How do I achieve this with google assistant app is my endpoint.
Thanks in Advance.
You have two questions here: How to get the user's name and how to get their id.
The first thing to realize is that this information is considered personally identifiable information (PII), so Google doesn't give it to you without the permission of the user. How you ask for that permission, and how it is delivered to you, depends on some of your exact needs.
User ID
Historically, you could get an anonymous user ID for the Assistant account. This would be different than the Google User ID that is available below and was meant to be a persistent identifier so you could keep track of returning users.
This has been deprecated, and if this is all you need, then you can create your own identifier and save it as part of the userStorage.
Requesting user information
The traditional way of getting their name is to request the user for permission to access their information. If you're using the actions-on-google library, you do this using the Permission object with something like this:
const options = {
// We just want permission to get their name
permissions: ['NAME'],
// Prompt them why we want the information
context: 'To address you by name'
};
conv.ask(new Permission(options));
If the user grants permission, the results will be available in conv.user.name. You should save this in the userStorage, since the permission is not persistent. So this might look something like:
var userStorageStr = conv.user.userStorage || '{}';
var userStorage = JSON.parse( userStorageStr );
var name = conv.user.name || userStorage.name;
userStorage.name = name;
// ...
conv.user.userStorage = JSON.stringify( userStorage );
With the multivocal library, you would indicate that the User/Name environment property is one of the Requirements for the action or intent you want. So this might be in your configuration as
Local: {
en: {
Requirements: {
"Action.multivocal.welcome": "User/Name"
}
}
}
The name will be available in the environment under User/Name.
If you're using JSON, then you need to use the user information helper. For Dialogflow, this would be under the payload.google.systemIntent property, while for the Actions SDK this would be in expectedInputs[0].possibleIntents[0]. You might specify something like this:
{
"intent": "actions.intent.PERMISSION",
"inputValueData": {
"#type": "type.googleapis.com/google.actions.v2.PermissionValueSpec",
"optContext": "To address you by name",
"permissions": [
"NAME"
]
}
}
The name will be under the originalDetectIntentRequest.payload.user.profile field if you are using Dialogflow and user.profile for the Action SDK.
All of this seems like a lot, just to get a name. And you can't get the email address if you want that in addition. But there are other options.
Requesting their Google Profile
Their Google Profile contains both their unique Google ID, their full name (in the "name" field, given_name, last_name, and typically some other information such as their email address (the email address isn't guaranteed since they can omit this from their profile, but is typically there). You would use Google Sign-In for the Assistant to request this information. There is some configuration required in the Action console, and then you would request permission to get it using the sign-in helper.
With the actions-on-google library, the line would be something like:
conv.ask(new SignIn());
Once the user granted it, you can get their profile in
conv.user.profile.payload
their name in
conv.user.profile.payload.name
and their email in, you guessed it,
conv.user.profile.payload.email
Note that unlike asking for the user information, the profile will be available in all future activity with you. You don't need to store it.
With multivocal, you would say that the User/IsAuthenticated environment setting is one of the Requirements for the action or intent you want. So this might be in your configuration as
Local: {
en: {
Requirements: {
"Action.multivocal.welcome": "User/IsAuthenticated"
}
}
}
The profile will be available in the environment under User/Profile, the name would be in User/Profile/name, and the email in User/Profile/email.
If you're using JSON, then you need to use the sign-in helper. For Dialogflow, this would be under the payload.google.systemIntent property, while for the Actions SDK this would be in expectedInputs[0].possibleIntents[0]. You might specify something like this:
{
"intent": "actions.intent.SIGN_IN",
"inputValueData": {}
}
You will get an identity token for the user in the originalDetectIntentRequest.payload.user.idToken field if you are using Dialogflow and user.idToken for the Action SDK. You will need to validate and decode this JWT. (The actions-on-google and multivocal libraries handle this step for you.)
The easiest would be to use Google Sign-In for the Assistant: https://developers.google.com/actions/identity/google-sign-in
I am trying to create an ad using the Facebook Marketing API. In order to create an ad inside a conversion based campaign, I am required to set proper tracking_specs values.
Querying existing ads (on other similar campaigns) I see the tracking spec is generally defined as follows:
"tracking_specs": [
{
"action.type": ["offsite_conversion"],
"fb_pixel": [<pixel ID>]
},
{
"action.type": ["post_engagement"],
"page": [<page ID>],
"post": [<post ID>]
},
{
"action.type": ["link_click"],
"post": [<post ID>],
"post.wall": [<post.wall ID>]
}
]
How do I find the required tracking_specs values? More specifically, how do I find the post ID and the post.wall ID accordingly for post_engagement and link_click action types?
I managed to figure it out on my own. When creating a new ad, in a conversion typed campaign, an ad data object that includes tracking specs should be provided. These tracking specs should include some reference to a Facebook pixel.
"tracking_specs": [
{
"action.type": ["offsite_conversion"],
"fb_pixel": [<pixel ID>]
},
]
The pixels data can be obtained manually via the Facebook Business Manager or via the Facebook Marketing APIs:
GET /v2.10/{ad-account-id}/adspixels HTTP/1.1
Host: graph.facebook.com
Read more in https://developers.facebook.com/docs/marketing-api/reference/ad-account/adspixels/
Regarding the post and post.wall IDs - these are automatically added by Facebook when the ad is created. So there is no need to include theses when creating the ad.
For anyone searching for an answer in 2023. asaf's answer is totally correct BUT you also need to wait until Meta Business Manager processes your campaign in order to see tracking_specs into the API and in the Business Manager itself.
I'm looking for a way to determine who uploaded a file to a Cloud Storage bucket. All of the users with access to write to the bucket are authenticated users in the same G Suite domain.
The object ACL in Cloud Storage shows an owner identifier string which looks like the following:
{
"entity": "user-84fac329bceSAMPLE777d5d22b8SAMPLE77d85ac2SAMPLE2dfcf7c4adf34da46",
"entityId": "84fac329bceSAMPLE777d5d22b8SAMPLE77d85ac2SAMPLE2dfcf7c4adf34da46",
"role": "OWNER"
}
However, it does not appear that there is an easy way to map this ID back to a user's email address (or to determine the Cloud Storage ID for a user whose email I know, except by using that user account to upload a file and querying the object ACL).
Is this true? Or am I just not seeing the way to do this?
Thank you for the help!
Although I can't give you an specific timeline, we're actively working on deprecating canonical ids. This should no longer be a problem in the near future.
In the meanwhile, there are.. options.
First: A user can find their canonical ID on this page (Unfortunately it is going to make you pick a project, since the page also shows the canonical ids for the project roles).
https://console.cloud.google.com/storage/settings
However, if you really need to find out the email address for a random canonical id you should be able to do this somewhat ugly workaround.
1) Add the user to a bucket policy via the ACL API
gsutil acl ch -u <canonical_id>:READ gs://<bucket>
2) Fetch the bucket IAM policy
gsutil iam get gs://<bucket>
The entry should show up as an email address.
{
"bindings": [
{
"members": [
"projectOwner:<project-id>",
"projectEditor:<project-id>",
],
"role": "roles/storage.legacyBucketOwner"
},
{
"members": [
"projectViewer:<project-id>",
"user:<user email here>"
],
"role": "roles/storage.legacyBucketReader"
}
],
"etag": "CAI="
}
Try getting the ACLs again. I just tried today 07/05/2017 and the returned ACLs included email address. It would appear Google has updated the API, replacing the old Google Cloud Storage ID with the user's email address.
{
"email": "email#domain.com",
"entity": "user-email#domain.com",
"role": "OWNER"
}
I am using Selenium to test a Facebook auth app. Currently I am using a script in the test suite to create Facebook test users by posting to the test user api found here:
https://developers.facebook.com/docs/test_users/
https://graph.facebook.com/APP_ID/accounts/test-users?
installed=true
&name=FULL_NAME
&locale=en_US
&permissions=read_stream
&method=post
&access_token=APP_ACCESS_TOKEN
This gives me back a response of:
{
"id": "1234...",
"access_token":"1234567..." ,
"login_url":"https://www.facebook.com/platform/test_account..."
"email": "example...#tfbnw.net",
"password": "1234..."
}
This gives me the username and password of the test. However If I want to reuse the user in a later test I don't know how to get this info. I might be over looking something. If I do a GET request to get a list of registered test users the response looks like this:
{
"data" [
{
"id": "1231....",
"access_token":"1223134..." ,
"login_url":"https://www.facebook.com/platform/test_account.."
}
{
"id": "1231....",
"access_token":"1223134..." ,
"login_url":"https://www.facebook.com/platform/test_account.."
}
]
}
This response dosen't give me any emails/passwords which I'd need to login the test users in a full test. I'd rather not log them in by using the access_token and login_url because this isn't true to the Facebook auth flow on the site.
See https://developers.facebook.com/docs/test_users/#changepw
Facebook does not store cleartext passwords and will only return the password on user creation per the documentation. You can change the user's password to anything at any time without knowing their password so you could set all your test users to have whatever password you want after creation and just rely on that when running your tests.