Is Attestation Verifiable Credentials Type repo demo available in c#? - azure-ad-verifiable-credentials

I have tested successfully idtokenhint demo and I am trying unsuccessfully attestation verifiable credentials type, similar to the Woodgrove Employee Onboarding Demo, is this code available in C#?
In my case I need the Authenticator to request the VerifiedCredentialExpert VC first but I don't see how to trigger this on Authenticator, I tried this on issuance_request_config.json file, I also tried adding requestedCredentials to type VerifiedCredentialExpert as you see below to suggest to Authenticator to get this first, but didn't change the error behaviour:
{
  "includeQRCode": false,
  "callback": {
    //In this sample code we will overwrite the callback and use the HOSTNAME dynamically
    //make sure you use ngrok or something like that when running on a local devbox.
    //The MS AAD VC Request service needs to be able to reach the callback URI
    "url": "https://YOURPUBLICREACHABLEHOSTNAME/api/issuer/issuanceCallback",
    "state": "STATEWILLBESETINCODE",
    "headers": {
      "api-key": "OPTIONAL API-KEY for ISSUANCE CALLBACK API"
    }
  },
  //The Authority is the DID from your MS AAD Verifiable Credential service, you can copy this from the VC page in azure portal
  "authority": "did:ion: THIS IS YOUR DID FROM THE VC PAGE IN AZURE PORTAL WHICH IS SET IN THE SAMPLE BY COPYING THE VALUE FROM APPSETTINGS.JSON ",
  "registration": {
    "clientName": "Verifiable Test Register Verifiable Credential"
  },
  //The type needs to be the same as defined in the rules json definition. The manifest can be copied after the credential has been
  //created in the azure portal
  "type": "VerifiedTestRegistration",
  "manifest": "CREDENTIAL URL IN THIS SAMPLE WILL BE COPIED FROM APPSETTINGS.JSON",
  //Recommendation is to protect issuance payload with a PIN code.
  //The pincode is set to a random value in code and will be displayed in the UI to the user
  "pin": {
    "value": "123456",
    "length": 4
  },
  //This is an example payload which will be used in the rules file of the credential.
  //The rules files maps information from the ID Token (hint) to the VC
  "claims": {
    "country_of_registry": "",
    "registration_number": ""
  },
  //You can request multiple verifiable credentials at once, that's why requestedCredentials is an array
  "requestedCredentials": [
    {
      "type": "VerifiedCredentialExpert",
      "purpose": "Required presentation of verifiable credentials expert to get Test Registration card.",
      //You can trust multiple issuers who might be issuing the same credential type (for example certifications or diplomas)
      //You need to specify at least 1 trusted issuer DID, for this sample code we copy the IssuerAuthority from appsettings to the request
      //"acceptedIssuers": [ "did:ion: copied from your VC portal in this sample the code copies it from APPSETTINGS.JSON" ]
      "acceptedIssuers": [ "theaccepetedidissuer" ]
    }
  ]
}
These are the display and rules:
Display definition
{
  "locale": "en-US",
  "card": {
    "title": "Test Verified Credential",
    "issuedBy": "TheIssuer",
    "backgroundColor": "#000000",
    "textColor": "#ffffff",
    "logo": {
      "uri": "https://example.com/image.png",
      "description": "Test Verified Credential"
    },
    "description": "Use this card to verify."
  },
  "consent": {
    "title": "Do you want to get your Test Verified Credential?",
    "instructions": "Sign in with your Verified Credential Expert Card to get your card."
  },
  "claims": [
    {
      "claim": "$.vc.country_of_registry",
      "label": "Country of Registry",
      "type": "String"
    },
    {
      "claim": "$.vc.registration_number",
      "label": "Registration Number",
      "type": "String"
    }
  ]
}
Rules definition:
{
  "attestations": {
    "presentations": [
      {
        "mapping": [
          {
            "outputClaim": "firstName",
            "required": true,
            "inputClaim": "$.vc.credentialSubject.given_name",
            "indexed": false
          },
          {
            "outputClaim": "lastName",
            "required": true,
            "inputClaim": "$.vc.credentialSubject.family_name",
            "indexed": false
          }
        ],
        "required": true,
        "credentialType": "VerifiedCredentialExpert",
        "contracts": [
          "https://verifiedid.did.msidentity.com/v1.0/tenants/id/verifiableCredentials/contracts/abcd/manifest"
        ],
        "trustedIssuers": [
          "did:ion:thedid"
        ]
      }
    ],
    "idTokenHints": [
      {
        "mapping": [
          {
            "outputClaim": "countryOfRegistry",
            "required": true,
            "inputClaim": "$.country_of_registry",
            "indexed": false
          },
          {
            "outputClaim": "registrationNumber",
            "required": true,
            "inputClaim": "$.registration_number",
            "indexed": true
          }
        ],
        "required": true
      }
    ]
  },
  "validityInterval": 2592000,
  "vc": {
    "type": [
      "VerifiedTestRegistration"
    ]
  }
}
I am testing on an iPhone 12 Pro with the latest iOS version installed.
Question as posted in this git project but unfortunately got no help.
Thank you for your help, Sergio

Related

Problem in assigning roles to user while creating it with Post HTTP request

I can successfully create user by calling the following path in Postman software:
http://{KEYCLOAK_IP}/auth/admin/realms/{REALM_NAME}/users
The body content that I send is like following:
{
  "enabled": true,
  "username": "Reza",
  "email": "reza#sampleMailServer1.com",
  "firstName": "Reza",
  "lastName": "Azad",
  "credentials": [
    {
      "type": "password",
      "value": "123",
      "temporary": false
    }
  ]
}
Now, let’s assume that we have a client, which is named browserApp, and this client has a role, which is named borwserAppRoleUser. Also, the realm has a role, which is named realmRoleUser.
In order to include the above-mentioned roles in the body content of the HTTP request I tried the following structure:
{
  "enabled": true,
  "username": "Reza",
  "email": "reza#sampleMailServer1.com",
  "firstName": "Reza",
  "lastName": "Azad",
  "credentials": [
    {
      "type": "password",
      "value": "123",
      "temporary": false
    }
  ],
  "role": [
    {
      "id": "borwserAppRoleUser",
      "name": "test",
      "description": "${role_create-client}",
      "composite": false,
      "clientRole": true,
      "containerId": "browserApp"
    },
    {
      "id": "realmRoleUser",
      "composite": false,
      "clientRole": false
    }
  ]
}
Sending the above body content results in a 400 bad request response. The error contains this message:
Unrecognized field "role" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable
Also, I am sure that the rest of the role object is not correct.
I searched for examples online, but I could not find any sample regarding the role assignment. Can anybody please help me to fix this problem?
The REST API does not support realm and client roles in a single JSON payload.
It is only supported by adding a realm with JSON import.
The simple JSON format is like this, but it needs extra data.
This is a working example of realm import JSON data:
{
  "id": "test",
  "realm": "test",
  "users": [
    {
      "enabled": true,
      "username": "Reza",
      "email": "reza#sampleMailServer1.com",
      "firstName": "Reza",
      "lastName": "Azad",
      "credentials": [
        {
          "type": "password",
          "value": "123",
          "temporary": false
        }
      ],
      "realmRoles": [
        "user"
      ],
      "clientRoles": {
        "borwserAppRoleUser": [
          "test"
        ]
      }
    }
  ],
  "scopeMappings": [
    {
      "client": "borwserAppRoleUser",
      "roles": [
        "test"
      ]
    }
  ],
  "client": {
    "borwserAppRoleUser": [
      {
        "name": "test",
        "description": "${role_create-client}"
      }
    ]
  },
  "roles": {
    "realm": [
      {
        "name": "user",
        "description": "Have User privileges"
      }
    ]
  }
}
If you want to assign a user's realm role and client role, use separate API calls.
#1 Assign user's realm role
POST {KEYCLOAK-IP}/auth/admin/realms/{REALM-NAME}/users/{USER-UUID}/role-mappings/realm
In the body of the POST:
[
  {
    "id": {REALM ROLE UUID},
    "name": {ROLE NAME},
    "composite": false,
    "clientRole": false,
    "containerId": {REALM NAME}
  }
]
1.1 Get master token - here
1.2 Get user UUID
1.3 Get realm role UUID and name
1.4 POST realm role into user
#2 Assign user's client role
POST {KEYCLOAK-IP}/auth/admin/realms/{REALM-NAME}/users/{USER-UUID}/role-mappings/clients/{CLIENT-UUID}
In the body of the POST:
[
  {
    "id": {CLIENT ROLE ID},
    "name": {ROLE NAME},
    "description": "${role_create-client}",
    "composite": false,
    "clientRole": true,
    "containerId": {CLIENT-UUID}
  }
]
2.1 Get master token
2.2 Get user UUID - same as 1.2
2.3 Get client UUID
2.4 Get client role UUID and name
2.5 POST client role into user
Finally, confirm both assigned roles with this API:
GET {KEYCLOAK-IP}/auth/admin/realms/{REALM-NAME}/users/{USER-UUID}/role-mappings
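The lookup-then-assign sequence from the answer above, as an added Python example that is not part of the original answer. `assign_roles`, the `http` callable, `fake_keycloak` and the `kc.example` host are hypothetical names, and the responses are constructed so it runs offline; it keeps only an exact username match and posts the role representations returned by the server rather than hand-written ones.

```python
from urllib.parse import quote

def assign_roles(http, base, realm, username, realm_role, client_id, client_role):
    """http(method, url, body=None) is a hypothetical caller-supplied function
    that sends the request with the admin token and returns the parsed JSON."""
    admin = f"{base}/auth/admin/realms/{quote(realm)}"
    # User UUID: the username search matches substrings, keep exact hits only
    hits = [u for u in http("GET", f"{admin}/users?username={quote(username)}")
            if u["username"].lower() == username.lower()]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} users match {username!r}")
    user = hits[0]["id"]
    # Client UUID: a different value from the human-readable clientId
    clients = http("GET", f"{admin}/clients?clientId={quote(client_id)}")
    if len(clients) != 1:
        raise LookupError(f"client {client_id!r} not found")
    client = clients[0]["id"]
    # Fetch both role representations instead of writing them by hand
    r_role = http("GET", f"{admin}/roles/{quote(realm_role)}")
    c_role = http("GET", f"{admin}/clients/{client}/roles/{quote(client_role)}")
    # One POST per role container; each body is a JSON array of roles
    http("POST", f"{admin}/users/{user}/role-mappings/realm", [r_role])
    http("POST", f"{admin}/users/{user}/role-mappings/clients/{client}", [c_role])
    return http("GET", f"{admin}/users/{user}/role-mappings")

def fake_keycloak():
    """Constructed in-memory stand-in; its role-mappings GET just echoes the POSTs."""
    root = "http://kc.example/auth/admin/realms/demo"
    gets = {
        f"{root}/users?username=reza": [{"id": "u-1", "username": "reza"},
                                        {"id": "u-2", "username": "reza2"}],
        f"{root}/clients?clientId=browserApp": [{"id": "c-1"}],
        f"{root}/roles/realmRoleUser":
            {"id": "r-1", "name": "realmRoleUser", "clientRole": False},
        f"{root}/clients/c-1/roles/borwserAppRoleUser":
            {"id": "r-2", "name": "borwserAppRoleUser", "clientRole": True},
    }
    posted = {}
    def http(method, url, body=None):
        if method == "POST":
            posted[url] = body
            return None
        return posted if url.endswith("/role-mappings") else gets[url]
    return http, posted

if __name__ == "__main__":
    print(assign_roles(fake_keycloak()[0], "http://kc.example", "demo", "reza",
                       "realmRoleUser", "browserApp", "borwserAppRoleUser"))
```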

No token in request - Account Linking with new Actions SDK

I am building an action with the new Actions Builder and everything is going pretty smoothly. I just set up account linking and can successfully link my account; however, once I do link my account there is no token included in the subsequent requests for me to use, even though the account linking status is in the request as "LINKED". Can anyone shed any light on why I am not seeing a token?
For reference, here is a version of one of my requests.
{
  "requestJson": {
    "handler": {
      "name": "main"
    },
    "intent": {
      "name": "actions.intent.MAIN",
      "params": {},
      "query": "Talk to my new app"
    },
    "scene": {
      "name": "actions.scene.START_CONVERSATION",
      "slotFillingStatus": "UNSPECIFIED",
      "slots": {},
      "next": {
        "name": "ListPrompt"
      }
    },
    "session": {
      "id": "ABwppHE7M6NS8KdyjljEptrtZZ5GkE3qDdaiwjYbL9ehrA-t_c-ZsCrZ_WhN0ZTG5lXXXXXXhU6Im5vgeSwow",
      "params": {},
      "typeOverrides": [],
      "languageCode": ""
    },
    "user": {
      "locale": "en-US",
      "params": {},
      "accountLinkingStatus": "LINKED",
      "verificationStatus": "VERIFIED",
      "packageEntitlements": [],
      "lastSeenTime": "2020-07-13T12:02:42Z"
    },
    "home": {
      "params": {}
    },
    "device": {
      "capabilities": [
        "SPEECH",
        "RICH_RESPONSE",
        "LONG_FORM_AUDIO"
      ]
    }
  }
}
The Google docs for the Account Linking with the new Actions Builder have now been updated with additional information. The token is now provided within the headers of the incoming request. Details of how to find and decode this can be found at https://developers.google.com/assistant/identity/google-sign-in#handle_data_access_requests

I cannot get attribute when I create future user with management API in IBM Cloud

I'm using App ID and I follow this tuts https://cloud.ibm.com/docs/services/appid?topic=appid-tutorial-roles for my personal project.
I tried to call API {{APPID_MANAGEMENT_SERVER_HOST}}/management/v4/{{APPID_TENANT_ID}}/users with body:
{
  "idp": "cloud_directory",
  "idp-identity": "huynhdn#gmail.com",
  "profile": {
    "attributes": {
      "role": "MANAGER"
    }
  }
}
I get Future User in User Profiles! => OK
Next, I call {{APPID_MANAGEMENT_SERVER_HOST}}/management/v4/{{APPID_TENANT_ID}}/cloud_directory/Users to set password for this user.
{
  "displayName": "Test User",
  "password": "abcd1234",
  "emails": [
    {
      "value": "huynhdn#gmail.com",
      "primary": true
    }
  ]
}
Finally, I call {{APPID_AUTH_SERVER_HOST}}/oauth/v4/{{APPID_TENANT_ID}}/token to get token with user created above! But when I check in App ID, attribute "role" is gone :(
WHY? or Anyone can help me another way to create user has "username", "password", "attribute" with API management!
The doc page you're referencing above states that in order to get a future user attribute the user must validate ownership over email. You can either do it through standard means, or by manually specifying status:confirmed when creating your Cloud Dir user, e.g.
{
  "displayName": "John Smith",
  "password": "p4ssw0rd",
  "emails": [
    {
      "value": "john#example.com",
      "primary": true
    }
  ],
  "status": "CONFIRMED"
}

Google Home dialogFlow V2 API mediaResponse not working

I decided to upgrade my Google Assistant action to use "dialogFlow V2 API" and my webhook returns an object like this
{
  "fulfillmentText": "Testing",
  "fulfillmentMessages": [
    {
      "text": {
        "text": [
          "fulfillmentMessages text attribute"
        ]
      }
    }
  ],
  "payload": {
    "google": {
      "richResponse": {
        "items": [
          {
            "mediaResponse": {
              "mediaType": "AUDIO",
              "mediaObjects": [
                {
                  "name": "mediaResponse name",
                  "description": "mediaResponse description",
                  "largeImage": {
                    "url": "https://.../640x480.jpg"
                  },
                  "contentUrl": "https://.../20183832714.mp3"
                }
              ]
            },
            "simpleResponse": {
              "textToSpeech": "simpleResponse: testing",
              "ssml": "simpleResponse: ssml",
              "displayText": "simpleResponse displayText"
            }
          }
        ]
      }
    }
  },
  "source": "webhook-play-sample"
}
But I get an error message saying my action is not available. Is mediaResponse supported by V2? Should I format my object differently? Also, when I remove the "mediaResponse" object it works just fine and the assistant will speak the simpleResponse part.
This action was re-created in mid-March 2018, and I read about the May deadline, which is why I decided to upgrade to V2. Do you think I should go back to V1? I know I will have to delete it and re-create it, but that is fine. This is a link to the JSON object I see in the debug tab. Thanks once again
I set "API V2" in my action dialogFlow console, this is a screenshot of that setting
Here is a screenshot of my action's integration -> Google Assistant
Thanks Allen, Yes I do have "expectUserResponse": false, I added the suggestion object you recommended but, unfortunately nothing changed, I am still getting this error
Simulator debug tag details
First of all - this is not a problem with Dialogflow V2. You also seem to be confusing the sunset of Actions on Google V1 with the release of Dialogflow V2 - they are two different creatures completely. If your project was using AoG V1, there would be a setting on the Actions integration screen, and there isn't.
It is fine if you want to move to Dialogflow V2, but it isn't required. Media definitely works under Dialogflow V2.
The array of items must include a simpleResponse item first, before any of the other items in the RichResponse. (You also shouldn't include both ssml and textToSpeech - just one of them.) You also don't need the fulfillmentText and fulfillmentMessages components, since those are provided by the richResponse.
You also need to include suggestion chips unless you have set expectUserResponse to false. Somewhere in the simulator debug is probably a block that says
{
  "name": "MalformedResponse",
  "debugInfo": "expected_inputs[0].input_prompt.rich_initial_prompt: Suggestions must be provided if media_response is used..",
  "subDebugEntryList": []
}
So something more like this should work:
{
  "payload": {
    "google": {
      "richResponse": {
        "items": [
          {
            "simpleResponse": {
              "textToSpeech": "simpleResponse: testing",
              "displayText": "simpleResponse displayText"
            }
          },
          {
            "mediaResponse": {
              "mediaType": "AUDIO",
              "mediaObjects": [
                {
                  "name": "mediaResponse name",
                  "description": "mediaResponse description",
                  "largeImage": {
                    "url": "https://.../640x480.jpg"
                  },
                  "contentUrl": "https://.../20183832714.mp3"
                }
              ]
            }
          }
        ],
        "suggestions": [
          {
            "title": "This"
          },
          {
            "title": "That"
          }
        ]
      }
    }
  },
  "source": "webhook-play-sample"
}

JasperReports Server 6.2 - Error 400:bad request - User creation with roles REST v2

I am not sure what is going wrong with the create user api with roles.
Observations:
When fired without the roles it works fine, the payload is given below
{
  "fullName": "unittestuser",
  "emailAddress": null,
  "enabled": true,
  "password": "39HN=K?E",
  "roles": null
}
When the same endpoint is invoked with the addition of roles, it fails with HTTP error code 400 (bad request):
{
  "fullName": "unittestuser",
  "emailAddress": null,
  "enabled": true,
  "password": "39HN=K?E",
  "roles": [
    { "name": "unittest" },
    { "name": "UsernamePasswordAuthentication" },
    { "name": "Platform_NamedUser" },
    { "name": "Platform_Anyone" },
    { "name": "Platform_Metadata_MetadataInitializeUser" }
  ]
}
The roles part works when the default roles shipped with JasperReports Server installation are sent.
{
  "fullName": "unittestuser3",
  "emailAddress": null,
  "externallyDefined": false,
  "enabled": true,
  "password": "39HN=K?E",
  "roles": [
    { "name": "ROLE_USER" },
    { "name": "ROLE_ADMINISTRATOR" }
  ]
}
I have checked that the new roles which I have created are present on the JR Server before the create user is hit, so I am not sure what is going wrong with the newly created roles. I am using REST API v2 for role creation as well as user creation.
I have also tried creating the user first with empty roles and then adding roles; the update call still fails with the same error.
Let me know if anyone has a clue.
Fixed... the new 6.0 onwards requires tenantId to be passed with the name of the role.
So instead of:
{ "name": "unittest" }
I passed: { "name": "unittest", "tenantId": "myorg" }