I'm using Auth0 as an idP, my Service Provider requires that i add a custom attribute in the assertion.
I've tried doing this on the Dashboard. Dashboard > Applications > Applications -> AddOns. Following this article. https://auth0.com/docs/authenticate/protocols/saml/saml-configuration/customize-saml-assertions
I've added my_custom_attr in the mapping object, screenshot below.
However when i 'Debug', my custom attribute isn't showing in the assertion xml and my Service Provider isn't receiving the custom attribute. They're only receiving the default attributes. email, nickname etc
When using Auth0 as a SAML identity provider, you can customize the outgoing claims using mapping. Consider you have the user profile that looks like this:
RAW JSON
{
"user_id": "auth0|qwer-1234-zxcv-0987",
"email": "john.doe#example.com"
"picture": "https://placeholder.img/user",
"name": "John Doe"
}
If you need the picture attribute to be in the outgoing claims, you would do a mapping like this:
"mappings": {
"picture": "http://schemas.auth0.com/picture"
}
Note that the each property name on the left side represents a property in the Auth0 profile. Each "value" on the right side is the name for the resulting SAML attribute in the assertion.
If you don't have a my_custom_attr property in the user profile, this mapping won't work. The workaround is to use an Auth0 Rule to add that value during the user log in time. You can read more about it here.
Here's an example.
function customizeMappings(user, context, callback) {
// we are altering the user profile
user.my_custom_attr = "My Custom Attribute";
context.samlConfiguration.mappings = {
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/color": "my_custom_attr"
};
callback(null, user, context);
}
Note that using context.samlConfiguration.mappings in a Rule will override the configuration you've set in your SAML add-on. Therefore, all the mappings you set in the add-on will be lost if you're using a Rule to customize the SAML assertions.
Related
I have a Micronaut microservice that handles authentication via JsonWebTokens (JWT) from this guide.
Now I'd like to extend this code. The users in my app have some extra attributes such as email, adress, teamId etc. I have all users in the database.
How do I know in the backend controller method which user corresponds to the JWT that is sent by the client?
The guide contains this example code for the Micronaut REST controller:
#Secured(SecurityRule.IS_AUTHENTICATED)
#Controller
public class HomeController {
#Produces(MediaType.TEXT_PLAIN)
#Get
public String index(Principal principal) {
return principal.getName();
}
}
I know that I can get the name of the principal, ie. the username from the HttpRequest. But how do I get my additional attributes?
(Maybe I misunderstand JWT a bit???)
Are these JWT "claims" ?
Do I need to load the corresponding user by username from my DB table?
How can I verify that the sent username is actually valid?
edit Describing my usecase in more detail:
Security requirements of my use case
Do not expose valid information to the client
Validate everything the client (a mobile app) sends via REST
Authentication Flow
default oauth2 flow with JWTs:
Precondition: User is already registerd. Username, hash(password) and furhter attributes (email, adress, teamId, ..) are known on the backend.
Client POSTs username and password to /login endpoint
Client receives JWT in return, signed with server secret
On every future request the client sends this JWT as bearer in the Http header.
Backend validates JWT <==== this is what I want to know how to do this in Micronaut.
Questions
How to validate that the JWT is valid?
How to and where in which Java class should I fetch additional information for that user (the additional attributes). What ID should I use to fetch this information. The "sub" or "name" from the decoded JWT?
How do I load a “user” in a micronaut backend when JWT is provided?
I am reading this as you plan to load some kind of User object your database and access it in the controller.
If this is the case you need to hook into the place where Authentication instance is created to read the "sub" (username) of the token and then load it from the database.
How to extend authentication attributes with more details ?
By default for JWT authentication is created using JwtAuthenticationFactory and going more concrete default implementation is DefaultJwtAuthenticationFactory. If you plan to load more claims this could be done by replacing it and creating extended JWTClaimsSet or your own implementation of Authentication interface.
How do I access jwt claims ?
You need to check SecurityService -> getAuthentication() ->getAttributes(), it returns a map of security attributes which represent your token serialised as a map.
How to validate that the JWT is valid?
There is a basic validation rules checking the token is not expired and properly signed, all the rest validations especially for custom claims and validating agains a third parties sources have to be done on your own.
If you plan to validate your custom claims, I have already open source a project in this scope, please have a look.
https://github.com/traycho/micronaut-security-attributes
How to extend existing token with extra claims during its issuing ?
It is required to create your own claims generator extending JWTClaimsSetGenerator
#Singleton
#Replaces(JWTClaimsSetGenerator)
class CustomJWTClaimsSetGenerator extends JWTClaimsSetGenerator {
CustomJWTClaimsSetGenerator(TokenConfiguration tokenConfiguration, #Nullable JwtIdGenerator jwtIdGenerator, #Nullable ClaimsAudienceProvider claimsAudienceProvider) {
super(tokenConfiguration, jwtIdGenerator, claimsAudienceProvider)
}
protected void populateWithUserDetails(JWTClaimsSet.Builder builder, UserDetails userDetails) {
super.populateWithUserDetails(builder, userDetails)
// You your custom claims here
builder.claim('email', userDetails.getAttributes().get("email"));
}
}
How do I access jwt claims ?
If you want to access them from the rest handler just add io.micronaut.security.authentication.Authentication as an additional parameter in the handling method. Example
#Get("/{fooId}")
#Secured(SecurityRule.IS_AUTHENTICATED)
public HttpResponse<Foo> getFoo(long fooId, Authentication authentication) {
...
}
I found a solution. The UserDetails.attributes are serialized into the JWT. And they can easily be set in my CustomAuthenticationProviderclass:
#Singleton
#Slf4j
public class CustomAuthenticationProvider implements AuthenticationProvider {
#Override
public Publisher<AuthenticationResponse> authenticate(
#Nullable HttpRequest<?> httpRequest,
AuthenticationRequest<?, ?> authenticationRequest)
{
// ... autenticate the request here ...
// eg. via BasicAuth or Oauth 2.0 OneTimeToken
// then if valid:
return Flowable.create(emitter -> {
UserDetails userDetails = new UserDetails("sherlock", Collections.emptyList(), "sherlock#micronaut.example");
// These attributes will be serialized as custom claims in the JWT
Map attrs = CollectionUtils.mapOf("email", email, "teamId", teamId)
userDetails.setAttributes(attrs);
emitter.onNext(userDetails);
emitter.onComplete();
}, BackpressureStrategy.ERROR);
}
}
And some more pitfalls when validating the JWT in the backend
A JWT in Micronaut MUST contain a "sub" claim. The JWT spec does not require this, but Micronaut does. The value of the "sub" claim will become the username of the created UserDetails object.
If you want to load addition attributes into these UserDetails when the JWT is validated in the backend, then you can do this by implementing a TokenValidator. But (another pitfal) then you must set its ORDER to a value larger than micronaut's JwtTokenValidator. Your order must be > 0 otherwise your TokenValidator will not be called at all.
I'm am trying to implement a VSTS extension which adds a new service endpoint. Crucially, the authentication method for this service includes the API as part of the querystring.
I am using the "type": "ms.vss-endpoint.endpoint-auth-scheme-token" for AuthenticationScheme.
I've defined the dataSources like so:
"dataSources": [
{
"name": "TestConnection",
"endpointUrl": "{{endpoint.url}}projects?token={{endpoint.apitoken}}"
}
]
However, in performing a test to Verify Connection:
Failed to query service endpoint api: https://myserver.com/projects?token=.
endpoint.apitoken is always blank.
Is there a placeholder/replacement value that can be used to get access to this value or another way of achieving the same end result?
I've tried using different authentication schemes (such as 'none') and included a inputDescriptor to capture my apitoken, but I have the same result. There doesn't seem to be a way to reference these values?
No, it is not supported. This article may benefit you: Service endpoint authentication schemes
I am looking for IdentityServer3 version which can support windows authentication and customgrant.
I found the windows authentication version: "Windows Auth All-in-One" in github.
Windows token conversion is working fine.
But when I try to use custom grant flow, using the following code:
var client = new TokenClient(
Constants.TokenEndpoint,
"customclient",
"secret");
return client.RequestCustomGrantAsync("custom", "read write", ParameterData).Result;
I am getting the response as:
"error": "unsupported_grant_type"
Any idea how to enable the custom grant type in Windows Auth All-in-One version of Identity server?
Using IdentityServer's extensibility mechanism, you can register a custom grant validator for the my_custom_credential.
The job of a custom grant validator is to validate the incoming data, and map that to an IdentityServer user.
You start by implementing this interface:
public interface ICustomGrantValidator
{
Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request);
string GrantType { get; }
}
In the GrantType property you specify which custom grant type you want to handle with this validator.
In the ValidateAsync method you have access to the raw requests (e.g. for reading custom parameters like in the example
above) as well as validated data like scopes and client identity.
The result object allows you to set either a principal (with claims) that map to a user - or an error message.
You register the validator by setting it on the service factory:
factory.CustomGrantValidators.Add(
new Registration<ICustomGrantValidator, MyCustomGrantValidator>());
To use this grant type, you need to create a client with the following configuration:
The Flow must be set to Custom
The AllowedCustomGrantTypes must include the custom grant type
https://identityserver.github.io/Documentation/docsv2/advanced/customGrantTypes.html
For creating a group, a user and assigning the user to that group, I referred this link Add permission profile through API.
Using REST APIs I am able to do that but permission for user is not getting set.
When I check in DocuSign, group is having correct permission set but same is not set for a user. Please let me know if I am missing anything.
Additional Information: This is the request I am sending
{
"newUsers":[{
"email":"'.$email.'",
"userName":"'.$userName.'",
"password":"'.$password.'",
"groupList": [{
"groupId": "'.$groupId.'",
"groupName": "'.$groupName.'",
"permissionProfileId": "'.$permissionId.'"
}]
}]
}
Also, when a user is added to a group, permissions set at group level will be applied to the users. Is there something missing?
When you create a permission profile you use this endpoint:
POST {vx}/accounts/{accountid}/permission_profiles
the response body for that endpoint should contain this info ( I omitted some details from the response)
{
"permissionProfileId": "sample string 1",
"permissionProfileName": "sample string 2",
...
}
Once you have the permissionProfileId and permissionProfileName you should be able to assign that permission profile to a user using this endpoint:
PUT {vx}/accounts/{accountid}/users/{userid}
and using the permissionProfileId and permissionProfileName in your request (I used dummy values here):
{
"permissionProfileId": "12345",
"permissionProfileName": "SomeName"
}
I hope that helps!
-Yadriel
I am having trouble extracting UserAccount properties from MembershipReboot in conjunction with Thinktecture IdentityServer. I have both up and running using the Sample repo here: https://github.com/identityserver/IdentityServer3.MembershipReboot
When I request the "openid profile" scope in an Implicit Grant Flow, I am missing a lot of the user account fields such as "given_name, middle_name", etc from the id_token and response from the userinfo endpoint. I understand this is because they need to be assigned in the GetClaimsFromAccount function.
I can see the requestedClaims come into the GetProfileDataAsync() function in the MembershipRebootUserService class and if I hover over the instance of TAccount in GetClaimsFromAccount I can see the Firstname, Lastname, etc properties appearing in the CustomUser dynamic proxy but I can't for the life of me work out how to access them and copy them into the claims collection?
More Info:
I suspect the issue is with this line:
claims.AddRange(userAccountService.MapClaims(account));
It looks like this should be converting the user account properties into claims but I dont get any back.
The way I understand it works is you add an option to your Scope object to return all of the claims for a user. IncludeAllClaimsForUser is the key property.
e.g.
new Scope
{
Enabled = true,
Name = "roles",
Type = ScopeType.Identity,
IncludeAllClaimsForUser = true,
Claims = new List<ScopeClaim>
{
new ScopeClaim("role")
}
}
My request includes the role property as well. This pulled back all the claims for the user from MR for me. My example is with Implicit flow btw.