Is it possible to update the value of custom attribute via Keycloak REST API?
For example, which endpoint to use and how to construct a request body for the attribute that was created here.
Thanks!
You have to use Keycloak Admin REST API :
PUT {host}/{basepath}/admin/realms/{realm}/users/{id}
e.g.
http://localhost:8080/auth/admin/realms/alumni-realm/users/cd57cfd8-cb1c-4025-abfd-67fe6b784d22
Request Body (JSON) :
{
"attributes": {
"DOB": "1984-07-01"
}
}
Authorization (Bearer Token) :
Use Admin user access_token for authorization.
If you want to allow User to update their own profile then you have to grant manage-users role in Keycloak. (That user will be able to update other users info hence it is not recommended)
You can use the API for user update with sending only the attribute to be changed:
PUT ../realms/{realm}/users/{userID}
Body:
{
"attributes": {
"myAttribute": [
"NewValue"
]
}
}
It Cause "ID" change when you update user custom attribute via Keycloak REST API PUT ../realms/{realm}/users/{userID}
and you need to GET /{realm}/users two times to get new value in the response
Related
Just want to ask how we can create a user using Asgardeo User Management API without providing a password?
Basically we want to replicate this flow but instead of manually doing it on the console, we want to do it from the User Management API.
enter image description here
Here are some of the Endpoints that we tested
POST
https://api.asgardeo.io/t/asgardeo/scim2
/Users
POST
https://api.asgardeo.io/t/asgardeo/scim2
/Bulk
The password field seems to be a required field.
Setting the urn:scim:wso2:schema with "askPassword":"true" should allow you to create the users without providing the password.
Sample Payload of the scim https://api.asgardeo.io/t/tenantName/scim2/Users:
{
"emails":
[
{
"primary":true,
"value":"<User Email>"
}
],
"name":
{
"familyName":"",
"givenName":""
},
"urn:scim:wso2:schema":
{
"askPassword":"true"
},
"userName":
"DEFAULT/<User Email>"
}
The will receive the invite request similar to the UI function.
Same approach can be taken with the Bulk endpoint too as mentioned this medium blog
I'm trying to synchronize user names and primary emails with AD via the Github API. I make a call to /user/emails using an oAuth token with scope user:email and I get back their primary email. I then try to use PATCH /user per this doc with the payload:
{
email: newemail#ourcompany.com
}
And I get back a 404.
Is this the correct method to set the primary emails for users?
This is due to your API request is not properly authenticated or your OAuth token does not have the required scopes. As per your question, you have set user:email scope which does not allow modification of the profile. Use user scope intead.
See more: Why am I getting a 404 error on a repository that exists?
It requires authentication and it will return 404 Not Found, instead of 403 Forbidden, in some places. This is to prevent the accidental leakage of private repositories to unauthorized users.
You can try to make your email visibility to be public
[
{
"email": "newemail#ourcompany.com",
"primary": true,
"verified": true,
"visibility": "public"
}
]
Turns out the issue was a typo in the PATCH URL.
I have a web site (gigsnet) with a Facebook login. I did it using Passport/oauth.
I want to implement a chatbot, so that our users can chat to the "Gigsnet" page, and get personalised responses from the chatbot.
I realise that the IDs won't match, and that some "magic" is necessary here. So, here we go.
SOME IDS
This is what my server receives when a message by myself (page admin) arrives:
Requested: /app/chatbot
REQUEST BODY: { object: 'page',
entry:
[ { id: '1130858117040228',
time: 1495584613258,
messaging:
[ { sender: { id: '119XXXXXX7137093' },
recipient: { id: '1130858117040228' },
timestamp: 1495584613013,
message:
{ mid: 'mid.$cAAQEgkm16DpiaQ9qlVcN8ohagocY',
seq: 290123,
text: 'd' } } ] } ] }
POST /app/chatbot 200 1.581 ms - -
This tells me that my user ID for the chatbot is 119XXXXXX7137093.
Also, this is what I have on my DB for authenticated users:
{ "_id" : ObjectId("5924c947b0d5a1095c8f326c"), "strategyId" : "facebook", "field1" : "636379230", "field3" : "EAAGcvqGZBOtkBAFuHIC4U9CxB8vEFcL25iQ6vsVkT9s1CKfJtqPPg6YhJjZAepu2v6EqtOjj6UDCaTYxca9UbRReIhKeIu4UGmEW4L9lJcGDXXXXXXXXXXXXXXXl4YgoMx8ExmI0zZCEsbZBYtZA9SR3PW9FkMdZCkgZD", "userId" : ObjectId("59239720a04b2e1de8e103d8"), "id" : ObjectId("5924c947b0d5a1095c8f326b"), "_children" : { }, "_clean" : true }
This particular user happens to be admin of the pages, the app, and owner of the company that owns page and app.
So:
USER ID (CHATBOT SCOPE): 119XXXXXX7137093
USER ID (LOGIN APP SCOPE): 636379230 WITH ADMIN ACCESS TOKEN: EAAGcvqGZBOtkBAFuHIC4U9CxB8vEFcL25iQ6vsVkT9s1CKfJtqPPg6YhJjZAepu2v6EqtOjj6UDCaTYxca9UbRReIhKeIu4UGmEW4L9lJcGDXXXXXXXXXXXXXXXl4YgoMx8ExmI0zZCEsbZBYtZA9SR3PW9FkMdZCkgZD
PAGE ID: gigsnetco
APP ID (LOGIN APP): 453817548028633
The access token is important as I am the admin for the pages.
USER ID IN MESSENGER BOT -> USER ID IN LOGIN APP (with extra step)
To make this call, I need FIRST an access token for the page. So, here I am using my user's oauth access token from the database in order to get another access token, the one to administer pages.
curl "https://graph.facebook.com/v2.9/gigsnetco?access_token=EAAGcvqGZBOtkBAFuHIC4U9CxB8vEFcL25iQ6vsVkT9s1CKfJtqPPg6YhJjZAepu2v6EqtOjj6UDCaTYxca9UbRReIhKeIu4UGmEW4L9lJcGDXXXXXXXXXXXXXXXl4YgoMx8ExmI0zZCEsbZBYtZA9SR3PW9FkMdZCkgZD&fields=access_token"
{"access_token":"EAAGcvqGZBOtkBAMeNZAE09EsRndMYvDlVpNeE6HT05zxqeL2XXXXXXXXXXXXXXXXDs2vdiSYlErrdw8ZAF3uBdUiIjnioXxohljA3mLjlKbgFZC5tfz7ivGHCHb4LubXHBNx7wLMMLcl7WrZC627uca2HW18dQZBH5MGhOqvHRyYXQZDZD","id":"1130858117040228"}
I now use the token for the page ID above to make a request on the user 119XXXXXX7137093 (chatbot) asking it the list of ids for linked pages.
Note: I am using the user id 119XXXXXX7137093, filtering by app ID, using the page's access token.
curl "https://graph.facebook.com/v2.9/119XXXXXX7137093/ids_for_apps?app=453817548028633&access_token=EAAGcvqGZBOtkBAMeNZAE09EsRndMYvDlVpNeE6HT05zxqeL2XXXXXXXXXXXXXXXXDs2vdiSYlErrdw8ZAF3uBdUiIjnioXxohljA3mLjlKbgFZC5tfz7ivGHCHb4LubXHBNx7wLMMLcl7WrZC627uca2HW18dQZBH5MGhOqvHRyYXQZDZD"
{"data":[{"id":"636379230","app":{"link":"http:\/\/www.gigsnet.com\/","name":"Login","id":"453817548028633"}}],"paging":{"cursors":{"before":"NDUzODE3NTQ4MDI4NjMz","after":"NDUzODE3NTQ4MDI4NjMz"}}}
Bingo! I have 636379230. When a user types anything to the chatbot, I can now cross-reference them with a user who has previously logged in, and provide personalised information.
USER ID IN LOGIN ALL -> USER ID IN MESSENGER
Here I am using the access token from the screen https://developers.facebook.com/apps/453817548028633/messenger/ in "Token generation".
curl "https://graph.facebook.com/v2.9/636379230/ids_for_apps?app=453817548028633&access_token=EAAGcvqGZBOtkBAKycZAeDI4D13sOVZAZAlNJqZCTXXXXXXXXXXXXXXXxsyaOs9WgQO2jcnHJeEYAbUlEdCU1xejYjTlWE1w4tEfe7IZAAw8i3X2qn1AKwDlHhwHbQsoylxPZAcPagVKemSd6KQwUP2gB8pkm61PumqLiVuIw3B3lQZDZD"
{"data":[{"id":"636379230","app":{"link":"http:\/\/www.gigsnet.com\/","name":"Login","id":"453817548028633"}}],"paging":{"cursors":{"before":"NDUzODE3NTQ4MDI4NjMz","after":"NDUzODE3NTQ4MDI4NjMz"}}}
Note that my own access token (I guess because I am the page admin) ALSO works:
curl "https://graph.facebook.com/v2.9/636379230/ids_for_apps?app=453817548028633&access_token=EAAGcvqGZBOtkBAFuHIC4U9CxB8vEFcL25iQ6vsVkT9s1CKfJtqPPg6YhJjZAepu2v6EqtOjj6UDCaTYxca9UbRReIhKeIu4UGmEW4L9lJcGDXXXXXXXXXXXXXXXl4YgoMx8ExmI0zZCEsbZBYtZA9SR3PW9FkMdZCkgZD"
{"data":[{"id":"636379230","app":{"link":"http:\/\/www.gigsnet.com\/","name":"Login","id":"453817548028633"}}],"paging":{"cursors":{"before":"NDUzODE3NTQ4MDI4NjMz","after":"NDUzODE3NTQ4MDI4NjMz"}}}
Bingo! 636379230 is the user ID for messenger.
QUESTIONS
The API documentation mentions that I should provide appsecret_proof in order to get ids_for_pages to work. However, I didn't have to (plus, you only provide a PHP example, and I couldn't find an example in node). Is it OK not to provide appsecret_proof?
In order to make calls, I am using my own access token (as the page admin); I obtained this access token using oauth, using my app (I am using passport on nodejs).
Will this token expire after 60 days?
If so, does that mean that I ought to link/unlink my account so that I generate a new access token? (Or, use an API command to get a new access token? (If so, which one?)
Since the access token expires, shall I keep on refreshing it for logged in users as well? The problem is that once a user is logged in, they are alogged in.
Does the page access token also expire? How often shall I re-generate it? Surely, regenerate it for every received message would be wasteful on my end and your end...!
Are scoped IDs stable? Do I absolutely know that the IDs will never change? Once I make the connection, can I save it and have it like that forever? Even if a user unlinks themselves with oauth and then link themselves back? Or in case the access tokens expire for example. If they do change, how do I know if they are expired/?
Thank you!
I'm trying to make a Gogle Chrome extension that requires user authorization to a SugarCRM 7.5 instance with OAuth 2.0 and I need to store the access token that's retrieved. I may need more clarification on how launchWebAuthFlow works.
Firstly, I can retrieve an access token from SugarCRM by using a POST request (not a GET request) that returns an access and a refresh token.
When I tried using the code below I kept getting the error: "authorization url can not be loaded" and when I checked the background console (I already know that my auth URL is wrong). Any help is appreciated even if you don't know SugarCRM. Just a general answer that can get me started is much appreciated.
manifest.json
{
"name": "Auth Sample",
"version": "1",
"manifest_version": 2,
"minimum_chrome_version": "29",
"key": "<long key>",
"app": {
"background": {
"scripts": ["background.js"]
}
},
"permissions": [
"identity",
"https://<sugar instance>/*"
]
}
Background.js
chrome.identity.launchWebAuthFlow(
{'url': '<url-to-do-auth>', 'interactive': true},
function(redirect_url) { console.log(redirect_url); });
My URL is definitely not gonna work here but it's something like this:
var client_id = '<client id from Oauth 2.0>';
var redirectUri = chrome.identity.getRedirectURL("sugarcrm");
var url = "https://<sugar instance base url>/rest/v10/oauth2/token?client_id=" + client_id + "&callbackURL=" + redirectUri + "&response_type=token"
What's the url-to-do-auth (is this the URL to do a regular login (username and password) to SugarCRM or is it a GET request through the REST API to do login)
I don't have a UI web auth flow for my SugarCRM instance. Is it possible to create one from the application or should that be on the server?
I can only make POST requests to get an access token. Will that still work with launchWebAuthFlow?
Update
I ended up storing the token using the local chrome.storage api and only stored the refresh token which will keep getting a new access token every time the application is run(I think it's more secure than just storing the access token as that will force it to always keep changing without passing other credentials)
After more search on launchWebAuthFlow. I found out that the url launchWebAuthFlow takes as parameter will launch a web page(with interactive parameter set to true) which is hosted on the server, that will let the user login and will return an access token if success. This url is actually an endpoint on the restful server. You need to create this endpoint that will be a get request with some parameters including a callbackURL, client_id and response_type. Then it will respond with another function that will be a post request and will take the username and password. If credentials are correct, it will return the access token as a parameter in the callbackURL(chrome extension specific url that contains the extension ID).
Please feel free to correct me or add something if I'm wrong.
I'm developing iPhone application, that is based on communication with server, and I want to use Facebook authentication mechanisms.
Basically, I think it should work like this:
In my iPhone app, user logs in to Facebook, using his email and password.
User allows access to his data for related Facebook application.
My iPhone app receives access token, after successful log in.
In further communication with my server, my iPhone application should use the received Facebook access token (for example: in queries).
When my server receives some query from iPhone app, with access token, it should ask Facebook that this token is valid (and for who), and if yes, server should assume that user is authenticated with Facebook.
My question is: how the server should ask Facebook if given access token is valid? I think I should somehow check if the token is valid for my Facebook app.
I've tried many Facebook queries to graph API, that I've found, but nothing worked as I expected. Can you provide me some example?
Here's a two step process you can use to validate that a user access token belongs to your App:
1) Generate an App Access token
(https://developers.facebook.com/docs/howtos/login/login-as-app/)
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&client_secret=YOUR_APP_SECRET
&grant_type=client_credentials
2) Debug the User Access token
(https://developers.facebook.com/docs/howtos/login/debugging-access-tokens/)
https://graph.facebook.com/debug_token?
input_token=INPUT_TOKEN
&access_token=ACCESS_TOKEN
Where INPUT_TOKEN is the user access token you want to verify, and ACCESS_TOKEN is your app's token that you got from step 1.
The debug endpoint basically dumps all information about a token, so it'll respond with something like this:
{
data: {
app_id: YOUR_APP_ID,
is_valid: true,
metadata: {
sso: "iphone-safari"
},
application: YOUR_APP_NAMESPACE,
user_id: USER_ID,
issued_at: 1366236791,
expires_at: 1371420791,
scopes: [ ]
}
}
If that token isn't from "your app" then it will return an error response.
Update: this answer seems insecure since it doesn't validate the token
first as belonging to your app, see the comments, original answer as
follows:
I assume that you already have the access token in hand. In such a case the simplest way to validate an access token is to issue the following request
https://graph.facebook.com/me?fields=id&access_token=#accesstoken
Here replace #accesstoken with the access token you have. I will breakdown the url and will explain each.
We are issuing a graph api request here which will return the Facebook User Id of the owner of the access token as a JSON string. The keyword 'me' represents the currently logged in user or the owner of the access token. For this request access token is a mandatory parameter.
If the provided access token is not valid or expired Facebook will just return an error message of some sort.
For a valid access token the result will somehow look like this
{
"id": "ID_VALUE"
}
Another solution would be to use https://graph.facebook.com/app/?access_token=[user_access_token] as described by Get application id from user access token (or verify the source application for a token).
This appears to be an undocumented feature, but returns JSON containing the id of the app the token was generated for. If the token wasn't for your app, it returns a 400.
In the latest version of facebook (2.2) you can do it this way:
https://developers.facebook.com/docs/graph-api/reference/v2.2/debug_token
Sample output:
{
"data": {
"app_id": "THE APP ID",
"application": "APP NAME",
"expires_at": 1427245200,
"is_valid": true,
"scopes": [
"public_profile",
"basic_info",
"read_stream",
"email",
"publish_actions",
"read_friendlists",
"user_birthday",
"user_hometown",
"user_location",
"user_likes",
"user_photos",
"user_videos",
"user_friends",
"user_posts"
],
"user_id": "THE USER ID"
}
}
private function facebookRequestMe($access_token)
{
include_once "facebook.php";
$facebook = new Facebook(array(
"appId" => "your_application_id",
"secret" => "your_application_secret"
));
$facebook->setAccessToken($access_token);
return $facebook->api("/me", "GET");
}
You can download the Facebook SDK for PHP from GitHub.
If a user has passed you a Facebook UID that they claim is theirs and you want to check if it's legit, this is a Python function that will verify it against their access token (an implementation of Robin Jome's answer):
def verify_facebook_id(id, access_token):
import requests
import simplejson
params = {'fields': 'id', 'access_token': access_token}
text = requests.get("https://graph.facebook.com/me", params=params).text
json = simplejson.loads(text)
response_id = json["id"]
return response_id == id
This is the only secure method to verify user token using just one request:
https://graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app_id}|{app_secret}
Note that a sign "|" in the above URL isn't used as OR but as separator and must be there after fill the other fields.
The response will be JSON looking like that:
{
data: {
app_id: {app_id},
application: {app_name},
expires_at: {some_number},
is_valid: {true|false}
scopes: {array_of_permissions},
user_id: {user_id}
}
}
Reference: https://developers.facebook.com/docs/facebook-login/access-tokens/#apptokens
(above method is mentioned at the bottom of this section)
Along with an access token Facebook also sends an "expires_in" parameter, which is an offset value. Use that to compute for when the access token will expire as an NSDate. Then when you need to do a request compare the current date with the expiration date.
Also try to inspect the status codes and response strings Facebook sends back.