I am trying to integrate Tigase to use my custom MySQL database to authenticate users, gets rosters and vCards. I setup the "Custom Authentication Connectors" as described at https://docs.tigase.net/tigase-server/8.0.0/Administration_Guide/html/#customAuthentication however, it only seems to authenticate users I've already added to the local Tigase database. Is it possible for Tigase to automatically create the user when the user has successfully authenticated? And, how can I setup Tigase to get the user's roster and/or vCard from my custom database?
I've tried setting up the "Custom Authentication Connectors" as described at https://docs.tigase.net/tigase-server/8.0.0/Administration_Guide/html/#customAuthentication, however, for users that only exists in my custom database, it allows login, but throws an error when I try to create a room or add a user to my roster as "tigase.db.UserNotFoundException: User does not exist" and "WARNING: NotAuthorizedException for packet."
Here is the config I am using based on https://docs.tigase.net/tigase-server/8.0.0/Administration_Guide/html/#customAuthentication:
authRepository {
default () {
cls = 'tigase.db.jdbc.TigaseCustomAuth'
'data-source' = 'db-custom'
'conn-valid-query' = 'select 1'
'user-account-status-query' = 'select onlineStatus AS account_status from tbl_contacts where id = ?'
'user-login-query' = "select vUserId AS user_id from tbl_contacts where vUserId = ? AND vPassword = ?"
}
}
I expect to be able to integrate Tigase with my custom database so that it authenticates, gets roster and vcard information from my database.
The answer to your question: " Is it possible for Tigase to automatically create the user when the user has successfully authenticated" is actually answered in the linked documentation:
To keep user accounts in sync between the authentication database and the main user database you have to add following option to the end of the database connection URL: autoCreateUser=true
Currently it's not possible to retrieve user data from custom repository by only changing / adjusting configuration.
If you want to completely manage the users using your own database, then you'd have to implement UserRepository interface by yourself (you may take a look at JDBCRepository implementation to get an idea how to go about that)
Related
My requirement is enable 2FA using email in Keycloak.
When enabled, if user tries to login through email & password ,after user is successfully authenticated ,time based token will be sent to email .
User will do this action from custom UI i.e in our product we have UI to enable/disable 2FA for user.
We are using Keycloak & we want to achieve this using Keycloak API.
I am using keycloak-admin-client to interact with Keycloak API but I did not find sufficient resources to achieve this using keycloak-admin-client.
I am looking a way using keycloak-admin-client how to enable 2FA for user.
Any help will be highly appreciated.
Thank You
You should add custom REST endpoints to Keycloak to be able to enable 2FA from your custom UI. We have done this before. It's not that much complicated, but it requires you to have a look at Keycloak source to see what it's doing when OTP gets activated. Some important classes to check/use are TotpBean, OTPCredentialModel and OTPPolicy.
In order to enable the 2FA, we needed to show the QR code image in our custom UI. So we added an endpoint to Keycloak that instantiates an instance of TotpBean. It's the one that gives you access to the QR code image and the secret value that are required to generate the equivalent string representation of the image so that it could be scanned/entered in the 2FA app (e.g. Google Authenticator). Here is an example of how such an endpoint would look like:
#GET
#Produces({MediaType.APPLICATION_JSON})
#Path("/o2p-enable-config/{email}")
#NoCache
public Response fetchOtpEnableConfig(#Email #PathParam("email") String email) {
UserModel user = session.users().getUserByEmail(email, realm);
TotpBean totp = new TotpBean(session, realm, user, session.getContext().getUri().getRequestUriBuilder());
return Response
.ok(new YouOTPResponseClass("data:image/png;base64, " + totp.getTotpSecretQrCode(), totp.getTotpSecret(), totp.getTotpSecretEncoded()))
.build();
}
Then on your own backend, you call this endpoint and send the user's email to it and receive the image and the secret value. You can just display the image as is in your UI and keep the secret value on your backend (e.g. in user's session). When user scans the image using the app and enters the totp value provided by the app in your custom UI, you send the totp value and the secret to another endpoint that you should add to the Keycloak. This second endpoint is the one that does that verification of the value and enables 2FA.
#POST
#Consumes(MediaType.APPLICATION_JSON)
#Path("/enable-2fa/{email}")
#NoCache
public Response enable2Fa(#Email #PathParam("email") String email, OtpDetails optDetails) {
OTPPolicy policy = realm.getOTPPolicy();
String totp = optDetails.getTotp();
UserModel user = session.users().getUserByEmail(email, realm);
OTPCredentialModel credential = OTPCredentialModel.createFromPolicy(realm, optDetails.getSecret(), optDetails.getUserLabel());
if (CredentialValidation.validOTP(totp, credential, policy.getLookAheadWindow())) {
CredentialHelper.createOTPCredential(session, realm, user, totp, credential);
return Response.noContent().status(204).build();
} else {
return Response.status(BAD_REQUEST).build();
}
}
Keycloak supports multiple 2FA for each user. That's why it also has a property named label that allows user to name them so that it would be displayed in the 2FA login scenario with given name. You can also allow user to enter the label value in your custom UI and pass it to the second endpoint (or just pass an empty value to Keycloak if you're not going to allow your users to setup multiple 2FA).
I know it seems complicated, but it's actually not that much. The Keycloak domain model is well designed and when you get familiar with it, you can easily find what you need to do and wrap it in custom APIs. But always ensure that exposing a functionality would not compromise the overall security model of the system.
Take a look at keycloak two factor email authenticator provider
https://github.com/mesutpiskin/keycloak-2fa-email-authenticator
I agree that is necessary to write a custom provider for this use case.
Take a look at https://www.n-k.de/2020/12/keycloak-2fa-sms-authentication.html and https://www.youtube.com/watch?v=GQi19817fFk for a look at how to implement that.
That is an example via SMS, but via e-mail would be very similar, changing just the way of sending the code to the user.
I'm working on a Sitecore 8 Update 2 site.
I'm also using the web forms for marketers.
I've set up a login and register form using WFFM. I was able to link fields on the form with the fields of the user profile ( the one used in User Management )
However when i want to make a "Update Contact Details" i can't link the fields on the form with the profile fields as before. Now i have to select a "contact facet". I added one of these and WFFM picked up on this, so now i can link the field on the form with a facet.
The last link i'm missing is linking this facet ( stored in Analytics - MongoDB ) to the profile field.
Does anyone know how to achieve this ?
Bonus: This started off as a slighty different question, you can read more about this issue here:
How to update sitecore user with webforms for marketers ( Update Contact Details )
First you need to add the Create User Save Action and setup the email address as the username.
Then you need to add the User login Save Action straight after that. This is because the Update Contact Details Save action only applies to logged in users.
Then you can use the Update Contact Details Save Action. This action will create data in MongoDB under the logged in user name - so if you go to the Identifiers collection MongoDB a new entry will be created (See screen shot below).
So in short the aspnet_membership data and the MongoDB data is linked via the username in WFFM. In aspnet_users - UserName and in MongoDB by way of an identifier. You can't mix the MongoDB and aspnet_profile data they belong in two separate places.
So once you have created this user in WFFM you could call up their details using the analytics API using the identifier:
Tracker.Current.Session.Identify(username);
var personalInfo = Tracker.Current.Contact.GetFacet<IContactPersonalInfo>("Personal");
Hope that makes sense :)
I was trying out the new enhanced revocable sessions in Parse on my Android app. It works well when logging in or signing up via email password or facebook but doesn't work well for custom authentication, e.g. google+.
I'm currently logging in the user using the cloud code which also creates the new user when signing up. This does not create a new Session object, that means the new enhanced sessions are not used and it still uses the legacy sessions.
I pass the session token back to client where using the become method the user logs in but it's the legacy sessions.
This feels like the feature is not complete but I would really like to move to the new enhanced sessions with my app. Has anyone worked with them yet? Are there any workarounds using the REST API or by creating the sessions manually and handling them manually? I looked into the JS API but it says it's only read only.
Here's the Blog post on Enhanced Sessions.
Where should I go next?
Yes, I found a solution but it's a workaround, works for my case because I don't support signing up with user/password.
Basically, the solution (cloud code) in semi pseudo-code is:
Fetch the user with master key
Check if user.getSessionToken() has value
if it has, return the session token and do a user.become() in the client as usual
if it's not, here the workaround, do the following:
yourPreviousPromiseInOrderToChainThem.then(function(user)
password = new Buffer(24);
_.times(24, function(i) {
password.set(i, _.random(0, 255));
});
password = password.toString('base64')
user.setPassword(password);
return user.save();
}).then(function(user) {
return Parse.User.logIn(user.get('username'), password)
}).then(function(user) {
var sessionToken = user.getSessionToken();
// Return the session token to the client as you've been doing with legacy sessions
})
That means, I'm changing the user password each time in order to make a remote login and, of course, I know thist can't be applied to all cases, it's enough for app because I don't support login with user/password (only third party logins) but I understand that maybe it's not for all cases.
I got the idea from this official Parse example.
I don't like this solution because I think is not a workaround, it's a mega hack but I think there is no other way to do it currently (either Parse.com or Parse-Server)
If you find other workaround, please, share it :)
I have configured request tracker4 to be an interdepartmental helpdesk solution. The current setup is that users will login to RT using LDAP. Once logged in there account is automatically created. However, their account is created with no privileges.
To fix this I have been having to go to Tools-->Configuration-->Select then put in the users DN name and clicking add I then have to check the box "Let this user be granted rights (Privileged)" I have also tried setting Set($AutoCreate, Privileged); but no luck.
I looked at the user accounts in the sqlite database and noticed that when new user logs in they are indeed created in the database. But with no privileges.
709|tuser3|*NO-PASSWORD*|||||||tuser3|||||||tuser3||tuser3|||||||||||||1|2013-03-08 13:47:38|1|2013-03-08 13:47:38
791|Mayra|*NO-PASSWORD*||||Mayra#**************||Main Office|Mayra Hernandez|||||||Mayra||Mayra||**************|||||||||||1|2013-04-03 21:46:36|1|2013-04-03 21:46:36
797|sdrakeford|*NO-PASSWORD*||Autocreated when added as a watcher||sdrakeford#**************|||Sophia C. Drakeford|||||||sdrakeford||sdrakeford|||||||||||||1|2013-04-04 13:18:58|1|2013-04-04 13:18:58
827|Robert.Troy|*NO-PASSWORD*||||Robert.Troy#*******************||Main Office|Robert Troy|||||||Robert.Troy||Robert.Troy||***************|||||||||||1|2013-04-04 16:11:58|1|2013-04-04 16:11:59
Am I missing something, because usually these things are quite obvious.
The $AutoCreate option takes a hashref with all of the default options you want to pass to the User Create method. Try something like:
Set($AutoCreate, {
Privileged => 1
});
(As an aside, it's generally not recommended to run a production instance on sqlite. You might want to consider converting to MySQL or Postgres.)
I am using Npgsql and I was wondering whether there was a way to connect to a PostgreSQL server using integrated security that automatically falls back to a public login? Or maybe there is another way to do what I am trying to achieve.
I have an ASP.NET web site (IIS7.5) that uses Windows Authentication, and I have configured PostgreSQL to allow access via SSPI, this works fine as long as there is a role with the right name in the database. The web site is available for everyone on the intranet to view but some users have a few extra abilities (or can see extra data) that everyone else should not be able to do.
Currently, I am using something like the following:
NpgsqlConnectionStringBuilder csb = new NpgsqlConnectionStringBuilder();
csb.Pooling = false; // if true, causes intermittent DB connection issues
csb.Database = "dbname";
csb.Host = "192.168.1.100";
csb.IntegratedSecurity = true;
dbconn.ConnectionString = csb.ConnectionString;
try
{
dbconn.Connect();
}
catch (NpgsqlException ex)
{
if (/* check for authentication failed */)
{
csb.IntegratedSecurity = false;
csb.UserName = "www-read";
dbconn.ConnectionString = csb.ConnectionString;
dbconn.Open();
}
}
This works fine, except for each time it falls back to the "www-read" role, it adds a critical log entry saying that there was an authentication error. The only way I can see around this is always connecting via www-read and querying whether a suitable integrated-security role exists and reconnecting, but that seems even more cumbersome than the above.
I don't see any passwords in your code. Are you using any security at all?
If you don't want to embed password into your source code (and rightly so), you should create ~/.pgpass file in your home directory (%appdata%/postgresql/pgpass.conf on Windows) which has 1 or more lines like this:
hostname:port:database:username:password
This will allow any program that is using libpq (including npgsql) to look up for passwords from .pgpass upon any connection attempt.
If this will run under www-data user, .pgpass should be created in its home directory (but be sure to configure your web server not to serve this file ever!)
I think doing this should also fix problem with connection pooling that you seem to have.