Zimbra - How to change user password by username using SOAP API? - email

As an admin, I need to set user passwords through SOAP API but I could not find a service addresses my need. The closest service to mine is SetPassword that enables setting passwords through ZimbraID. Are there any ways to set passwords through usernames? Or how can I retrieve ZimbraIDs for existing accounts?

That's the only method available. However, you can get the zimbra id using GetAccount and using username.

Related

Custom username in Keycloak

I want usernames (created using an algorithm) to be automatically assigned to users and want to allow login using both this username and email address. How do I do that in Keycloak?
You can use rest api to create user. This way you can use alghoritm to generate username. Documentation is here:
https://www.keycloak.org/docs-api/10.0/rest-api/index.html#_users_resource
In the realm settings go to Login tab and enable Login with email

Is it possible to add more than one email per user in Keycloak?

I'm using Keycloak for Identity Brokering through Google, Microsoft, etc. But Keycloak only allows one email per user. So the user can be authenticated only through one of the social login options (Google if gmail is added as user's email address, etc.). Is there any way to include more than one email per user, or any other workaround?
EDIT: (Editing based on comments to make scenario more clear)
In my scenario, I'm using a federated user store which contains a large number of users and and I need Keycloak to access all the emails linked to a user when that user is logging in using Google,Azure,etc. because Keycloak is using the email as the unique identifier for the authentication response from the social login provider. Without having the required email as the main email, Keycloak won't allow that user to log in through social IdP
Although, Keycloak emphasises on keeping a unique email,but there are certain scenarios where you may want to keep , say, secondary email.
This can be achieved in a couple of steps:
1. Add a custom attribute for secondary email in user like this:
2. Next , in your client create attribute mapper like this:
When I generated the token after above configuration, the new attribute was avialble in token. You can use this attribute in your app as you desire.
Parsed JWT:
I figured out the best way to deal with this is through the custom user provider (federated user store). Even though we can't add multiple emails per user through the Keycloak admin console, we can write the user provider in such a way that it can get all the emails linked to a user from our database and assign them to the email attribute of each user. Once this is done, all the emails will appear on the admin console as well.
For the social login to recognize those emails, we have to get all the emails linked to a user in the provider to an array and iterate through it until the authentication is complete. This would help to create the social login link to the user through First Login Broker authentication flow.
This is a crude way to approach this, but nevertheless it works!

Shiro: Is it possible to get the URL in doGetAuthenticationInfo(AuthenticationToken token)

I am trying to create a RESTful web service using Jersey framework on google appengine. I am using apache shiro for authentication.
Let's say I have the following scenario:
There is a admin user pre-configured which creates other user and provides the username and password offline to each of those users.
For the normal users, there are a number of REST APIs. There is one API:
GET /tokenInfo which should use username and password for authentication and return a UserId and token as response.
For all the other REST APIs, I want the credential used for authentication to be the UserId and Token instead of Username and password.
So basically it a scenario where the credential pair used for authentication varies based on the API.
How can I achieve this in shiro. From what I understand, doGetAuthenticationInfo() passes the credentials sent by the client and expects you to validate, but in this case, I need to know which API is called. So is there a way to get the URL?
If no then what other way is there to achieve this?
Sounds like you would need to create a custom filter, to build the type of token you want to pass to your realm, take a look at one of the defaults as an example:
https://shiro.apache.org/web.html#default-filters

Password for Azure AD User

I am using Graph API to read user information from Azure AD. I am getting all the user information in the response except the password. Is there anyway I can get that?
I am calling this API. (Reference)
https://graph.windows.net/myorganization/users/{user_id}?api-version
As noted in the Graph API References:
The passwordProfile property always returns null. This is to prevent the user’s password from being displayed. You can reset the user’s password by updating the passwordProfile property.
If you are looking to have someone authenticate to your service using their AAD Account, you should either use Federation to have your authentication provider trust the AAD authentication provider, or you can even register your application in our system, and use AAD as your authentication provider.
I hope this helps!

Machine to machine REST authentication

If you have multiple RESTful web services running on different subdomains (accounts.site.com, training.site.com, etc) what is a good authentication mechanism when one service needs to consume another?
Human authentication is easy because they supply their login credentials and get back a JSON Web Token which is then sent with every request to authenticate them.
A machine having a username and password just seems odd so I was wondering what are some proven ways of solving this problem?
It depends on... From the service perspective the other service is just a REST client, so let's stick with these terms.
If you want access different user accounts with your REST client, then you must register your client by the service and you will get an API key. The user can give privileges to that API key, so you can do things in the name of the service users if they allow it.
On the other hand if your client wants to access only its own account, then it is just a regular user of the service and it can have username and password just like the other users.