I set up keystone v3, then created a domain dom1 and a user adm1 and granted this user the admin role. I authenticated this user with domain scope, then created a project under dom1. I tried to list projects with the same token that created the project. All I got was "You are not authorized to perform the requested action: identity:list_projects".
If I take out the rule domain_id:%(domain_id)s in policy.v3cloudsample.json for "identity:list_projects", everything works well.
Why can't I list projects with the rule domain_id:%(domain_id)s?
Thanks.
According to the OpenStack API document, the API URL for listing projects must be filtered with the domain ID. So in policy.json, domain_id:%(domain_id)s for identity:list_projects means the domain ID in the URL filter must be equal to the domain ID that the token is scoped to.
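To make the answer concrete, here is an added example (not keystone's or oslo.policy's own code) that re-implements, in a few lines, how a generic rule of the form key:%(name)s is evaluated: the part before the colon names a field of the token's credentials, the %(name)s part is filled in from the request target, which for list_projects is the set of query-string filters, and a missing filter makes the rule fail. The token credentials dictionary and the rule shape are assumptions modelled on the question.

```python
from urllib.parse import parse_qs, urlparse

# Constructed credentials as keystone would derive them from a token scoped
# to domain dom1 for user adm1 holding the admin role (assumed shape).
TOKEN_DOM1_ADMIN = {"user_id": "adm1", "domain_id": "dom1", "roles": ["admin"]}


def generic_check(rule, creds, target):
    """Evaluate one 'key:%(name)s' rule the way an oslo.policy generic
    check does (assumed semantics): the key names a credential field, the
    %(name)s part is substituted from the target, and a target field that
    is absent makes the rule fail."""
    kind, match = rule.split(":", 1)
    try:
        expected = match % target          # KeyError when the filter is absent
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == str(expected)


def filters_from_url(url):
    """Turn the query string of GET /v3/projects?... into the policy target."""
    return {key: values[0] for key, values in parse_qs(urlparse(url).query).items()}


def list_projects_allowed(creds, url, require_domain_match=True):
    """Approximation of the identity:list_projects rule from the question:
    the token needs the admin role and, unless require_domain_match is
    False (the domain rule removed, as the asker tried), the domain_id
    filter in the URL must equal the token's domain."""
    if "admin" not in creds.get("roles", []):
        return False
    if not require_domain_match:
        return True
    return generic_check("domain_id:%(domain_id)s", creds, filters_from_url(url))


if __name__ == "__main__":
    for url in ("/v3/projects", "/v3/projects?domain_id=dom1", "/v3/projects?domain_id=dom2"):
        print(url, "->", list_projects_allowed(TOKEN_DOM1_ADMIN, url))
```

Listing projects without a domain_id filter fails because the target has nothing to substitute into %(domain_id)s; adding ?domain_id=dom1 to the request makes the same domain-scoped token pass, while ?domain_id=dom2 is still denied.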
Related
I'm using Google Cloud Platform's Identity Platform product in multi-tenancy mode. I have one GCP project with two web apps and each app has a tenant in Identity Platform:
Tenant A with the tenant ID tenant-a-1234 at a.example.com
Tenant B with the tenant ID tenant-b-5678 at b.example.com
I need to generate password reset links for users in these tenants. The Firebase Admin SDK generates links using the Action URL that is defined in the Firebase console under Authentication > Templates. That works fine when it's vanilla Firebase with a single tenant but I'm using Identity Platform and multi-tenancy so I need an Action URL for each tenant so that links for Tenant A point to a.example.com and links for Tenant B point to b.example.com.
Here's an example of how I'm generating the links:
const admin = require('firebase-admin');
admin.initializeApp(); // uses application default credentials

let tenantId = 'tenant-b-5678';
let email = 'foo@b.example.com';
// Auth instance bound to this tenant
const auth = admin.auth().tenantManager().authForTenant(tenantId);
auth
  .generatePasswordResetLink(email)
  .then((resetUrl) => {
    // resetUrl always uses the Action URL configured in the Firebase console
    console.log(resetUrl);
  })
  .catch((err) => console.error(err));
resetUrl is forever stuck using whatever domain name is set in the Firebase console and it enforces this for all tenants in the project.
It's not feasible for me to have one email action handler page that handles both tenants. Ideally, I would be able to call the Firebase API and pass in a custom Action URL to have the generated link use it. That doesn't appear possible.
One alternative would be to have my Cloud Function generate the link and then find and replace the domain name. I'd rather not maintain a static mapping of sites to tenant ids in my code, and it seems like this is something Identity Platform probably can do for me, so I'm hoping there's an alternative.
How do I use a unique Action URL for each Identity Platform tenant when generating email action links with the Firebase Admin SDK?
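The post's fallback idea, rewriting the host of the generated link per tenant, is easy to get wrong if done with a plain string replace. The following added example (Python, not the Admin SDK code from the question and not part of the original post) shows the rewrite done by parsing the link and swapping only the origin, so the path and the mode, oobCode and apiKey parameters survive intact. The tenant-to-host mapping is a constructed stand-in for wherever that mapping lives; the sample link and its tenantId parameter are constructed as well.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed mapping from the question's tenants to their sites.
TENANT_HOSTS = {
    "tenant-a-1234": "a.example.com",
    "tenant-b-5678": "b.example.com",
}

# Parameters an email action link must carry for the handler page to work.
REQUIRED_PARAMS = ("mode", "oobCode")

# Constructed sample of what generatePasswordResetLink returns (assumed shape).
SAMPLE_LINK = (
    "https://myproject.firebaseapp.com/__/auth/action"
    "?mode=resetPassword&oobCode=CONSTRUCTED_CODE&apiKey=CONSTRUCTED_KEY"
    "&tenantId=tenant-b-5678&lang=en"
)


def rebase_action_link(link, tenant_id, tenant_hosts=TENANT_HOSTS):
    """Return the link with its origin replaced by the tenant's own host.
    Only the scheme and host change; path, query and fragment are kept."""
    if tenant_id not in tenant_hosts:
        raise ValueError(f"unknown tenant: {tenant_id}")
    parts = urlsplit(link)
    query = parse_qs(parts.query)
    missing = [name for name in REQUIRED_PARAMS if name not in query]
    if missing:
        raise ValueError(f"action link is missing {missing}")
    # Refuse to rebase a link that was generated for a different tenant.
    if "tenantId" in query and query["tenantId"][0] != tenant_id:
        raise ValueError("tenantId in link does not match requested tenant")
    return urlunsplit(("https", tenant_hosts[tenant_id], parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    print(rebase_action_link(SAMPLE_LINK, "tenant-b-5678"))
```

Because the host comes from an allow-list keyed by tenant rather than from the request, a caller cannot steer a reset link to an arbitrary site, and the tenantId consistency check catches a link generated under the wrong tenant's Auth instance.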
I created a user with username aggr1. When I log in to the dev portal with aggr1 credentials, I can access all of the published APIs. How can I force this particular user to only see two or three APIs in the Dev Portal?
Thanks
You can manage access to APIs through roles.
When creating an API, on the first page you have a dropdown "Access" (or "Visibility" or something like that) with default value All.
You can list the roles which are required to see the API in the dev portal, and then assign (or not) the roles to the user.
By default APIs are set to public and any user who logs into the dev portal can see the APIs. You can set role-based visibility or visibility based on domain. Please refer to the documentation - https://apim.docs.wso2.com/en/latest/learn/design-api/advanced-topics/control-api-visibility-and-subscription-availability-in-developer-portal/#control-api-visibility-in-the-developer-portal
I read this Firebase Showing a custom domain during sign in and I don't understand in the doc where it says:
Go to the Identity Providers page in the Cloud Console, and select your SAML provider.
I can't see that I have a SAML provider. Am I supposed to create one?
I have a new Firebase project and just created a billing account today.
Under 4) it says:
Update the Callback URL with your identity provider to use your custom
domain instead of the default domain. For example, change
https://myproject.firebaseapp.com/__/auth/handler to
https://auth.mycustomdomain.com/__/auth/handler.
But when I create the SAML provider there is no way to change that Callback URL; the only place where I see this to be changeable (and I already have my domain as an authority handler) is in the Web client (auto-created by Google Service):
Finally, as this image shows, should I add the 'auth' (I made a ring on the image) as a prefix for my domain only there, or should I do that also when creating the domain as in this doc Connect a custom domain? I can't see anything about this in the doc, though!
I'm developing a plugin based on the WP REST API and I need to make sure only authorized users access it. I will be providing an API key to authenticate. However, I also want to associate the API key with a certain domain (meaning it should only work if it's being used from the authorized domain(s)).
How do I check on the API side if it is being accessed from an authorized domain?
I know that when I do a "register_rest_route" I can set a function that checks user permission via the "permission_callback" argument. However, I don't know how I can check what domain makes the API request.
Thanks
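The only information a server has about the page that issued a browser request is the Origin header (or Referer as a fallback), so "which domain is calling" means validating that header against the hosts bound to the API key. The added example below (Python, framework-neutral, not part of the question or of WordPress) shows the check with the two details that matter: compare the parsed hostname for exact equality rather than testing whether the allowed domain appears somewhere in the string, and treat a missing, "null" or malformed header as not allowed. The header dictionary layout and the key registry are constructed assumptions. Note the limit of this control: browsers set Origin and Referer, but any non-browser client can send whatever value it likes, so the domain binding stops other sites from reusing the key in a browser and nothing more; the key itself remains the credential.

```python
from urllib.parse import urlsplit

# Constructed registry: which hosts each API key may be used from.
API_KEYS = {
    "CONSTRUCTED-KEY-1": {"app.example.com", "www.example.com"},
}


def host_from_header(value):
    """Extract the lowercase hostname from an Origin or Referer header value.
    Returns None for an absent, "null", or malformed value."""
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def request_allowed(headers, api_keys=API_KEYS):
    """Decide whether a request carrying X-Api-Key comes from a host bound
    to that key. `headers` is a plain dict of header name to value (assumed)."""
    allowed_hosts = api_keys.get(headers.get("X-Api-Key"))
    if allowed_hosts is None:
        return False                     # unknown or missing key
    host = host_from_header(headers.get("Origin")) or host_from_header(headers.get("Referer"))
    if host is None:
        return False                     # no usable origin information
    return host in allowed_hosts         # exact host match, never a substring test


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://app.example.com.evil.test", None):
        print(origin, "->", request_allowed({"X-Api-Key": "CONSTRUCTED-KEY-1", "Origin": origin}))
```

A substring check such as "example.com" in referer would accept app.example.com.evil.test; parsing the hostname and comparing it whole is what closes that gap.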
We use the LinkedIn API to list companies that a user admins.
We have our App set to get r_fullprofile and rw_company_admin when the user grants permission.
We're trying to list all of the companies the user has admin access to via:
http://api.linkedin.com/v1/companies:(id,name,square-logo-url)?is-company-admin=true
<error>
<status>403</status>
<timestamp>1432323149224</timestamp>
<request-id>XXXXXXXXXX</request-id>
<error-code>0</error-code>
<message>Member [user id] does not have permission to get companies as admin.</message>
</error>
According to the Manage Company Pages docs, as long as we have the rw_company_admin scope, we should be able to call this endpoint.
I've read through the Developer Program Transition docs (https://developer.linkedin.com/support/developer-program-transition) but it doesn't seem to affect this usage of the API.
ETA: This has been flagged as a possible duplicate of LinkedIn API unable to view _any_ company profile
That question is about fetching details for a single company (which the user may or may not administrate). My question is about listing companies that the user specifically does administrate.
According to the new API changes, the user should be an administrator of the target company. Read this.
All calls to Companies API endpoints will require the authenticated user to be flagged as an administrator of the LinkedIn Company Page that is the target of the API call. You become the administrator of a page when you create it. If the page already exists, you will have to contact the existing administrator to grant admin access to other LinkedIn members.
I faced the same problem and the problem was with the initial authorization code. You should mention scope=rw_company_admin while doing the initial redirect URL call. Something like this:
https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=your_client_id&redirect_uri=https%3A%2F%2Fwww.google.com/&state=12345&scope=rw_company_admin%20r_emailaddress%20w_share%20r_basicprofile
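Building that redirect URL by hand is where scopes get dropped or mis-encoded, so here is an added example (Python, not LinkedIn's SDK or the answerer's code) that assembles the authorization URL from a scope list, encodes the scopes as a single space-separated parameter exactly as in the answer's URL, and generates a random state value that the callback handler compares in constant time. The client_id and redirect_uri are placeholders; the redirect_uri must be one registered for the app.

```python
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTH_ENDPOINT = "https://www.linkedin.com/oauth/v2/authorization"


def _quote_everything(value, safe="", encoding=None, errors=None):
    """Percent-encode every reserved character, including '/', so the
    redirect_uri appears as https%3A%2F%2F... like the URL in the answer."""
    return quote(value, safe="", encoding=encoding, errors=errors)


def build_authorization_url(client_id, redirect_uri, scopes, state=None):
    """Return (url, state). Scopes are joined by one space into a single
    'scope' parameter (rendered as %20); state defaults to a fresh random
    value the app must store and check when the callback arrives."""
    if not scopes:
        raise ValueError("at least one scope is required")
    if state is None:
        state = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),
    }
    return AUTH_ENDPOINT + "?" + urlencode(params, quote_via=_quote_everything), state


def requested_scopes(url):
    """Read the scope set back out of an authorization URL, e.g. to confirm
    rw_company_admin is present before redirecting the user."""
    query = parse_qs(urlsplit(url).query)
    return set(query.get("scope", [""])[0].split())


def state_matches(expected, received):
    """Constant-time comparison of the state echoed back on the callback."""
    return secrets.compare_digest(expected, received)


if __name__ == "__main__":
    url, state = build_authorization_url(
        "your_client_id",                       # placeholder
        "https://www.example.com/callback",     # placeholder, must be registered
        ["rw_company_admin", "r_emailaddress", "w_share", "r_basicprofile"],
    )
    print(url)
    print("scopes:", sorted(requested_scopes(url)), "state:", state)
```

If rw_company_admin is missing from requested_scopes(url), the resulting access token will not carry the permission and the companies endpoint returns the 403 shown in the question, regardless of what the app is configured to request in the developer console.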