I have noticed that the API documentation makes reference to Global Roles and Tenant Roles. e.g.
The link http://developer.openstack.org/api-ref-identity-v2.html#identity-v2-ext has a Get operation on
/v2.0/users/{user_id}/roles
that says 'Lists global roles for a specified user. Excludes tenant roles' when I call this for the admin user using Openstack.net SDK (GetRolesByUser), I can see it makes the call correctly but the response I get back is saying...
{
"error":
{
"message": "User roles not supported: tenant ID required",
"code": 501,
"title": "Not Implemented"
}
}
So what's the difference between tenant roles and global roles. Has this api call been deprecated from openstack or something?
It seems roles are roles, it's just terminology and in the current version you can't assign roles to a user without involving a tenant. See link below for more information.
https://ask.openstack.org/en/question/33488/api-request-returns-user-roles-not-supported-tenant-id-required/
Related
I am using AAM Plugin in our Wordpress instance to be able to use JWT tokens for authentication. We are currently blocked by limited permissions for user roles other than administrator to refresh its token.
In Detail, when calling wp-json/aam/v2/authenticate for user with role administrator and body:
{
"username": "Sampleusername",
"password": "Samplepassword",
"issueJWT": true,
"refreshableJWT": true
}
everything works fine and refreshable token is returned, which can be used with endpoint wp-json/aam/v2/jwt/refresh to refresh the token without the need to provide username and password again.
When using a user with any other role than administrator, and the same body parameters (obviously username and password for that respective user), 400 response is returned with message:
{
"reason": "Current user is not allowed to issue refreshable JWT token"
}
We are trying to search for the respective capability to add to the user role in order to enable refreshable tokens, can anyone help ?
Many thanks in advance
Dirk
I am setting up an instance of WSO2 API manager, and want to give developers access to the API "store" pages by linking it to my existing OpenID Connect identity server (OpenAM). I've added the OIDC configuration into the store configuration file (wso2am-2.6.0/repository/deployment/server/jaggeryapps/store/site/conf/site.json) with all the details of the authorise, token, userinfo endpoints, etc.
When users click login in the store, it is correctly redirecting them to OpenAM to login, and passing an access token back to the store app. I've also ensured some of the required claims are returned from the userinfo endpoint (like preferred_username). I'm also returning a "groups" claim listing the groups the user should be in "subscriber" for example.
The claims I'm returning from userinfo are:
{
"address":{
"formatted":"My House"
},
"given_name":"Danny",
"family_name":"Developer",
"name":"Danny Developer",
"preferred_username":"Danny Developer",
"groups":[
"subscriber"
],
"email":"adam.hatherly#nhs.net",
"sub":"developer1"
}
However, whatever I try with claims and group names, the store still gives the error message "User is not permitted to log in to the Store.". I assume there's something else I need to add in either the access token or userinfo endpoint
claims list to make the store app accept the user, or some other config in the store or carbon console?
The reason for the user login issue is that the user does not have relevant permissions to log in to the store. User needs to have internal/subscriber role assigned to it. Since the user is coming from OpenAM and APIM does not have any information to authorize it, login fails.
For this either you should share the user OpenAM user store with APIM (say a shared LDAP) and assign users with internal/subscriber role or use a custom code to add the user to the APIM user store and assign the role.
Another easiest option is to create a user in APIM side (add a dummy password) with subscriber role. but this is not a suitable solution if you do not know all the users
I am using auth0 for authentication. I want to fetch all users including their roles. I generated token in auth0 and when I try to execute it in Postman or fiddler tool, Sometimes it's giving roles and sometimes not. Same thing is happening in application also.
If I add manually in app metadata in role property as below, Then information is coming.
{
"authorization": {
"groups": [
"Admins",
"Users"
],
"roles": [
"Admin"
],
"permissions": []
}
}
But I fill, that if I change in authorization tab, It should effect here also.
Below is my code,
var apiUser = new ManagementApiClient("<<Token>>", new Uri("https://<<Domain>>/api/v2"));
IPagedList<User> allUsers = await apiUser.Users.GetAllAsync();
Do I need to clear cache in auth0, If yes then how?
Based on the information you provided it seems that you're using the Auth0 Authorization extension to configure user role information.
If this is the case you should notice that the extension logic is run at login time by the means of a rule. When you have that extension installed you should also have a companion rule; in my account the rule is named auth0-authz and should be the same for your case assuming version 2.0 of the extension.
The impact of this is that the roles are surfaced at the user level at login time, so any changes to the configured roles will be seen next time the user logins.
Note: Since this logic is part of a rule it will only be executed in the context of a login. If users are added to or removed from a group this will only be reflected within Auth0 after this user logs in again (eg: in the user's app_metadata or when calling the /userinfo endpoint).
You're querying the users directly through Auth0 Management API which may lead to the situation where the roles currently stored at the user profile are not up-to-date. If you are seeing stale information then this might be the cause.
On the other hand if your problem is not exactly this one, please provide further information and if possible steps to reproduce. For example, do the roles information show for one user but not the other or does it show for user A in one response, but then if you make another request the response does not include role information for that same user A?
I was not using the authorisation extension, but rather the standard role. So I've had to create the below rule.
More info here : http://isbyr.com/return-user-roles-in-auth0/
function (user, context, callback) {
// Get the user roles from the Authorization context
const assignedRoles = (context.authorization || {}).roles;
// Update the user object.
user.rolez = assignedRoles;
callback(null, user, context);```
I'm trying to get a list of groups for a domain in Google Api (https://developers.google.com/admin-sdk/directory/v1/reference/groups/list).
I'm using "domain wide delegation", and have a service account from which the web app makes all its requests to Google.
The admin-sdk requires the requesting user to be an administrator, so i'm impersonating a admin user on the given domain.
This works fine with (https://developers.google.com/admin-sdk/directory/v1/reference/users/get), but when I'm trying to use the group api, it fails like this:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Not Authorized to access this resource/api"
}
],
"code": 403,
"message": "Not Authorized to access this resource/api"
}
}
I have checked the the permissions from the domain administrator have been delegated to the service account. And I have also checked that i can access the list of groups, while being logged in as the domain administrator.
Any help or hints is highly appreciated.
Thanks in advance
You will need to add the scope for reading groups.
First, make sure that you properly followed the steps here in this documentation including this steps on how to Instantiate an Admin SDK Directory service object.
It is important because this one shows you how to make API requests using OAuth 2.0 and your service account's credentials to perform Google Apps Domain-wide delegation.
For more information, check these related SO questions:
Google_Service_Directory - (403) Not Authorized to access this resource/api
Received error “Not Authorized to access this resource/api” when trying to use Google Directory API and Service Account Authentication
I have created a new collection and have added few entities to this collection in the APIGEE BaaS. I am able to run GET query using the admin portal.
I am trying to invoke the same using my REST client.
I am using the following URL: https://api.usergrid.com/myOrg/myapp/mycollection
However, I get below error:
{
"error": "unauthorized",
"timestamp": 1401855388323,
"duration": 1,
"exception": "org.apache.shiro.authz.UnauthorizedException",
"error_description": "Subject does not have permission [applications:get:xxxxxxxxxxx]"
}
I believe I need to add authorization information in the HTTP header for the request. But am unable to find information on what is expected.
How can I invoke the BaaS API?
This is happening because you don't have permission to access the collection without authentication (or in some cases, your authentication token may not have appropriate permission to access that particular collection.
You can read about managing permissions & roles in the Apigee docs.
There are a couple quick ways to solve your problem though:
(The most prevalent) is to authenticate your user account and use an appropriate access token (e.g. https://api.usergrid.com/myOrg/myapp/mycollection?access_token=<token>)
While it's not something you should be doing on the client side, for server-side requests or testing purposes, you can use your app or org-level client_id/client_secret in a similar manner (e.g. https://api.usergrid.com/myOrg/myapp/mycollection?client_id=<id>&client_id=<secret>)
Give the Guest role access to your collection (here's a link to the docs)