I'm trying to delete a consent purpose that I created. I understand that I cannot delete a consent purpose if there are users associated with it.
I have already deleted all the users from the database, but when I list all the consents with the REST API there is still a record of a user (even though the database is empty).
How can I delete the user record that no longer exists in the database but is still related to consent?
How can I clean all the data related with the consents?
How can I revoke all the consents?
Am I missing something?
WSO2 IS v5.10.0
WSO2 Doc - https://docs.wso2.com/display/IS590/apidocs/Consent-management-apis/index.html#!/operations#Consent#consentsGet
I have been trying the WSO2 REST API to solve this issue, but without success.
When I try to delete a purpose with the WSO2 REST API, I get: {"code":"CM_00079","message":"Bad Request","description":"Purpose Id: 29 is associated with one or more receipt(s)."}
You ran into this issue because the users were deleted directly from the database/user store. Deleting users directly from the database is not recommended. If you use the user deletion REST API/SOAP API, then in addition to clearing the user data from the user store it invokes the user deletion pre-listeners/post-listeners, which clear out the other associations/bindings of the user being deleted that are stored in different tables/different DBs.
Clearing the consent receipt data is one such case, and there are many more (e.g. removing the user from assigned roles).
Since you removed the user directly from the DB, the consent associated with the deleted user has not been cleared.
To delete the consent data of the user, clear the records in the following tables in the Identity DB, in this order (due to foreign key constraints):
CM_SP_PURPOSE_PURPOSE_CAT_ASSC
CM_SP_PURPOSE_PII_CAT_ASSOC
CM_SP_PURPOSE_ASSOC
CM_RECEIPT_SP_ASSOC
CM_RECEIPT
Then try the REST API request to delete the consent purpose.
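The following is an added example, not code from WSO2 or from the answer above: it rehearses the clean-up order the answer gives against an in-memory SQLite copy of the five CM_* tables (plus CM_PURPOSE, the table the purpose with id 29 lives in). The table names are the ones listed in the answer; the column names (CONSENT_RECEIPT_ID, PII_PRINCIPAL_ID, RECEIPT_SP_ASSOC, SP_PURPOSE_ASSOC_ID, ...) and the foreign-key chain are assumptions based on the 5.x identity DB scripts and must be checked against the dbscripts shipped with your own IS_HOME before running anything similar against a real Identity DB. The demo schema declares plain foreign keys without ON DELETE CASCADE, which is why the order matters, as the answer states. The principal id and receipt rows are constructed sample data.

```python
"""Rehearse the consent clean-up order from the answer on a throwaway SQLite DB.

Added example, not WSO2 code.  Column names and FK chain are assumptions
modelled on the 5.x identity DB scripts; verify against your own dbscripts.
"""
import sqlite3

# Sub-selects that walk the FK chain from a PII principal down to the
# association rows, so every DELETE takes the principal as its only parameter.
RECEIPTS = "SELECT CONSENT_RECEIPT_ID FROM CM_RECEIPT WHERE PII_PRINCIPAL_ID = ?"
SP_ASSOC = f"SELECT ID FROM CM_RECEIPT_SP_ASSOC WHERE CONSENT_RECEIPT_ID IN ({RECEIPTS})"
PURPOSE_ASSOC = f"SELECT ID FROM CM_SP_PURPOSE_ASSOC WHERE RECEIPT_SP_ASSOC IN ({SP_ASSOC})"

# Children first, exactly the order given in the answer.
CLEANUP_ORDER = [
    ("CM_SP_PURPOSE_PURPOSE_CAT_ASSC",
     f"DELETE FROM CM_SP_PURPOSE_PURPOSE_CAT_ASSC WHERE SP_PURPOSE_ASSOC_ID IN ({PURPOSE_ASSOC})"),
    ("CM_SP_PURPOSE_PII_CAT_ASSOC",
     f"DELETE FROM CM_SP_PURPOSE_PII_CAT_ASSOC WHERE SP_PURPOSE_ASSOC_ID IN ({PURPOSE_ASSOC})"),
    ("CM_SP_PURPOSE_ASSOC",
     f"DELETE FROM CM_SP_PURPOSE_ASSOC WHERE RECEIPT_SP_ASSOC IN ({SP_ASSOC})"),
    ("CM_RECEIPT_SP_ASSOC",
     f"DELETE FROM CM_RECEIPT_SP_ASSOC WHERE CONSENT_RECEIPT_ID IN ({RECEIPTS})"),
    ("CM_RECEIPT", "DELETE FROM CM_RECEIPT WHERE PII_PRINCIPAL_ID = ?"),
]

DEMO_SCHEMA = """
CREATE TABLE CM_PURPOSE (ID INTEGER PRIMARY KEY, NAME TEXT NOT NULL);
CREATE TABLE CM_RECEIPT (
  CONSENT_RECEIPT_ID TEXT PRIMARY KEY, PII_PRINCIPAL_ID TEXT NOT NULL, STATE TEXT NOT NULL);
CREATE TABLE CM_RECEIPT_SP_ASSOC (
  ID INTEGER PRIMARY KEY, SP_NAME TEXT NOT NULL,
  CONSENT_RECEIPT_ID TEXT NOT NULL REFERENCES CM_RECEIPT(CONSENT_RECEIPT_ID));
CREATE TABLE CM_SP_PURPOSE_ASSOC (
  ID INTEGER PRIMARY KEY,
  RECEIPT_SP_ASSOC INTEGER NOT NULL REFERENCES CM_RECEIPT_SP_ASSOC(ID),
  PURPOSE_ID INTEGER NOT NULL REFERENCES CM_PURPOSE(ID));
CREATE TABLE CM_SP_PURPOSE_PII_CAT_ASSOC (
  SP_PURPOSE_ASSOC_ID INTEGER NOT NULL REFERENCES CM_SP_PURPOSE_ASSOC(ID),
  PII_CATEGORY_ID INTEGER NOT NULL);
CREATE TABLE CM_SP_PURPOSE_PURPOSE_CAT_ASSC (
  SP_PURPOSE_ASSOC_ID INTEGER NOT NULL REFERENCES CM_SP_PURPOSE_ASSOC(ID),
  PURPOSE_CATEGORY_ID INTEGER NOT NULL);
-- constructed sample data: purpose 29 is only used by alice, whose user row is gone
INSERT INTO CM_PURPOSE VALUES (29, 'Marketing'), (30, 'Analytics');
INSERT INTO CM_RECEIPT VALUES ('r-1', 'alice@carbon.super', 'ACTIVE'),
                              ('r-2', 'bob@carbon.super', 'ACTIVE');
INSERT INTO CM_RECEIPT_SP_ASSOC VALUES (1, 'travel-app', 'r-1'), (2, 'travel-app', 'r-2');
INSERT INTO CM_SP_PURPOSE_ASSOC VALUES (1, 1, 29), (2, 2, 30);
INSERT INTO CM_SP_PURPOSE_PII_CAT_ASSOC VALUES (1, 7), (2, 7);
INSERT INTO CM_SP_PURPOSE_PURPOSE_CAT_ASSC VALUES (1, 3), (2, 3);
"""


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless told otherwise
    conn.executescript(DEMO_SCHEMA)
    return conn


def orphaned_principals(conn, existing_users) -> set:
    """Principals that still hold receipts but no longer exist in the user store."""
    rows = conn.execute("SELECT DISTINCT PII_PRINCIPAL_ID FROM CM_RECEIPT")
    return {r[0] for r in rows} - set(existing_users)


def delete_consents_for_principal(conn, principal, order=CLEANUP_ORDER) -> dict:
    """Run the deletes in one transaction; returns rows removed per table."""
    deleted = {}
    with conn:  # commit on success, roll back everything on an FK violation
        for table, stmt in order:
            deleted[table] = conn.execute(stmt, (principal,)).rowcount
    return deleted


def order_succeeds(order) -> bool:
    """True if the given deletion order gets through the FK constraints."""
    try:
        delete_consents_for_principal(build_demo_db(), "alice@carbon.super", order)
        return True
    except sqlite3.IntegrityError:
        return False


def delete_purpose(conn, purpose_id) -> bool:
    """Mirror the REST call: fails while any receipt still references the purpose."""
    try:
        with conn:
            cur = conn.execute("DELETE FROM CM_PURPOSE WHERE ID = ?", (purpose_id,))
        return cur.rowcount == 1
    except sqlite3.IntegrityError:
        return False
```

Running it against the constructed data shows the full sequence from the question: purpose 29 cannot be deleted while alice's orphaned receipt exists, the five deletes in the listed order remove exactly her rows and leave bob's intact, and the purpose can then be deleted, while the reversed order trips the first foreign key immediately.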
I'm trying to understand the best way to work with Facebook user login. In my app, in the profile section, it's possible for the user to sync with Facebook and store it (I'm storing the Facebook user id in the application database), and use the Graph API with the provided access token in the app afterwards. At this point all is fine.
But when the user comes back to the app some time later, to run a Graph API call he needs a new access token, and I do not see a way to get that access token without running the user through the same Facebook authentication logic with that Facebook confirmation dialog.
So the question is: is it possible to get an access token with a pre-stored user id without running the user through authentication again? It's a bit weird from the user's perspective to see that Facebook dialog every time after he has already logged in with Facebook and saved that once. Also, if Facebook always requires confirming the login, it seems like from the app's perspective it does not make sense to store the id at all (it's possible to get it with each login anyway).
Also, what if I do not want users of my app to easily change the linked Facebook account? With that Facebook pop-up, the user can log in through a different account each time. Does that mean I need to compare the returned id with the stored id on the app side afterwards and alert the user that he can't change the already synchronized Facebook account to some other one?
I have a public provisioned Elasticsearch endpoint created on AWS. This gets me a public Kibana login endpoint. I got a default master username with it and a password. I can login, I created an index pattern, and I can see my data.
So far so good.
Now I wanted to give some users access. I created a couple of new users. Then in the user management section I gave them the all_access role, in the hope that they would be able to see everything.
They can login, but instead of using my already created index pattern, they are prompted to create a new one.
Is that how it works? Do they need to create their own index pattern? Can't they just re-use my already created index pattern and directly go to discover and query the data?
Obviously, I am a newbie with Kibana and ES.
The issue here is that Kibana tracks index patterns within tenants. When users log in, they default into their private tenant. In order to have shared index patterns they need to exist in the Global tenant or else in a custom tenant. Additionally, the user will need to switch into the shared/public tenant where the objects exist.
We are using WSO2 for authentication (SAML/SSO).
I don't know how to tell if a user is already logged in (in order to prevent concurrent logins). Other SO questions have indicated this is possible to know both with WSO2 IS Analytics and without. I would prefer not to have to run WSO2 IS Analytics as well (this is alluded to here, but never clarified). Further, I can see the IDN_AUTH_SESSION_STORE table being populated and referred to during login, but that is using SESSION_ID (which is passed by the commonAuth cookie).
So I'm looking for a direct answer to this question: during the Auth flow, how can we tell if the given user is already logged in?
Without using the analytics, querying logged in user sessions by a user is not supported out of the box in WSO2 Identity Server. Let me explain why.
When a user authenticates with the WSO2 Identity Server, a session is created. These sessions are stored as session context objects, against the commonAuthId cookie in WSO2 implementation. Information about the logged in user is inside these session objects. Therefore if we want to get the session for a particular user, we have to query all active sessions and go through all of them one by one matching the user.
As an alternative, you can write a custom data publisher module which persists session data against each user and then you can use these data to prevent concurrent logins. I have a blog post written for this exact use case.
Hope this helps.
We're using Google Analytics API in our application and perform actions (read data) on behalf of our users (we get their tokens via OAuth2). We use a client id and client secret to authorize our Google API project (application).
The problem is that we're unable to reach this project in Google's developer console, because the user in our Google Apps account who created this project was deleted. Regardless, the Google API still works (we have the key and the client secret), but we can't access the project in the admin section in the browser because the owner was deleted.
What are the options to recover access to this API project? Is it possible to transfer ownership of this project using Google API? It's running in production so we can't afford to generate a new API project.
Is it perhaps possible to generate a new API project by keeping all our users consents (they authorize their accounts using an authorization popup in our web app)?
EDIT: it's also possible the user still exists, but we don't know who's the owner. Is it possible to retrieve this info using the app's api key/secret?
How to find out who owns your credentials:
Authenticate your application and the pop-up window will appear. Click on the name of the application (the little arrow) and a drop-down will appear with the email address of the developer who owns the project.
If you have lost access to this account, I am not aware of any way of getting access back. However, for the sake of curiosity I am going to contact someone at Google and find out whether they have a procedure for account recovery or not. I will update this when I hear back.
If the account that holds the credential was a G Suite user, then we can transfer the project to the admin of the domain.
Have the admin of the G Suite domain contact me with information on the project, the client id, and the email of the user who was deleted. We can then add the G Suite admin as the owner of the project.
From the question, this was likely a G Suite user, because even after the account was deleted the project was not deleted.
I am working on SPA AngularJS application which allows users to collaborate on projects and stores history of edits for each user. The requirement is to allow unauthenticated users to manipulate data too. Once the user registers, I need to associate her history of edits with the newly created account. The backend is Django.
What is the best option to track actions of anonymous users?
1. I can create an "anonymous" user at the first visit, issue a JWT, store it in the browser and use it to track all the user's activity. Later on, when registering the user, just update her profile.
The drawback is that there is a potential to get a lot of orphaned users that need to be periodically cleaned up.
This is similar to https://github.com/danfairs/django-lazysignup, but adapted to work with https://github.com/GetBlimp/django-rest-framework-jwt.
2. Use a JWT or cookie to track the user session. Allow using the session identifier instead of the user key to track the user's activity. When creating the real user, update all references to the session with the user's pk.
Anything else?
From my experience, go for solution 1. The orphan user is often not a problem, because from a business-plan point of view it's a user, and the more the better.
Also, having only one notion of user is really simpler. They are just users who haven't fully completed their profile, that's all.
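An added example illustrating solution 1 as the answer recommends; it is not code from the question's Django app, from django-lazysignup or from django-rest-framework-jwt. It is framework-free Python: an anonymous user row is created on first visit, an HS256 JWT bound to that row is issued, edits are recorded against whatever subject a *valid* token carries, and registration claims the row in place so the history keeps its user id. The `UserStore`, `forge_subject`, the TTL, the signing key and the sample edits are all constructed for the demo. The security point worth checking is that the claim and the edit log are driven by the verified token, never by a client-supplied user id, so a browser cannot adopt or pollute another anonymous user's history; the orphan problem the question raises is handled by an age-based purge of unclaimed rows.

```python
"""Anonymous-first accounts with a JWT that is later claimed on registration.

Added example, not the question's Django code or any library's API.
"""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"demo-signing-key-rotate-me"   # constructed; load from config in real use
ANON_TTL = 30 * 24 * 3600                 # assumption: unclaimed rows live 30 days


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: int, ttl: int = ANON_TTL) -> str:
    """Minimal HS256 JWT: header.payload.signature over the first two parts."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl},
                              separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(token: str, now: int):
    """Return the claims if signature, alg and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):   # constant-time compare
        return None
    if json.loads(_unb64(header)).get("alg") != "HS256":  # never trust alg from the client
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def forge_subject(token: str, new_sub: str) -> str:
    """What an attacker might try: swap the subject but keep the old signature."""
    header, payload, sig = token.split(".")
    claims = json.loads(_unb64(payload))
    claims["sub"] = new_sub
    return f"{header}.{_b64(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"


class UserStore:
    """In-memory stand-in for the users and edit-history tables."""

    def __init__(self):
        self.users = {}   # user_id -> {"email": str | None, "created": int}
        self.edits = []   # (user_id, description, timestamp)

    def start_anonymous(self, now: int) -> str:
        user_id = "anon-" + secrets.token_hex(8)
        self.users[user_id] = {"email": None, "created": now}
        return issue_token(user_id, now)

    def record_edit(self, token: str, description: str, now: int) -> bool:
        claims = verify_token(token, now)
        if claims is None or claims["sub"] not in self.users:
            return False
        self.edits.append((claims["sub"], description, now))
        return True

    def register(self, token: str, email: str, now: int):
        """Solution 1: the anonymous row becomes the real account in place."""
        claims = verify_token(token, now)
        if claims is None:
            return None
        user = self.users.get(claims["sub"])
        if user is None or user["email"] is not None:   # unknown or already claimed
            return None
        user["email"] = email
        return issue_token(claims["sub"], now, ttl=3600)  # rotate to a short-lived session token

    def history(self, user_id: str) -> list:
        return [d for uid, d, _ in self.edits if uid == user_id]

    def purge_orphans(self, now: int, ttl: int = ANON_TTL) -> int:
        """Drop unclaimed anonymous rows older than ttl, with their edits."""
        stale = {uid for uid, u in self.users.items()
                 if u["email"] is None and now - u["created"] > ttl}
        for uid in stale:
            del self.users[uid]
        self.edits = [e for e in self.edits if e[0] not in stale]
        return len(stale)
```

A real deployment would keep the signing key out of source, store `iat`/`exp` in UTC seconds from the server clock, and run the purge as a periodic job; the point of the rotation in `register` is that the long-lived anonymous token stops being usable once the account is claimed.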