I want to use the wso2 SCIM2.0 API for CRUD operations on my users.
When I call the API to get ALL the users, it works, but when I try to call the API to get a specific User by its ID, it returns a 403 forbidden error.
The API I'm calling is this one:
https://localhost:9443/t/carbon.super/scim2/Users/29ae81f4-37eb-4e5c-a3c9-33cba98f4f47
and I'm passing the access token generated with the scope: internal_user_mgt_list
and the users logged in that is trying to call the API has all the User Managment permissions.
I solved the problem. The documentation specifies the wrong scope. The required scope is not internal_user_mgt_list but internal_user_mgt_view
Related
I am trying to automate the creation of users and roles in wso2 by way of the included api's. I can list the wsdl with no problem. I can call the api authenticate with no problem. But if I call any other api endpoint such as isExistingUser I get a UserStoreException returned and a "Error occurred while accessing java Security Manager Privilege Block" in the logs. How exactly do I make an api call to check the existence of a user, add/remove a user, add/remove a role to a user?
an example of an api call that works is
https://ip address:9443/services/RemoteUserStoreManagerService/authenticate?userName=admin&credential=admin
and example of an api call that does not work is
https://ip address:9443/services/RemoteUserStoreManagerService/isExistingUser?admin
The request seems to be wrong. Try with parameter name as mentioned below:
https://ip address:9443/services/RemoteUserStoreManagerService/isExistingUser?userName=admin
i want to read all Users from a realm via rest api and postman. If I send http://localhost:8080/realms/{realm}/users i get no response.
Does anyone know a tutorial on how to use the api? I also want to add users, which does not work with the api.
I read the keycloak api description, but I don’t understand what I have todo.
Thx
The official documentation does not describe it very accurately.
You can try this api
http://localhost:8080/auth/admin/realms/{realm}/users
add "auth/admin" after your host address.
Access to this api requires admin access_token.
The process of getting an access to Keycloak REST API is described in the Server Development Guide - Admin REST API.
https://www.keycloak.org/docs/latest/server_development/index.html#admin-rest-api
You need first to obtain an access token from Master realm and then using this access token submit a request to realm you want to get users from.
Make sure to use "client_id=admin-cli" parameter when requesting the access token from Master realm.
I follow link
I created API for CheckPhoneNumber 'POST' and 'GET' type request as given documentation.
How to test that API?
I searched many sites they are using 'API Console' tab in store. There is required Access Token. I am creating Access 'Production Keys' from DefaultApplication. that Access token am using it is giving error
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900908</ams:code>
<ams:message>Resource forbidden </ams:message>
<ams:description>Access failure for API: /phoneverify/1.0.0, version: 1.0.0 status: (900908) - Resource forbidden </ams:description>
</ams:fault>
If there is another way to create Access Token?
Or tell me if am doing something wrong for testing API.
You need to subscribe the Application to the API.
Ref: https://docs.wso2.com/display/AM260/Subscribe+to+an+API
As #Bee pointed out above, you don't have issues with access token, the problem is you have not subscribed to your api in the api manager. error code 900908 implies the API is not subscribed to by the app trying to invoke it.
There is documentation for test users in the Facebook Developer online documentation but how do you delete actual users where the application doesn't show in their app list anymore? This is with the knowledge of the access_token and facebook_user_id.
Used to delete Test Users:
https://graph.facebook.com/893450345999?method=delete&access_token=A2ADI1YMySweBABBGrWPNwKMlubZA5ZCrQbxwhtlEd9FIQUrOVjsGD3mnIWEbUhzDz7dkuBekMFdHvjvJ9CZAU7EMSSaZBsgN60FkMCi3AAZDZD
Running the test user link produces the following error:
"error": {
"message": "(#100) Can only call this method on valid test users for your app",
"type": "OAuthException",
"code": 100
}
You seek for application de-authorization:
You can de-authorize an application or revoke a specific extended permissions on behalf of a user by issuing an HTTP DELETE request to PROFILE_ID/permissions with a user access_token for that app.
permission - The permission you wish to revoke. If you don't specify a permission then this will de-authorize the application completely.
To achieve this issue request to:
https://graph.facebook.com/me/permissions?method=delete&access_token=...
Once application de-authorized it will not appear in the list of user's applications.
Update December 2021
Follow the reference for Requesting & Revoking Permissions:
To remove single permission issue a DELETE request to /{user-id}/permissions/{permission-name} passing user access token or an app access token
To de-authorize an app completely issue similar request to the /{user-id}/permissions endpoint
Real users 'delete' themselves from your app when they remove your app from their account, you don't have to do anything.
If you would like to know when users de-authorize your app like this, you can specify a Deauthorize Callback URL in your app's settings. As described in the docs at https://developers.facebook.com/docs/authentication/:
Upon app removal we will send an HTTP POST request containing a single parameter, signed_request, which, once decoded, will yield a JSON object containing the user_id of the user who just deauthorized your app. You will not receive an user access token in this request and all existing user access tokens that were previously issued on behalf of that user will become invalid.
UPDATE: To remove your own app from the user's authorized applications, issue an HTTP DELETE to https://graph.facebook.com/[userid]/permissions?access_token=... as per https://developers.facebook.com/docs/reference/api/user/.
Typically Graph API calls also support doing an HTTP POST with an extra parameter, method=DELETE, in case DELETE calls are not possible/supported.
To do it:
You must have the user access token.
Visit https://developers.facebook.com/tools/debug/accesstoken/ and debug the user access token.
Copy App-Scoped User ID
Via API call HTTP DELETE to https://graph.facebook.com/[App-Scoped User ID]/permissions?method=delete&access_token=[YOUR-APP-ACCESS-TOKEN]
I am using Identity server 5.2.0 and api manager 2.0.0. I have implemented a method to use refresh token to get the new access token for a user if the token has expired. But after implementing this some of the users will be unauthorized. When the user tries to login, token and scopes will be returned correctly but when calling the an api with the token, the user is unauthorized. Deleting and adding the user with same username also does not solve the issue. Is there any setting that blocks a user that may cause this issue?
Are you sure, the application in APIM is subscribed to the API you're trying to invoke? If not, you need to do that.