/pi-info/{userId} GET API in self-sign up service is not working - wso2-identity-server

I'm trying to hit the /pi-info/{userId} GET API by encoding the username with a Base64 encoder and giving that value as the userId. The response we are getting is:
HTTP Status 500 – Internal Server Error
The username and userId values we are using are as follows:
Username: abcd@yopmail.com
Encoded value (userId): YWJjZEB5b3BtYWlsLmNvbQ==
Can you suggest what is causing this issue?

If you are using emails as usernames in the server, append the tenant domain to the username and encode that value to use as the userId in the /pi-info/{userId} GET request.
e.g.:
If username = abcd@yopmail.com and the user is in the carbon.super tenant,
tenant domain appended username = abcd@yopmail.com@carbon.super
encoded id to be used in the /pi-info/{userId} API =
YWJjZEB5b3BtYWlsLmNvbUBjYXJib24uc3VwZXI=
NOTE: If the username is not an email, you can encode either the tenant-domain-appended username or the plain username as the userId in the /pi-info/{userId} GET request.
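The rule from the answer, written out as a small Python helper. This is an added example, not code from WSO2 Identity Server; the tenant domain default of carbon.super and the behaviour for non-email usernames are taken from the answer above.

```python
import base64


def pi_info_user_id(username, tenant_domain="carbon.super"):
    """Build the userId path segment for the /pi-info/{userId} GET request.

    An email-style username must carry the tenant domain before it is
    encoded; the bare email is what produced the 500 in the question.
    Usernames without an "@" may be encoded with or without the tenant.
    """
    if "@" in username and not username.endswith("@" + tenant_domain):
        username = username + "@" + tenant_domain
    return base64.b64encode(username.encode("utf-8")).decode("ascii")


def decode_user_id(user_id):
    """Reverse the encoding so a failing request can be inspected."""
    return base64.b64decode(user_id).decode("utf-8")


if __name__ == "__main__":
    # Values from the question: the first one is what produced the 500.
    print(decode_user_id("YWJjZEB5b3BtYWlsLmNvbQ=="))   # abcd@yopmail.com
    print(pi_info_user_id("abcd@yopmail.com"))           # tenant appended first
```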

Is it secure to use firebase tokens for authentication between my server and an application?

I'm thinking about using firebase to authenticate users. Users could sign up via a pyqt app. Their email address and password would be sent via a POST request to my server (Django). On my server, I would use firebase (pyrebase) to sign them up. I would then store the firebase token in the database on my server, and also return the token to the user and save it there locally. Afterwards, I would always (or until the user logs in again which would return a new token) use this token to authenticate the user and let them access my database. Would this be secure? Something like this:
On sign-up:
User:
token = requests.post(url, {"email": email, "pwd": pwd})
Server:
response = auth.create_user_with_email_and_password(email, pwd)
token = response['idToken']
c.execute('INSERT INTO Tabel (email, token) VALUES(?, ?)', (email, token))
return token
After sign-up:
User:
some_data = requests.post(url, {"token": token, "email": email})
Server:
row = c.execute("SELECT token FROM Tabel WHERE email = (?)", (email,)).fetchone()
if row and token == row[0]:  # fetchone() returns a tuple, not the bare token
    return some_data
What you're describing is somewhat similar to what Firebase does with its Authentication tokens, so it can indeed work quite well. :)
A few things to keep in mind:
Be sure to only send the credentials from the client to the server, and the ID token from the server to the client, over a secure connection. This reduces the chance of a man-in-the-middle gaining access to either the credentials or the token.
If you want the authentication state of the user to be available to other Firebase products, don't forget to sign the user in with the custom token on the client.
Do you really need to store the token in your database? The Firebase servers typically do not do this, and instead verify the token when they first get it. They do cache the verification state locally, but there's no central database of current ID tokens, which helps scalability.
You'll want the token to have a reasonably short expiration time, just in case a malicious actor gets access to it. Firebase itself uses ID tokens that are valid for 1 hour, and the SDKs automatically renew them after about 55 minutes.
If you want a shorter or longer lifetime for your tokens, consider using a session cookie which can be valid anywhere from 5 minutes to 2 weeks.

Why am I getting this Authentication required error even though I am using my client id and client secret for the Foursquare API?

I'm getting back into Python and wanted to use the pyfoursquare package to access the Foursquare API. I'm trying to get information about venues using the venues method in the API class. I'm primarily trying to find out whether a venue page is verified with Foursquare or not. When I provide my client id, client secret, and venue id I keep getting back an error that states "Authentication required", which doesn't make sense because I'm providing that information. Any help would be great. Thank you.
import pyfoursquare as foursquare

# App credentials from the Foursquare developer console (left blank here)
client_id = ""
client_secret = ""
callback = ""
auth = foursquare.OAuthHandler(client_id, client_secret, callback)
api = foursquare.API(auth)
# Venue lookup by id; this is the call that returns "Authentication required"
result = api.venues("4e011a3e62843b639cfa9449")
print(result[0].name)
Let me know if you would like to see the error message. Thanks again.
I believe you are skipping the step of grabbing your OAuth2 access token, so you're not technically authenticated.
Have a look at the following instructions, under "How to Use It":
https://github.com/marcelcaraciolo/foursquare
The lines that might be useful to you are:
# First redirect the user who wishes to authenticate to this URL.
# It creates the authorization URL for your app.
auth_url = auth.get_authorization_url()
print('Please authorize: ' + auth_url)
# If the user accepts, they will be redirected back
# to your registered REDIRECT_URI.
# It will give you a code as
# https://YOUR_REGISTERED_REDIRECT_URI/?code=CODE
code = raw_input('The code: ').strip()  # input() on Python 3
# Now your server will make a request for
# the access token. You can save this
# for future access to your app for this user.
access_token = auth.get_access_token(code)
print('Your access token is ' + access_token)

How does timed JSON web signature serializer work?

Can I restrict actions of my API to specific users if I generate a token like this:
from flask import current_app
from itsdangerous import TimedJSONWebSignatureSerializer as Serializer

def generate_auth_token(**kwargs):
    expiration = 600
    s = Serializer(current_app.config['SECRET_KEY'], expires_in=expiration)
    return s.dumps({'id': kwargs.get('user_id')})
And the verification:
from itsdangerous import BadSignature, SignatureExpired

@staticmethod
def verify_auth_token(token):
    s = Serializer(app.config['SECRET_KEY'])  # must be the same key used for dumps
    try:
        data = s.loads(token)
    except SignatureExpired:
        return None  # valid token, but expired
    except BadSignature:
        return None  # invalid token
    user = User.query.get(data['id'])
    return user
I don't understand how this works and achieves security. The way I'm used to securing an API is, for example: a user wants to do an HTTP PUT to /posts/10, so I'd usually get the post's author, i.e. the user_id, then query the database to get the token for that user_id; if the request token matches the queried token then it is safe to do the PUT. I've read this article and don't fully understand how it achieves security without storing anything in a database. Could someone explain how it works?
By signing and sending the original token upon login the server basically gives the front end an all-access ticket to the data the user would have access to, and the front end uses that token (golden ticket) on all future requests for as long as the token is not expired (tokens can be made to have an expiration or not). The server in turn knows the token has not been tampered with, because the signature is basically the encrypted hash of the user's recognizable data (user_id, username, etc.). So, if you change the token information from something like:
{"user_id": 1}
to something like:
{"user_id": 2}
then the signature would be different and the server immediately knows this token is invalid.
This provides an authentication method that exempts the server from having to have a session, because it validates the token every time.
Here is an example of what a token could look like (itsdangerous can use this format of JSON web tokens)
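Both this answer and the Firebase answer above describe the same stateless pattern: sign the claims with a server-side key, check the signature and the expiry on every request, and keep no copy of the token in a database. The following is an added, stripped-down illustration of what TimedJSONWebSignatureSerializer does, not itsdangerous' own code; the secret and the user ids are constructed, and the comparison uses a constant-time check rather than the plain == from the Firebase question.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def dumps(secret, payload, expires_in=600, now=None):
    """Issue payload.expiry.signature; the server keeps no copy of it."""
    now = int(time.time()) if now is None else now
    body = _b64(json.dumps(payload, sort_keys=True).encode()) + "." + _b64(str(now + expires_in).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def loads(secret, token, now=None):
    """Return (payload, "ok"), or (None, reason) when the token is rejected."""
    now = int(time.time()) if now is None else now
    try:
        p, e, s = token.split(".")
        sig = _unb64(s)
    except ValueError:  # wrong number of parts or undecodable base64
        return None, "bad format"
    expected = hmac.new(secret, (p + "." + e).encode(), hashlib.sha256).digest()
    # Constant-time compare: a plain == leaks timing information about the secret.
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if now >= int(_unb64(e)):
        return None, "expired"
    return json.loads(_unb64(p)), "ok"


def tamper(token, new_payload):
    """Swap the claims but keep the old signature: without the key this is all one can do."""
    _, e, s = token.split(".")
    return _b64(json.dumps(new_payload, sort_keys=True).encode()) + "." + e + "." + s
```

Changing {"user_id": 1} to {"user_id": 2} inside the token is rejected as a bad signature, and the same token is rejected as expired once `now` passes the embedded expiry, with no database lookup in either case.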

ADFS 3 - Username change and signout issue

We have a website integrated with ADFS 3 for authentication. The website allows users to change their usernames, which in turn changes their usernames in AD. If a user changes their username we log them out using WSFederationAuthenticationModule.FederatedSignOut. However, the page redirects to the ADFS URL and throws an error. The event log shows "either username or password is wrong".
MSIS7066: Authentication failed for the request. ---> System.Security.SecurityException: The user name or password is incorrect.
I wonder if it is because of the username change. I tried with both lsalookupcachemaxsize set to 0 in the registry and without the key. By the way, does ADFS 3 even consider this registry key?
The code used is below:
// Clear the forms-authentication cookie and the local WIF session token
FormsAuthentication.SignOut();
FederatedAuthentication.SessionAuthenticationModule.SignOut();
FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
Response.Expires = 0;
Session.Abandon();
// Redirect to the STS (ADFS) so that it ends its own session as well
var authenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
WSFederationAuthenticationModule.FederatedSignOut(new Uri(authenticationModule.Issuer), new Uri(authenticationModule.Realm));

Need to Get the Index of Session using SAML2.0 to fix Logout

I'm doing a SAML2.0 SSO agent using the code at this URL:
http://svn.wso2.org/repos/wso2/people/asela/wso2-samples/sso_webapp/
but the logout does not work. Excuse my English.
I am told that when the identity server sends the authentication response, it sends a session index value in it, and you need to return exactly the same value in the logout request to the identity server. How can I get the session index value with SAML 2.0?
This is the code of my LogoutRequestBuilder class:
import org.joda.time.DateTime;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml2.core.impl.SessionIndexBuilder;

public class LogoutRequestBuilder {

    public LogoutRequest buildLogoutRequest(String subject, String reason) {
        Util.doBootstrap();
        // Fully qualified because this class shares the OpenSAML builder's name
        LogoutRequest logoutReq = new org.opensaml.saml2.core.impl.LogoutRequestBuilder().buildObject();
        logoutReq.setID(Util.createID());
        DateTime issueInstant = new DateTime();
        logoutReq.setIssueInstant(issueInstant);
        logoutReq.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + 5 * 60 * 1000));
        IssuerBuilder issuerBuilder = new IssuerBuilder();
        Issuer issuer = issuerBuilder.buildObject();
        issuer.setValue(Util.getProperty(SSOConstants.ISSUER_ID));
        logoutReq.setIssuer(issuer);
        NameID nameId = new NameIDBuilder().buildObject();
        nameId.setFormat(SSOConstants.SAML_NAME_ID_POLICY);
        nameId.setValue(subject);
        logoutReq.setNameID(nameId);
        SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
        // A freshly generated id is sent here, not the SessionIndex the IdP issued
        sessionIndex.setSessionIndex(Util.createID());
        logoutReq.getSessionIndexes().add(sessionIndex);
        logoutReq.setReason(reason);
        return logoutReq;
    }
}
If single logout is enabled in the service provider registration in WSO2 IS, the SAML response you get will contain the SessionIndex.
So that value has to be stored somewhere to send back in the logout request.
This is an old sample you are using. [1] This document contains the SSO sample which has single logout enabled.
[1] https://docs.wso2.com/display/IS500/Configuring+SAML2+SSO
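The data flow the answer describes, shown end to end as an added Python/ElementTree example rather than the OpenSAML Java of the sample: read NameID and SessionIndex out of the IdP's Response, keep them for the session, and echo the same SessionIndex in the LogoutRequest. The Response XML is constructed and reduced to the elements the flow needs; a real one is signed and carries Conditions and Attributes that must still be validated.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, minimal Response: only the elements the logout flow needs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2015-01-01T00:00:00Z" SessionIndex="_sess_42">
      <saml:AuthnContext/>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_session(response_xml):
    """Return (NameID, SessionIndex) from the Response, or None if either is missing."""
    root = ET.fromstring(response_xml)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    stmt = root.find("saml:Assertion/saml:AuthnStatement", NS)
    if name_id is None or stmt is None or "SessionIndex" not in stmt.attrib:
        return None
    return name_id.text, stmt.attrib["SessionIndex"]


def build_logout_request(issuer, name_id, session_index, request_id):
    """Serialize a LogoutRequest that echoes the stored SessionIndex, not a new id."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element("{%s}LogoutRequest" % NS["samlp"], ID=request_id, Version="2.0")
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = issuer
    ET.SubElement(req, "{%s}NameID" % NS["saml"]).text = name_id
    ET.SubElement(req, "{%s}SessionIndex" % NS["samlp"]).text = session_index
    return ET.tostring(req, encoding="unicode")


def session_index_in(logout_xml):
    """Read back the SessionIndex a serialized LogoutRequest carries."""
    return ET.fromstring(logout_xml).findtext("samlp:SessionIndex", namespaces=NS)
```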