I tried to add a user using the Web API via client credentials and via identity provider. Neither resulted in the invited user receiving an email or seeing the granted lock in his app.
I called /api/v1/Owners to get the owner account's ID for the locks I want a new user to grant access for.
I created a new contact by posting to /api/v1/Owners//Contacts only setting email as identifier (not posting any other data) and using the ownerAccountId from step 1
With the newly created contact id from step 2, ownerAccountId from step 1 and boundlock id I did a put request to /api/v1/Owners//Grants
This resulted in a 200 response, but the new contact did not get any notify or invite email.
When I login to my.portal.nl as owner of the lock I do see the the added user as smartphone user with correct lock and validFrom and validBefore
I expect the invited user in step 4 to be emailed. What am I missing? In your comment you say : Generally speaking, Tapkey will usually not send emails to users.
But how do new users get notified about new locks the can open?
Via the API I do see the users and grants are actually added. I have checked spam folders, but no emails.
When I register as one of these user by using the emailadress I setup as identity and login into the tapkey app, still no locks.
The client ID I'm using is c2f11e47604639323320d08f8e4038f4 and the owner account id is e12e4145-3afb-45ae-81f5-2cdd57d89fb5
I will just summarize what was already explained by Markus in his answer:
Regarding the question about the email:
User will not be informed by email if you create a grant for him.
Regarding the permissions:
If you have created permissions for an user with an identity provider tapkey then these grants are visible for the user once he logs in into the Tapkey app and navigates to his smartphone keys.
If you have created permissions for an user with your own identity provider, these are not displayed in the Tapkey app for a granted user and you need to implement your own application to handle these keys.
We had a look on the grants you have created and as you correctly said, they were created successfuly. All, but one, have been created with your own identity provider and therefore they are not visible in Tapkey app for the granted user. Due to the privacy reasons, I don't want to share anymore details regarding your data here.
Related
On the TapKey Integrator Portal I have a Client Credentials OAuth client, which I created after logging into my owner account.
I can use this to successfully authenticate against https://login.tapkey.com/connect/token with the following scopes:
write:ip:users read:ip:users read:owneraccounts write:owneraccounts read:core:entities write:core:entities read:grants write:grants
However, when I try and call GET https://my.tapkey.com/api/v1/Owners/{my-owner-id}/BoundLocks using the bearer token returned from the connect/token endpoint, I am getting a 403 back.
The locks are owned by the same account I logged into the Integrator portal and created the OAuth client with.
What am I doing wrong?
Thanks
First thing to check in this case is, if the Client Credentials client has administrator rights to the owner account.
As you most likely know, this client acts as its own user and the user identified with an email address in format {oauth_client_id}#iam.serviceaccount.tapkey.com must be added as a co-administrator of the desired owner account.
The option to do this automatically is available when you are creating such OAuth client (as a checkbox), but can assigned manually later as well.
The reason for this not being done always automatically is, that the OAuth client doest not necesarrily need to manage the owner account it has been created in.
We're currently working with WSO2 IS server, version 5.7.0. At this time, everything seems to be ok excepting one thing.
We activated self-provisionning and we added a "Service provider" with oauth2 authentication enabled.
It created the role named "Application/myapp".
Then, going on the "authorize" form, we press "Register now" button and we can create a user. It sends validation mail, and the user is created.
But, the user is not assigned to Application/myapp role.
Is there something we can do to assign user role at registration time ?
Thanks !
I think you have confused. The register now will be redirected to the self sign up form. The users created there will be automatically assigned to the 'Internal/selfsignup' role.
There is no link with the created application and the self sign up process. The automatically created application role (Application/myapp) is for a different requirement. The users with that application role can perform the update and delete operations of the application.
Is there something we can do to assign user role at registration time?
No, you can't create a role. If you want to have this functionality, we need to have your own self sign up for the application and send the user registration request to the IS using SCIM. Here you can find the API definitions. You can use the oAuth tokens to access these APIs.
I have a Lambda function which creates users using adminCreateUser Cognito function. My app is basically an invite only app where the admin can only invite certain users. Everything is working great so far, and I am able to resend invitation email notifications as well. However, I am trying to figure out how I can find out if a user created by adminCreateUser method has "expired" i.e. the user has not accepted the invite and changed the temporary password.
When the admin creates a user using adminCreateUser the status is FORCE_CHANGE_PASSWORD by default. When the user with this status attempts to Log in using the temporary password (from the verification email), Cognito sends a challenge back in the challengeName attribute of NEW_PASSWORD_REQUIRED, based on which the user is forced to change their password through the application and upon successful reset the status would change to CONFIRMED in Cognito for that user. This is working great so far, but I also need to handle scenario where the invited user never really changed their password by attempting to log into the application.
Now, I have set the - "How quickly should user accounts created by administrators expire if not used?" - to 7 days (default). What would be the status of the user account after 7 days if the user doesn't reset their password? I tried to find out from the documentation but it's not clear what the status of the user account would be in this situation.
NOTE: This is not about Token expiration in the client but rather expiration of an account created via the adminCreateUser method.
Annjawn,
According below link: "After the account expires, the user cannot log in to the account until the administrator updates the user's profile by updating an attribute or by resending the password to the user"
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-admin-create-user-policy.html
All tthe best,
Guto
Looking for alternatives on how to use the events API since the Facebook changes.
https://developers.facebook.com/blog/post/2018/04/04/facebook-api-platform-product-changes/
Our app currently uses /search endpoint, pulling events based on a /location (miles radius). Is this totally revoked or is there a way to work around?
Thanks.
You can no longer use the /search endpoint with the following object types: event, group, page, user
Please read: https://developers.facebook.com/docs/graph-api/changelog/breaking-changes#search-4-4
Currently to access events you can use a user endpoint such as ‘/me/events’ or ‘/me/events/not-replied’ using an access token valid for that user. you can get the events that the user was invited to or is going/interested
You can access an event endpoint /{event-id} with an user access token if that user has been invited or is going/attending or is the creator of that event.
I believe its possible (but didn’t test it yet) to access to a specific page events endpoint, such as /{page_id}/events with a page access_token such as manage_pages, if Facebook already approved that permission and the page owner accepted the permission.
I am using Facebook Ad Api to create ads. How ever when i grant a user Administrator Role (1001) with the following api call:
https://graph.facebook.com/v2.5/<AD_ACCOUNT_ID>/users?role=1001&uid=xxxxx
it successfully creates the user, and when i get all the users using the following request:
https://graph.facebook.com/v2.5/<AD_ACCOUNT_ID>/users
it successfully returns the array as:
"{"data":[{"name":"firstname lastname","permissions":[1,2,3,4,5,7],"role":1001,"id":"101xxxxxxxxxx352"}}"
but when i try to create an Ad campaign or Adset with the newly added user the following exception is thrown:
[FacebookAds\Http\Exception\AuthorizationException]
(#272) This Ads API call requires the user to be admin of the application. User 16xxxxx351 not admin or developer for application 109xxxxxxxx0403.
And when i go to my app and assign the user with an Administrator or Developer Role, I can make requests successfully.
Why is facebook not allowing a user created with administrator role from the api not make api calls to its Ad Api ? And why does it allow when the user is granted Administrator/Developer role make requests ?
This is because the objects you can promote are not based upon an adaccount but are based upon your user.
You can see the connection objects a user has access to by make the following request:
<API_VERSION>/act_<AD_ACCOUNT_ID>/connectionobjects?access_token=<ACCESS_TOKEN>
The documentation states:
this call returns the IDs of all objects for which the current session
user is an administrator, and the IDs of apps for which the user is
listed as a developer or advertiser.
If you don't want to make additional administrators for your app, you can create system user in Facebook Business Manager, grant him administrator (or even advertiser) rights for Ad Account.
https://developers.facebook.com/docs/marketing-api/business-manager-api
And use his token to manage ads. In my case I used it to retrieve targeting of ads, to find where leads came to lead form from.
https://www.facebook.com/marketingdevelopers/videos/vb.606699326111137/883648801749520/