How to get password reset frequency from Gsuite Admin SDK Apis - google-admin-sdk

I need the to get password policy and password reset frequency of the Gsuite account through the gsuite Admin SDK Apis. But, I dont find any api doc regarding this.
https://developers.google.com/admin-sdk/
I need to fetch the password expiration time and policy using Oauth 2.0 google admin Sdk apis.

You can use the Reports API to query various Login Audit Activity Events including Account password change
For this:
Use the method activities.list()
Set userKey to either all or a specific user email
Set applicationName to login
Set eventName to password_edit
If desired, you can narrow down the results by specifying additoinal parameters, like e.g. startTime, endTime or filters

Related

AWS Cognito sign up without password to get email confirmation link

I want to make a simple flow for registration app.
User sign up with only email -> The verification/registration link is sent to the email -> People register (putting in their password) on that link
I've googled anything but haven't found any way to make it with AWS Cognito.
Looks like Cognito is forcing users to sign up with at least email AND password to get the confirmation link
You can sign up users with adminCreateUser API call. They will receive an email with temporary passwords. This approach is configurable.
See: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
Use: AdminCreateUser
Create a new user profile by using the AWS Management Console or by calling the AdminCreateUser API. Specify the temporary password(will be your user's password) or allow Amazon Cognito to automatically generate one.
Specify whether provided email addresses and phone numbers are marked as verified for new users.
Specify custom SMS and email invitation messages for new users via the AWS Management Console.
Specify whether invitation messages are sent via SMS, email, or both.
After successful user creation,
1. authenticate user using same user credentials
Use: SDK calls InitiateAuth(Username, USER_SRP_AUTH)
2. After success of initateAuth, amazon Cognito returns the PASSWORD_VERIFIER challenge with Salt & Secret block.
3. Use RespondToAuthChallenge(Username, <SRP variables>, PASSWORD_VERIFIER
4. Amazon Cognito returns the NEW_PASSWORD_REQUIRED challenge along with the current and required attributes.
5. The user is prompted and enters a new password and any missing values for required attributes.
6. Call RespondToAuthChallenge(Username, <New password>, <User attributes>).
7. After successful password change user can be able to login using same credentials added by you.
Short answer
- In that case, you can specify the temporary password(will allow Amazon Cognito to automatically generate one.).
- all user users will be forced to change their password only at first login.

Display something else than username in Cognito Built-In Sign-In Page

In AWS Cognito, username is unique and cannot be changed, that's why I'm using it with an internal auto-generated ID. Most of Cognito API requests like adminGetUser only uses username as the user identifier.
And this is recommended by AWS:
If your application does not require a username, you do not need to ask users to provide one. Your app can create a unique username for users in the background. This is useful if, for example, you want users to register and sign in with an email address and password.
Everything is working nicely, but I've got problems with the Cognito Built-in Sign-in page:
This page is intended to be viewed by the end user, and it is displaying username, which I'm using as an internal ID 🤔
The Built-in Sign-in page can be customized but only CSS and logo, I cannot see any option to display preferred_username or email instead of username.
Is there a way? A workaround for my use case? Am I using Cognito the wrong way?
It's finally working with preferred_username
The only thing is that the really first time username is used instead of preferred_username 🤔
Probably an AWS bug

How to map phone number with Cognito User Pool Federated to Google

According to Scopes for Google SignIn, there is no 'phone' scope, the only scopes are openid, email, profile.
My Cognito User Pool has a phone user attribute, and it is required.
For users who sign-up directly with the user pool, they enter their phone number in Amazon's hosted UI which displays a phone field in the sign up form, all good.
For users who sign-up with Google, they get an error. I've traced it to the fact that Google doesn't send over a phone_number and the mapping from Google to User Pools attribute fails. If I create a new pool, which does not require a phone_number federation to Google works, the moment I require that attribute it fails, despite the fact that the Google Account I test with has a phone_number.
Is mapping phone really not possible when sign in with Google federated to Cognito User Pool?
Is it possible for the the hosted SignUp UI to show a field for my Google users asking them to fill in the phone number between them authenticating with Google and the hosted UI redirecting to my redirect URL?
Alternate solutions?
I also faced the same issue. To get this to "work" I had to sadly remove the phone number requirement which also meant I had to make a new user pool.
Now AWS provides phone scope
Step-1 Go to user pool's App client settings page.
Step-2 click the phone option.
Step-3 Go to user pool's Attribute Mapping page page.
Step-4 Map external identity provider's attribute to user pool attribute. (I am using Google)

Facebook Ads API : Error 272 This Ads API call requires the user to be admin

I am using Facebook Ad Api to create ads. How ever when i grant a user Administrator Role (1001) with the following api call:
https://graph.facebook.com/v2.5/<AD_ACCOUNT_ID>/users?role=1001&uid=xxxxx
it successfully creates the user, and when i get all the users using the following request:
https://graph.facebook.com/v2.5/<AD_ACCOUNT_ID>/users
it successfully returns the array as:
"{"data":[{"name":"firstname lastname","permissions":[1,2,3,4,5,7],"role":1001,"id":"101xxxxxxxxxx352"}}"
but when i try to create an Ad campaign or Adset with the newly added user the following exception is thrown:
[FacebookAds\Http\Exception\AuthorizationException]
(#272) This Ads API call requires the user to be admin of the application. User 16xxxxx351 not admin or developer for application 109xxxxxxxx0403.
And when i go to my app and assign the user with an Administrator or Developer Role, I can make requests successfully.
Why is facebook not allowing a user created with administrator role from the api not make api calls to its Ad Api ? And why does it allow when the user is granted Administrator/Developer role make requests ?
This is because the objects you can promote are not based upon an adaccount but are based upon your user.
You can see the connection objects a user has access to by make the following request:
<API_VERSION>/act_<AD_ACCOUNT_ID>/connectionobjects?access_token=<ACCESS_TOKEN>
The documentation states:
this call returns the IDs of all objects for which the current session
user is an administrator, and the IDs of apps for which the user is
listed as a developer or advertiser.
If you don't want to make additional administrators for your app, you can create system user in Facebook Business Manager, grant him administrator (or even advertiser) rights for Ad Account.
https://developers.facebook.com/docs/marketing-api/business-manager-api
And use his token to manage ads. In my case I used it to retrieve targeting of ads, to find where leads came to lead form from.
https://www.facebook.com/marketingdevelopers/videos/vb.606699326111137/883648801749520/

How do I check if a Twitter OAuth access_token is still valid?

I'm writing a Django app and I want users to be able to supply their Twitter username and connect their Twitter account with their User in my app. (I'm not using Twitter to log them into my site; I just want them to connect their Twitter account with their account on my site, and give permissions for certain actions.)
Assuming I do that successfully, and I get back and store an access_token for the user, what's the best way to subsequently check that the access_token is still valid? i.e., if the user has later revokes access to my service on their Twitter account, I want to be able to check the access_token and, if it's invalid, delete it and prompt the user to re-authenticate.
The Flickr API has flickr.auth.checkToken and I guess I'm looking for the equivalent functionality with the Twitter API.
using python-twitter, you can verify if the credentials are ok using:
if api.VerifyCredentials() is not None: