Getting `ownerAccountId` - tapkey

I'm using this endpoint /api/v1/Owners/{ownerAccountId}/BoundLocks to get boundlocks belonging to a certain account that earlier granted access to my application.
The issue is, every account has a different ownerAccountId, how can I get the one associated with a particular lock system?

I think what you are trying to archive is:
You are using the oAuth2 authenticate code flow. So users grant your services access to their tapkey owner account (locking system).
If this not the correct assumption, the answer might not be correct. Please then update your question with more details and we will provider a matching answer.
You can get all owner accounts of such a user with the GET /api/v1/Owners endpoint.
For more informations about this endpoint visit https://developers.tapkey.io/openapi/tapkey_management_api_v1/#/Owners
In general all public available endpoints are listed and described in details here:
https://developers.tapkey.io/openapi/tapkey_management_api_v1/

Related

How to check for Cognito permissions in API Gateway

Trying to understand how to use Cognito and API Gateway to secure an API.
Here is what I understand so far from AWS documentation and the Cognito user interface:
Clients
www-public - public facing website
www-admin - administrators website
Resource Servers
Prices - for this simple example the API will provide secured access to this resource.
Scopes
prices.read
prices.write
Again, very simple permissions on the API. Public www users can read prices, administrators can write them.
API Gateway
GET /prices - accessible to authenticated users that can read prices.
POST /prices - only accessible to administrators
Users
Administrators - can update prices via the POST method.
Non-administrators - cannot update prices.
Based on this...
Each client will request the scopes it is interested in. So for the public www site it will request prices.read and for the administration site both prices.read and prices.write.
The API Gateway will use two Cognito Authorisers, one for each HTTP Verb. So the GET method must check the user can read prices and the POST method that they can write prices.
The bit I don't see is how to put all of this together. I can make the clients request scopes but how do they now connect to user permissions?
When the token is generated, where is the functionality that says "Ok, you requested these scopes, now I'm going to check if this user has this permission and give you the right token?"
I understand that scopes ultimately related to the claims that will be returned in the token.For example, requesting the profile scope means that the token will contain certain claims e.g. email, surname etc.
I think based on this that my permissions will ultimately end up being claims that are returned when specific scopes are asked for. The fact that the two clients differ in what they request means that the prices write claim an never be returned to the public www client. It would never issue a token if the prices.write claim was requested.
What I can't see is where this fits in Cognito. There is the option to put users into groups but that is pretty much it. Likewise, there is nothing (that I could see) to relate scopes to claims.
I'm coming from a .Net and Identity Server background. Certainly in the last version of Identity Server I looked at there was a handler method where you would work out which claims to put into a token. I guess this would map into one of the custom handler lambda functions in Cognito. From there this would need to query Cognito and work out what claims to issue?
The final piece of the puzzle is how the API Gateway checks the claims. Can this be done in API Gateway or does the token need to be inspected in the Lambda function I will write to handle the API Gateway request?
Certainly using Identity Server and .Net there was a client library you would use in the API to inspect the claims and redact permissions accordingly. Guessing there is something similar in a Node JS Lambda function?
A few assumptions there as I'm basically in the dark. I think the basics are there but not sure how to connect everything together.
Hoping someone has figured this out.

Retrieve user profile in Cognito Federated Identities

I'm currently exploring the AWS stack and am therefore building a simple web app. I plan on using:
S3 to host the static contents
DynamoDB to store user data
Lambda + API Gateway for backend logic
Cognito Federated Identities to authenticate users
I currently have a small tracer bullet application working that allows the user to authenticate with Google (through Cognito) and retrieve some data through a Lambda from DynamoDB. Now I want to extend it.
The next thing I want to do (and am failing to achieve) is to actually store the user name and e-mail of the authenticated user. Storing it shouldn't be a big problem, but retrieving it is. I know I initially got the data from Google because when I inspect the ID token (on JWT.io) I got from Google, I can clearly see my e-mail and name. This is the token I sent to AWS Cognito in exchange for a Cognito token.
I was expecting to be able to access this data again in my Lambda function, but I fail to figure out how actually. I understand Cognito performs a one way hash on the retrieved ID token, but I would expect some options to actually retrieve relevant user data from the token. After all, by authentication through Google (or any other IdP) a user already consented to sharing some personal data.
I feel I fail to see something obvious. Is there any feature in AWS that solves this? Is there a moment (not on the client side) where I can inspect the ID token and do some magic with it? Or should I solve this in some different way?
If the latter is the case: what would be the preferred way? I don't want users to tell me their personal data, because then I would also need some way to validate it.

Stripe identity verification storage

I am reading the documentation regarding stripe verification for managed accounts and I am wondering if it is a good idea to store them as well (as a backup) on a private place where my application has access (like a private bucket on S3 or in a private server)?
I'd recommend against saving any sensitive info on your end such as their SSN, a copy of their government id or their bank account details. The best solution here is to send the details to Stripe directly as they will store it on their end and not log any of it beyond tracking that you provided those info.
You then listen for account.updated events on your Connect webhook endpoint setup in your platform. This will tell you whether Stripe needs more info from that user if fields_needed is set and what delay you have to provide the required details based on verification[due_by].
You can also use properties like legal_entity[ssn_last_4_provided] to know if you've already sent that information to Stripe or if they might need it. This can be found in the docs here

From AWS SDK, how to I get the current logged in username (or IAM user)?

I'm using the Ruby SDK (V2), but I guess my question is more general than the specific implementation as I couldn't find an answer in any of the SDKs.
How do I get the username (and/or IAM user) that my session currently belongs to?
I let the SDK run its default behaviour for choosing credentials (ENV vars, then 'default' profile or other if specified and then machine role). Then I initialize my client and run commands. I'd like to know 'who is running the commands'. I expect to get the AWS username and if the chosen credentials were of an IAM user in it, then this username too.
Any ideas?
The best I got so far was that after I build a Client object, I can query it's actual config and get Credentials. But that only gives me what credentials were chosen (i.e. SharedCredentials profile='default' vs. Credentials key=.. secret=..) and doesn't tell me who is the username behind it.
Many thanks!
Be careful with your terminology -- interactions with the AWS APIs are all over HTTP, and are sessionless and stateless, so there's not really a concept of the currently "logged in" user, or a "session."
However, for a given set of credentials, you can fetch the attributes of the "current" user (the user whose credentials you're using) from Aws::IAM::CurrentUser.
http://docs.aws.amazon.com/sdkforruby/api/Aws/IAM/CurrentUser.html
Apologies for the lack of an example -- I am unfamiliar with Ruby in general -- but found this based on what I knew could be done with the direct query APIs and command line client with aws iam get-user. The available attributes are all the same: user_name, password_last_used, create_date, user_id, path, and arn... so I suspect this is what you're looking for.
From the Query API docs:
it defaults to the user making the request
STS (Security Token Service) provides an API for this:
GetCallerIdentity Returns details about the IAM identity whose credentials are used to call the API.
http://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html

Get access token for specific permissions

How can I modify this to get permissions for offline_access and others
"https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id="+appId+"&client_secret=" + appSecret;
I don't think you can. The url you are using looks like the one used to get an access token for adminstrative actions on behalf of an app. I.e. Graph api calls requiring an app access token such as access to app Insights.
Offline access, as far as I know, applies only to performing actions on behalf of a user e.g. posting to their wall.
Maybe you are looking for something more like this?
https://www.facebook.com/dialog/oauth? client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=offline_access,email,read_stream,etc
Assuming you have already know about the authentication guide, but just in case:
http://developers.facebook.com/docs/authentication/