Facebook API: Page access token is missing scopes - facebook-graph-api

After retrieving a page access token using a user access token, some scopes are missing.
I use the user access token with these details:
"app_id": "123",
"type": "USER",
"application": "lorem",
...
"scopes": [
"pages_show_list",
"pages_messaging",
"pages_messaging_subscriptions",
"pages_manage_metadata",
"public_profile"
],
Then I request the page access token from endpoint:
https://graph.facebook.com/me/accounts
I receive a page access token:
"app_id": "412378670482",
"type": "PAGE",
"application": "lorem",
...
"profile_id": "123",
"scopes": [
"pages_show_list",
"public_profile"
],
Can anybody explain why the scope has been reduced?
The user that created the USER token has "full page" access to the page.
EDIT Full page token debug:
The most remarkable thing here is that the profile_id is not listed in the granular scopes of e.g. "pages_manage_metadata". So the reduced scope reflects the missing ids.
{
  "app_id": "3926422237",
  "type": "PAGE",
  "application": "lorem",
  "data_access_expires_at": 1639517367,
  "expires_at": 0,
  "is_valid": true,
  "issued_at": 1603451677,
  "profile_id": "1023865413",
  "scopes": [
    "pages_show_list",
    "public_profile"
  ],
  "granular_scopes": [
    {
      "scope": "pages_show_list"
    },
    {
      "scope": "pages_messaging",
      "target_ids": [
        "2053841064733",
        ...
      ]
    },
    {
      "scope": "pages_messaging_subscriptions",
      "target_ids": [
        "2053841064733",
        ...
      ]
    },
    {
      "scope": "pages_manage_metadata",
      "target_ids": [
        "2053841064733",
        ...
      ]
    }
  ],
  "user_id": "16954674",
  "expires_at_dt": "1970-01-01",
  "data_access_expires_at_dt": "2021-12-14"
}
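As an added illustration (not code from the question), the function below reads a debug_token response for a page token and works out which permissions actually cover a given page id: a permission whose granular entry carries a target_ids list applies only to the pages listed there, which is exactly what the reduced scope list reflects. The sample response is constructed to mirror the shape shown above.

```javascript
// Constructed sample, shaped like the page-token debug output in the question.
const pageTokenDebug = {
  app_id: "3926422237",
  type: "PAGE",
  is_valid: true,
  profile_id: "1023865413",
  scopes: ["pages_show_list", "public_profile"],
  granular_scopes: [
    { scope: "pages_show_list" },
    { scope: "pages_messaging", target_ids: ["2053841064733"] },
    { scope: "pages_messaging_subscriptions", target_ids: ["2053841064733"] },
    { scope: "pages_manage_metadata", target_ids: ["2053841064733"] },
  ],
};

// Returns { granted, missing } for one page id:
//   granted = permissions that apply to this page (global ones plus those
//             whose target_ids include the page),
//   missing = permissions the user holds, but only for other pages.
function effectiveScopesForPage(debugData, pageId) {
  const granted = new Set(debugData.scopes || []);
  const missing = [];
  for (const g of debugData.granular_scopes || []) {
    if (!Array.isArray(g.target_ids) || g.target_ids.includes(pageId)) {
      granted.add(g.scope); // no target list means it applies everywhere
    } else if (!granted.has(g.scope)) {
      missing.push(g.scope); // granted, but not for this page
    }
  }
  return { granted: [...granted].sort(), missing: missing.sort() };
}

// Guard to run before using a page token for a call that needs `required`.
function assertPageScopes(debugData, pageId, required) {
  if (!debugData.is_valid) throw new Error("token is not valid");
  const { granted, missing } = effectiveScopesForPage(debugData, pageId);
  const lacking = required.filter((s) => !granted.includes(s));
  if (lacking.length) {
    throw new Error(`page ${pageId} lacks ${lacking.join(", ")}; ` +
      `granted only for other pages: ${missing.join(", ")}`);
  }
  return true;
}

console.log(effectiveScopesForPage(pageTokenDebug, pageTokenDebug.profile_id));
```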

Related

WSO2 SCIM 2 API to get all users by tenant not returning any user

I am using WSO2 Identity Server 5.7.0; I am calling the API https://[url]:[port]/t/tenantName/scim2/Users with GET. The response received is the following, with HTTP status 200:
{"totalResults":0,"startIndex":1,"itemsPerPage":0,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"]}
However, the user is not being returned, the tenant has its own admin user only. The expected response (working fine on another environment) is:
{
  "totalResults": 1,
  "startIndex": 1,
  "itemsPerPage": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "Resources": [
    {
      "emails": [
        "user1#gmail.com"
      ],
      "meta": {
        "created": "2023-01-05T13:01:12Z",
        "lastModified": "2023-01-05T13:01:12Z"
      },
      "roles": [
        {
          "type": "default",
          "value": "Internal/subscriber,Internal/creator,Internal/publisher,Internal/everyone,admin"
        }
      ],
      "name": {
        "givenName": "user1",
        "familyName": "user1"
      },
      "id": "2e86d8e6-7db8-4600-a8bc-f3h1d54d8h6a",
      "userName": "user1"
    }
  ]
}
How to fix this? Is there any configuration that should be changed to return all users?
Note: SCIM is enabled in user-mgt.xml file
Recreating a new tenant after enabling the SCIM solved the issue, but the issue remains for the tenant that was created prior to enabling the SCIM.

posixAccounts API information missing

I'm not seeing my posixAccounts information from the following link:
https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/get
{
  "kind": "admin#directory#user",
  "id": "8675309",
  "etag": "\"UUID\"",
  "primaryEmail": "email#example.com",
  "name": {
    "givenName": "Email",
    "familyName": "Account",
    "fullName": "Email Account"
  },
  "isAdmin": true,
  "isDelegatedAdmin": false,
  "lastLoginTime": "2021-08-04T21:11:17.000Z",
  "creationTime": "2021-06-16T14:32:35.000Z",
  "agreedToTerms": true,
  "suspended": false,
  "archived": false,
  "changePasswordAtNextLogin": false,
  "ipWhitelisted": false,
  "emails": [
    {
      "address": "email#example.com",
      "primary": true
    },
    {
      "address": "email#example.com.test-google-a.com"
    }
  ],
  "phones": [
    {
      "value": "123-456-7890",
      "type": "work"
    }
  ],
  "nonEditableAliases": [
    "email#example.com.test-google-a.com"
  ],
  "customerId": "id12345",
  "orgUnitPath": "/path/to/org",
  "isMailboxSetup": true,
  "isEnrolledIn2Sv": false,
  "isEnforcedIn2Sv": false,
  "includeInGlobalAddressList": true
}
As you can see from the above output, there's no posixAccount information. I can open the ldap information in Apache Directory studio, so I know it's there, but I can't see it from the above output. Since I can see it though, I tried to update this using the update function in the API.
https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/update
I used this for the payload as I'm just testing updating the gid information. I used the documentation below to get the entry details needed. At least as far as I could tell.
{
  "posixAccounts": [
    {
      "gid": "12345"
    }
  ]
}
https://developers.google.com/admin-sdk/directory/reference/rest/v1/users
I'm getting a 200 response, but nothing is actually changing for the user when doing a PUT to update.
I tried a similar update method from another user on here, but to no avail: Google Admin SDK - Create posix attributes on existing user
I was able to get this resolved by supplying additional details in my PUT request:
{
  "posixAccounts": [
    {
      "username": "email(excluding #domain.com)",
      "uid": "1234",
      "gid": "12345",
      "operatingSystemType": "unspecified",
      "shell": "/bin/bash",
      "gecos": "Firstname Lastname",
      "systemId": ""
    }
  ]
}
The above wouldn't reflect in LDAP until I put "systemId" in there. So that part is required.

Is it possible to use ASP.NET Core + IdentityServer4 JWT in AWS PrivateLink?

I've been running my web API under AWS Windows VM with IIS using Asp.Net Core and IdentityServer4.
The Identity Server is running on the same application of my secured controller.
This is running perfectly with no issue using my external domain of 'http://{my-external-domain}'.
My StartUp.cs relevant portion looks like the following:
.AddJwtBearer(options =>
{
    options.Authority = xyzConfig.Authority; // http://{my-external-domain}
    options.Audience = "xyz";
    options.RequireHttpsMetadata = false;
I'm using http://{my-external-domain}/connect/token and then I can request the authorized content successfully.
However, when setting this flow using the AWS PrivateLink some combinations aren't working including the desired one of http://{my-internal-domain} as the issuer/authority and the secured controller.
Using the StartUp settings above I get a 500 error saying the following:
IOException: IDX20804: Unable to retrieve document from: 'http://{my-internal-domain}/.well-known/openid-configuration'.
However, from the same machine it's possible to retrieve this information:
{
  "issuer": "http://{my-internal-domain}",
  "jwks_uri": "http://{my-internal-domain}/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "http://{my-internal-domain}/connect/authorize",
  "token_endpoint": "http://{my-internal-domain}/connect/token",
  "userinfo_endpoint": "http://{my-internal-domain}/connect/userinfo",
  "end_session_endpoint": "http://{my-internal-domain}/connect/endsession",
  "check_session_iframe": "http://{my-internal-domain}/connect/checksession",
  "revocation_endpoint": "http://{my-internal-domain}/connect/revocation",
  "introspection_endpoint": "http://{my-internal-domain}/connect/introspect",
  "device_authorization_endpoint": "http://{my-internal-domain}/connect/deviceauthorization",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "scopes_supported": [
    "openid",
    "email",
    "profile",
    "xyz",
    "offline_access"
  ],
  "claims_supported": [
    "sub",
    "email",
    "email_verified",
    "name",
    "family_name",
    "given_name",
    "middle_name",
    "nickname",
    "preferred_username",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "updated_at"
  ],
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "implicit",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "form_post",
    "query",
    "fragment"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "request_parameter_supported": true
}
When I changed the StartUp.cs settings to the following:
var key = System.Text.Encoding.ASCII.GetBytes(xyzConfig.Secret);
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    //options.Authority = xyzConfig.Authority;
    options.Audience = "xyz";
    options.RequireHttpsMetadata = false;
    options.SaveToken = true;
    options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(key),
        ValidateIssuer = false,
        ValidateAudience = false
    };
});
Now I get 401 with the following message in the response header:
Bearer error="invalid_token", error_description="The signature key was not found"
This was pretty interesting as the token used here seems valid when parsed in jsonwebtoken.io:
{
  "nbf": 1602077163,
  "exp": 1602080774,
  "iss": "http://{my-internal-domain}",
  "aud": [
    "http://{my-internal-domain}/resources",
    "xyz"
  ],
  "client_id": "789456",
  "sub": "23de9244-86ba-4553-845f-1cbe6bac0536",
  "auth_time": 1602077162,
  "idp": "local",
  "given_name": "gname",
  "email": "email#white.com",
  "scope": [
    "openid",
    "xyz"
  ],
  "amr": [
    "pwd"
  ],
  "jti": "921552fd-da9b-49b0-98a6-c7c0dcb2d865",
  "iat": 1602077174
}
That also comes with "Signing Key Verified", so now I don't know which way we should go, and whether we can run JWT authentication at all using AWS PrivateLink, which uses their Network Load Balancer (NLB).
If any other info is required I'll be happy to provide here.
Any help is appreciated here, thanks!

List users as non admin with custom fields

As per the documentation, I should be able to get a list of users with a custom schema as long as the field in the schema has a value of ALL_DOMAIN_USERS in the readAccessType property. That is the exact setup I have in the admin console; moreover, when I perform a GET request to the schema get endpoint for the schema in question, I get confirmation that the schema fields are set to ALL_DOMAIN_USERS in the readAccessType property.
The problem is when I perform a users list request, I don't get the custom schema in the response. The request is the following:
GET /admin/directory/v1/users?customer=my_customer&projection=full&query=franc&viewType=domain_public HTTP/1.1
Host: www.googleapis.com
Content-length: 0
Authorization: Bearer fakeTokena0AfH6SMD6jF2DwJbgiDZ
The response I get back is the following:
{
  "nextPageToken": "tokenData",
  "kind": "admin#directory#users",
  "etag": "etagData",
  "users": [
    {
      "externalIds": [
        {
          "type": "organization",
          "value": "value"
        }
      ],
      "organizations": [
        {
          "department": "department",
          "customType": "",
          "name": "Name",
          "title": "Title"
        }
      ],
      "kind": "admin#directory#user",
      "name": {
        "fullName": "Full Name",
        "givenName": "Full",
        "familyName": "Name"
      },
      "phones": [
        {
          "type": "work",
          "value": "(999)999-9999"
        }
      ],
      "thumbnailPhotoUrl": "https://photolinkurl",
      "primaryEmail": "user#domain.com",
      "relations": [
        {
          "type": "manager",
          "value": "user#domain.com"
        }
      ],
      "emails": [
        {
          "primary": true,
          "address": "user#domain.com"
        }
      ],
      "etag": "etagData",
      "thumbnailPhotoEtag": "photoEtagData",
      "id": "xxxxxxxxxxxxxxxxxx",
      "addresses": [
        {
          "locality": "Locality",
          "region": "XX",
          "formatted": "999 Some St Some State 99999",
          "primary": true,
          "streetAddress": "999 Some St",
          "postalCode": "99999",
          "type": "work"
        }
      ]
    }
  ]
}
However, if I perform the same request with a super admin user, I get an extra property in the response:
"customSchemas": {
"Dir": {
"fieldOne": false,
"fieldTwo": "value",
"fieldThree": value
}
}
My understanding is that I should get the custom schema with a non-admin user as long as the custom schema fields are set to be visible by all domain users. This is not happening. I opened a support ticket with G Suite, but the guy that provided "support" sent me in this direction. I believe this is a bug, or maybe I overlooked something.
I contacted G Suite support and in fact, this issue is a domain specific problem.
It took several weeks for the issue to be addressed by the support engineers at Google but it was finally resolved. The behaviour is the intended one now.

Google People API detect merged contacts with syncToken - previousResourceNames not included

I am using the People API to allow users to create entities in my system from their Google contacts, and am storing the resourceName (i.e. 'people/c7760106965272617307') to keep track of the Google contact the entity was created from.
I want to be able to periodically update the entities to match what is in Google, i.e. if the contact updates the phone number, the entity gets the updated phone number. So I am calling the list API passing the sync token to get the contacts that have changed since the last call. This works for updates, edits and deletes, but I can't find a way to detect when two contacts have been merged in Google Contacts.
The docs state:
https://developers.google.com/people/api/rest/v1/people#Person.PersonMetadata
previousResourceNames[]: Any former resource names this person has had. Populated only for connections.list requests that include a sync token.
So if I:
- Call the list API requesting a sync token
- Create Contact A and Contact B
- Call the list API passing the sync token, then I get just the two created contacts and a new sync token:
{
  "resourceName": "people/c1465347538402693914",
  "etag": "%EgcBAj0JPjcuGgQBAgUHIgxab0lZTFBvUU43bz0=",
  "metadata": {
    "sources": [
      {
        "type": "CONTACT",
        "id": "1455f5d28afc531a",
        "etag": "#ZoIYLPoQN7o=",
        "updateTime": "2020-02-26T15:35:34.021Z"
      }
    ],
    "objectType": "PERSON"
  },
  "names": [
    {
      "metadata": {
        "primary": true,
        "source": {
          "type": "CONTACT",
          "id": "1455f5d28afc531a"
        }
      },
      "displayName": "Contact A",
      "familyName": "A",
      "givenName": "Contact",
      "displayNameLastFirst": "A, Contact"
    }
  ]
},
{
  "resourceName": "people/c4555919836853785218",
  "etag": "%EgcBAj0JPjcuGgQBAgUHIgx2WmJHUUtjNTcxQT0=",
  "metadata": {
    "sources": [
      {
        "type": "CONTACT",
        "id": "3f39e0f40cd35282",
        "etag": "#vZbGQKc571A=",
        "updateTime": "2020-02-26T15:35:44.056Z"
      }
    ],
    "objectType": "PERSON"
  },
  "names": [
    {
      "metadata": {
        "primary": true,
        "source": {
          "type": "CONTACT",
          "id": "3f39e0f40cd35282"
        }
      },
      "displayName": "Contact B",
      "familyName": "B",
      "givenName": "Contact",
      "displayNameLastFirst": "B, Contact"
    }
  ]
}
If I then merge the two contacts, and then call the API passing the new sync token, I get:
{
  "resourceName": "people/c4555919836853785218",
  "etag": "%EgcBAj0JPjcuGgQBAgUHIgxqNlFVYnIwaU9vVT0=",
  "metadata": {
    "sources": [
      {
        "type": "CONTACT",
        "id": "3f39e0f40cd35282"
      }
    ],
    "deleted": true,
    "objectType": "PERSON"
  }
}
So TL;DR: I can find out that one of the contacts was deleted, but not that it was merged into another contact.
It seems like the previousResourceNames[] field would do exactly what I want, but I can't seem to make it come back in the data, either in the "Try this API" function on the docs:
https://developers.google.com/people/api/rest/v1/people.connections/list
or using the below Node.js code:
const { google } = require('googleapis');

// authClient is an already-authorised OAuth2 client, set up elsewhere.
async function listChanges(authClient) {
  const service = google.people({ version: 'v1', auth: authClient });
  const result = await service.people.connections.list({
    resourceName: 'people/me',
    personFields: 'names,emailAddresses,phoneNumbers,metadata',
    // requestSyncToken: true,   // only on the initial full listing
    syncToken: 'insert token here',
  });
  console.info('Google Returned', JSON.stringify(result.data, null, 4));
}
I wonder if I need to grant extra scopes, or something else in the requested person fields.
Scopes Requested:
'https://www.googleapis.com/auth/contacts',
'https://www.googleapis.com/auth/userinfo.email',
'https://www.googleapis.com/auth/userinfo.profile'
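As an added example (not the question's code), this applies one connections.list delta fetched with a syncToken to a local store keyed by resourceName. A person whose metadata carries previousResourceNames is the survivor of a merge, so the local entity for the old name is folded into it instead of being treated as a plain delete. The delta is constructed from the question's responses; the previousResourceNames entry and phone number on the survivor are added here, since the question's own responses did not include them.

```javascript
// Constructed delta: the deleted entry is what the question shows after a
// merge; the survivor's previousResourceNames and phoneNumbers are added here.
const sampleDelta = {
  connections: [
    { resourceName: "people/c4555919836853785218",
      metadata: { sources: [{ type: "CONTACT", id: "3f39e0f40cd35282" }], deleted: true, objectType: "PERSON" } },
    { resourceName: "people/c1465347538402693914",
      metadata: { sources: [{ type: "CONTACT", id: "1455f5d28afc531a" }], objectType: "PERSON",
                  previousResourceNames: ["people/c4555919836853785218"] },
      names: [{ displayName: "Contact A" }],
      phoneNumbers: [{ value: "+1 555 0100" }] },
  ],
  nextSyncToken: "constructed-next-sync-token",
};

// store: Map of resourceName -> local entity. Returns the events applied
// and the sync token to persist for the next call.
function applyDelta(store, delta) {
  const events = { updated: [], deleted: [], merged: [] };
  const people = delta.connections || [];
  // Pass 1: map each former resource name to the person that absorbed it.
  const mergedInto = new Map();
  for (const p of people) {
    for (const old of p.metadata?.previousResourceNames || []) mergedInto.set(old, p.resourceName);
  }
  // Pass 2: upsert live people first, so a merge survivor is always present.
  for (const p of people.filter((x) => !x.metadata?.deleted)) {
    const entity = store.get(p.resourceName) || { resourceName: p.resourceName };
    entity.displayName = p.names?.[0]?.displayName ?? entity.displayName;
    entity.phone = p.phoneNumbers?.[0]?.value ?? entity.phone;
    store.set(p.resourceName, entity);
    events.updated.push(p.resourceName);
  }
  // Pass 3: resolve deletions against the merge map.
  for (const p of people.filter((x) => x.metadata?.deleted)) {
    const old = store.get(p.resourceName);
    const into = mergedInto.get(p.resourceName);
    store.delete(p.resourceName);
    if (into && store.has(into)) {
      // Merge: keep a record of the absorbed entity on the survivor.
      const survivor = store.get(into);
      survivor.mergedFrom = [...(survivor.mergedFrom || []), ...(old?.mergedFrom || []), p.resourceName];
      events.merged.push({ from: p.resourceName, into });
    } else {
      events.deleted.push(p.resourceName);
    }
  }
  return { events, nextSyncToken: delta.nextSyncToken };
}
```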