WSO2 Identity Server 5.8.0: custom claim attribute in Create User by SCIM service - wso2

In my WSO2 Identity Server (v5.8.0), I have added one custom attribute named XXX.
Then, in my web client application, I invoke the /scim2/Users service to create a new user inside IDS.
I successfully create the user with the correct name, surname, email, phone number and so on, but my custom field is not updated in my user content store.
On the other hand, if I update the field by data entry and read my user from IDS, I can see my custom attribute XXX correctly.
Can someone help me?

One of the following reasons could be why custom attributes are not updated via the scim2/Users endpoint.
1. Once you add a new local claim, if you want to access/modify its value using the SCIM endpoint, it should be mapped to the SCIM claim dialect. Follow the steps in the Extending SCIM 2.0 User Schemas doc at https://docs.wso2.com/display/IS580/Extending+SCIM+2.0+User+Schemas
2. If the above step is correctly configured, check the request payload to see whether the attribute is correctly defined in the payload. If the attribute is not defined in the expected format, WSO2 IS ignores those attributes.
3. Updating the value by logging in to the management console and editing the user profile through the management console doesn't involve the SCIM APIs. You are directly updating the local claim in the WSO2 local claim dialect. If you have followed the doc mentioned in step 1 and that attribute has a value, GET /scim2/Users/{user-id} should return the attribute in the response.
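The payload check from the answer, as an added example that is not part of the question, the answer or WSO2's own code. It assumes the IS 5.8.0 convention that a custom local claim mapped into the SCIM dialect is exposed under the enterprise user extension schema, so the attribute must sit inside that extension object and the extension URN must be listed in "schemas"; a custom attribute dropped at the top level of the body is exactly the "not defined in the expected format" case that the server ignores. The attribute name XXX, the user values and the list of core attribute names are constructed for illustration.

```python
"""Build and sanity-check a SCIM 2.0 Create User body carrying a custom attribute."""
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Assumption: on IS 5.8.0 custom claims mapped to the SCIM dialect live in this extension.
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed subset of core attribute names; anything else at the top level is suspect.
KNOWN_CORE = {"schemas", "userName", "password", "name", "emails", "phoneNumbers",
              "displayName", "nickName", "active"}


def build_create_user_payload(user_name, password, custom_attrs,
                              extension_schema=ENTERPRISE_EXT, **core):
    """Return the JSON body for POST /scim2/Users.

    Core attributes (name, emails, ...) are passed as keyword arguments. Custom
    attributes are nested under the extension schema, and that schema URN is
    appended to "schemas" so the server knows to parse the extension object.
    """
    payload = {"schemas": [CORE_USER], "userName": user_name, "password": password}
    payload.update(core)
    if custom_attrs:
        payload["schemas"].append(extension_schema)
        payload[extension_schema] = dict(custom_attrs)
    return payload


def find_ignored_attributes(payload, known_core=KNOWN_CORE):
    """Return top-level keys the server would silently drop.

    Reported: a custom attribute placed at the top level instead of under an
    extension object, and an extension object whose URN is absent from "schemas".
    """
    declared = set(payload.get("schemas", []))
    ignored = []
    for key in payload:
        if key in known_core:
            continue
        if key.startswith("urn:") and key in declared:
            continue
        ignored.append(key)
    return ignored


def read_custom_attribute(user_resource, attr, extension_schema=ENTERPRISE_EXT):
    """Extract a custom attribute from a GET /scim2/Users/{id} response (None if absent)."""
    return user_resource.get(extension_schema, {}).get(attr)


if __name__ == "__main__":
    # Constructed sample user; XXX is the custom attribute from the question.
    body = build_create_user_payload("alice", "constructed-password", {"XXX": "custom-value"},
                                     name={"givenName": "Alice", "familyName": "Doe"})
    print(json.dumps(body, indent=2))
    print("ignored:", find_ignored_attributes(body))
```

Run `find_ignored_attributes` over the body your client actually sends before blaming the claim mapping: an empty list means the attribute is at least in a place the server will read, and `read_custom_attribute` on the GET response then tells you whether the mapping in step 1 is working.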

Related

How to send OTP to a user in a custom userstore (The database has only one table)

I have made a custom userstore by overriding the UniqueIDJDBCUserStoreManager class, based on this article https://nishothan-17.medium.com/custom-user-store-manager-for-wso2-identity-server-5-11-0-6e23a4ddf1bb . My database has one table which has the username, password, email, name, and phone number.
I was able to authenticate successfully. However, I am unable to send the OTP to the user's phone number. Can anyone please guide me on how to send OTP to the user? Which properties do I have to set or override? Any help would be highly appreciated.
I could not find any documentation on this so far.
In order to send the SMS OTP to the user, there should be a valid mobile number in the user's profile.
For that, you need to update the mobile claim's mapped attribute accordingly.
Refer to https://is.docs.wso2.com/en/latest/guides/dialects/edit-claim-mapping/ and go to the mobile claim configs. Then update the mapped attributes section.
If you connect the custom userstore as your PRIMARY userstore, change the Mapped Attribute to the DB table's column name (phone number as per the question) for the PRIMARY userstore domain.
If you are connecting this custom userstore as a secondary userstore, add another mapped attribute for the secondary userstore domain and put the DB table's column name.
NOTE: Since you have only one table in the userstore and the mobile number is available as a column in that table, I suggested using that column name as the mapped attribute. Then you have to add additional DB queries under advanced configurations to retrieve that data from the DB.
Then, you have to override the public Map<String, String> getUserPropertyValuesWithID(String userID, String[] propertyNames, String profileName) throws UserStoreException method in your custom userstore manager. You have to invoke your custom DB query inside this overridden method to retrieve the user attributes.
Here is the reference to the default UniqueIDJDBCUserStoreManager's method implementation:
https://github.com/wso2/carbon-kernel/blob/09b67404ec8f4dc2e19d0d730f33c91441c1c63b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java#L437
Once the http://wso2.org/claims/mobile claim value of the user is requested in the SMS OTP flow, the AbstractUserStoreManager resolves the mapped attribute of the claim and hands it over to the relevant userstore manager to resolve the property value.
I guess you are referring to SMS OTP as second-factor authentication. You can refer to this document [1].
And do you have any error trace to see if there are any specific issues to fix?
Refer:
[1] https://is.docs.wso2.com/en/latest/guides/mfa/2fa-sms-otp/

Specifying custom tenant id in REST API

In the SOAP Tenant API I can define my own tenantId (https://docs.wso2.com/display/IS530/Managing+Tenants+with+APIs#ManagingTenantswithAPIs-addTenant()), but in the REST API this ability is not available. The reason I wanted to use a custom tenantId is so that I can map multi-tenancy from the WSO2 domain to my application domain, thus using the id as a bridge. There is an additionalClaims element in the request JSON for the addTenant endpoint, but this element is not returned by the getTenant endpoint. Is there an additional tenant property I can use to store custom information?
The tenant creation REST API doesn't allow you to input the tenant id. But you can use the returned tenant id for the mapping purpose.
Once a tenant is created successfully using the API, it should return a 201 Created status code and you will be able to find the Location header in the response headers. The Location header contains the location of the tenant: https://<Host>:<port>/t/<tenant-domain>/api/server/v1/tenants/<tenant-id>. From this value you can extract the tenant id.
For the second part of the question:
The additionalClaims attribute belongs to tenant owners, not to the core tenant object. When you execute a GET /tenants or GET /tenants/ request, the owner's id and username are returned.
"owners": [
    {
        "id": "af01d6cf-bf5d-440f-b99c-ac482f6dc89f",
        "username": "kim"
    }
]
If you check the tenant owner's profile via the carbon console/console you should see the additional claims added via the request. Moreover, if that added local claim is mapped to a SCIM claim (eg: http://wso2.org/claims/mobile) you can view those user properties via the SCIM GET User API.
eg: https://<host>:<port>/t/<tenant-domain>/scim2/Users/<tenant-owner's-id>
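The two lookups the answer describes, as an added example that is neither the answer's nor WSO2's code: pull the server-assigned tenant id out of the Location header of the 201 response, and turn the owners list of a tenant object into the SCIM URLs where the owner's additional claims can be read. It assumes the Location path shape given above and that the tenant object carries a "domain" field next to "owners"; the host, the tenant domain and the tenant id below are constructed (the owner id is the one shown in the answer).

```python
"""Bridge WSO2 tenants to an application by the returned tenant id."""
from urllib.parse import urlparse

TENANTS_PATH = "/api/server/v1/tenants/"


def tenant_id_from_location(status_code, headers):
    """Return the tenant id from a Create Tenant response, or raise ValueError.

    The header lookup is case-insensitive (HTTP header names are), and the id
    is taken as the single path segment after /api/server/v1/tenants/.
    """
    if status_code != 201:
        raise ValueError(f"tenant not created, status {status_code}")
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        raise ValueError("no Location header in 201 response")
    path = urlparse(location).path.rstrip("/")
    idx = path.find(TENANTS_PATH)
    if idx < 0:
        raise ValueError(f"unexpected Location path: {path}")
    tenant_id = path[idx + len(TENANTS_PATH):]
    if not tenant_id or "/" in tenant_id:
        raise ValueError(f"could not extract tenant id from {location}")
    return tenant_id


def owner_scim_urls(tenant, host):
    """Map each owner username to the SCIM URL of that owner's user resource.

    Assumption: the tenant object has "domain" and "owners" as in GET /tenants.
    The owner's additional claims are user attributes, so they are fetched via
    /t/<tenant-domain>/scim2/Users/<owner-id>, not from the tenant resource.
    """
    domain = tenant["domain"]
    return {o["username"]: f"https://{host}/t/{domain}/scim2/Users/{o['id']}"
            for o in tenant.get("owners", [])}


if __name__ == "__main__":
    # Constructed 201 response headers from POST .../api/server/v1/tenants.
    headers = {"Location": "https://localhost:9443/t/carbon.super/api/server/v1/tenants/"
                           "11111111-2222-4333-8444-555555555555"}
    print(tenant_id_from_location(201, headers))
    tenant = {"domain": "example.com",
              "owners": [{"id": "af01d6cf-bf5d-440f-b99c-ac482f6dc89f", "username": "kim"}]}
    print(owner_scim_urls(tenant, "localhost:9443"))
```

Store the extracted id alongside the tenant domain in your application; the domain is what the `/t/<tenant-domain>/` prefix needs, while the id is the stable key the REST API hands back.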

WSO2 SCIM2.0 API GET USERS empty result

I have configured an LDAP read-only user store and I can see the users from this user store while using the admin panel.
But when I try to call the SCIM 2.0 API to get users, I always get an empty result. What might be the problem?
Request:
GET https://wso2:9443/scim2/Users/?domain=mydomain
Response:
{
    "totalResults": 0,
    "startIndex": 1,
    "itemsPerPage": 0,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ]
}
Enable SCIM for the userstore
First of all, please make sure that you have enabled SCIM for that userstore. By default, SCIM is not enabled for a ReadOnly LDAP userstore. By adding the following config to the deployment.toml file, you can enable SCIM.
[user_store]
scim_enabled = true
If the issue still persists after adding the above config, verify the following claim mapping.
Configure a mapped attribute for the User ID claim.
For SCIM, we need a unique ID for each user to identify them separately. When you create users from WSO2 IS on a SCIM-enabled userstore, we create a random ID for the new user and store it in the "http://wso2.org/claims/userid" claim, which is mapped to the "scimId" attribute.
I presume that you have plugged in a read-only LDAP userstore with an existing set of users. So you may not have values for the "scimId" attribute on this particular user store. That may be the root cause of this issue: these users might not have a scimId, hence they do not have any unique User ID.
Verify
Go to Claims > List > "http://wso2.org/claims".
Go to the edit view of the claim named "User ID" and enable "supported by default" for this claim.
Now go to the list users page and view the profile of a user who belongs to the LDAP userstore.
Please check whether the attribute "User ID" has a value or not.
Optionally, you can check whether there are any values mapped for "http://wso2.org/claims/userid" directly on the ReadOnly LDAP side.
If you have the above issue (there is no mapped attribute for the "http://wso2.org/claims/userid" claim):
Solution
Find an attribute that is unique among the existing users in the ReadOnly LDAP user store.
You can go to the above-mentioned claim edit page and click on "Add Attribute Mapping" under "Mapped Attribute (s)*".
Then select the user store domain, enter the unique attribute name and update.
Check whether the User ID attribute of the user profile is now non-empty.
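The "find a unique attribute" step, as an added example that is not part of the answer or of WSO2: before picking the mapped attribute for http://wso2.org/claims/userid, scan the existing LDAP entries and keep only attributes that every user has, that are single-valued, and whose values never collide, since a user without a value gets no SCIM id and a shared value would make two users indistinguishable. The LDAP entries below are constructed (attribute names such as uid and entryUUID are ordinary LDAP attributes, but the values are made up), and the code reads them from an in-memory list rather than from a directory.

```python
"""Choose a mapped attribute for the User ID claim from existing LDAP entries."""

# Constructed sample entries: attribute -> list of values, as an LDAP search would return.
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "entryUUID": ["aaaaaaaa-0000-4000-8000-000000000001"],
     "mail": ["alice@example.com"], "department": ["sales"], "objectClass": ["inetOrgPerson", "top"]},
    {"uid": ["bob"], "entryUUID": ["aaaaaaaa-0000-4000-8000-000000000002"],
     "mail": ["bob@example.com"], "department": ["sales"], "objectClass": ["inetOrgPerson", "top"]},
    {"uid": ["carol"], "entryUUID": ["aaaaaaaa-0000-4000-8000-000000000003"],
     "department": ["eng"], "objectClass": ["inetOrgPerson", "top"]},  # no mail attribute
]


def unique_attribute_candidates(entries):
    """Return attribute names usable as a SCIM user id, sorted.

    An attribute qualifies only if it is present on every entry, carries exactly
    one non-empty value per entry, and no two entries share that value.
    """
    if not entries:
        return []
    common = set.intersection(*(set(e) for e in entries))
    candidates = []
    for attr in sorted(common):
        values = []
        for entry in entries:
            vals = entry[attr]
            if len(vals) != 1 or not vals[0]:
                values = None  # multi-valued or empty: cannot be an id
                break
            values.append(vals[0])
        if values is not None and len(set(values)) == len(values):
            candidates.append(attr)
    return candidates


def entries_missing_value(entries, attr):
    """Indices of entries with no usable value for attr; these users would show an empty User ID."""
    return [i for i, entry in enumerate(entries)
            if not entry.get(attr) or not entry[attr][0]]


if __name__ == "__main__":
    print("candidates:", unique_attribute_candidates(SAMPLE_ENTRIES))
    print("users without mail:", entries_missing_value(SAMPLE_ENTRIES, "mail"))
```

In the sample, department is rejected because two users share it, objectClass because it is multi-valued, and mail because one user lacks it; uid and entryUUID remain. After updating the mapping, `entries_missing_value` on the chosen attribute is the same check as viewing each profile and confirming the User ID field is non-empty.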

Mandatory service provider claims always asked and not returned in openid profile

I have added a local custom claim named http://wso2.org/claims/fg_imprenditore to the http://wso2.org/claims dialect and mapped it to a custom primary user store attribute (JDBC user store).
The custom claim appears in the user profile and I can set/update the value correctly.
I have defined a new service provider and added the custom claim in Claim Configuration -> Use Local Claim Dialect.
In addition I have edited /_system/config/oidc and modified the openid property to include the new claim as follows: sub,...,street,http://wso2.org/claims/fg_imprenditore
Now the issues.
I ask for a JWT token from a JavaScript client with the following request:
http://**********/?response_type=id_token&client_id=" + "f8SatEWpyi1qvPLVspsDfTbefm0a" + "&scope=openid&redirect_uri=http://localhost:3000/oauth_callback.html&nonce=" + nonce
After login the WSO2 IS server prompts the following message (even if the attribute is already present in the profile): You are trying to login to **** application, but it needs following information filled in the user profile. You can fill those below and proceed with the authentication. But it is advised to fill these information in your Identity Provider profile in order to avoid this step every time you login.
If I fill in the field (correctly) labeled "http://wso2.org/claims/fg_imprenditore" I can proceed. In any case the claim is not returned in the JWT token.
In addition, if I go to the user profile the attribute is set correctly (with the new value!) but if I try to authenticate again I need to fill in the attribute again.
Many thanks for the support.
If you don't mark the claim as mandatory on your Service Provider, it shouldn't request it when you try to log in. Also, in order for the JWT to contain your custom claim you need to map the custom claim to a new custom claim under the OAuth dialect, and then map the new OAuth claim under the OIDC scope you use. It took me a while to get it too, as there isn't sufficient documentation describing these steps. Hope this solves your issue.
This happens because the "http://wso2.org/claims/fg_imprenditore" claim is not mapped to any OIDC claim in WSO2 IS. Do the following to get rid of the issue.
1. Go to List under Claims in the IS Management Console Main tab.
2. Click on http://wso2.org/oidc/claim.
3. Add a new claim with the name fg_imprenditore in the OIDC claim dialect. You will see a drop-down to select "Mapped Local Claim". Map it to http://wso2.org/claims/fg_imprenditore. (Check the "Add External Claim" section in this.)
4. Save the new OIDC claim and try again.
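The claim chain both answers describe, as an added example that is not the answers' or WSO2's code: a requested scope expands to OIDC claim names, each OIDC claim in the http://wso2.org/oidc/claim dialect maps to a local claim, and the local claim's value from the user profile is what lands in the id_token. A scope entry that is not a defined OIDC claim has no local mapping and is dropped, which is why fg_imprenditore never appears until the external claim from step 3 exists. The dialect, scope definition and user profile below are constructed and deliberately small.

```python
"""Model which claims reach an id_token for a requested scope in WSO2 IS."""

# Constructed OIDC dialect: external OIDC claim -> mapped local claim.
OIDC_DIALECT = {
    "sub": "http://wso2.org/claims/username",
    "email": "http://wso2.org/claims/emailaddress",
    "street": "http://wso2.org/claims/streetaddress",
}

# Constructed scope definition (the "openid" property of /_system/config/oidc),
# as it stands after the question's edit: the custom entry is not an OIDC claim yet.
SCOPES = {"openid": ["sub", "email", "street", "fg_imprenditore"]}

# Constructed user profile: local claim -> value.
USER_LOCAL_CLAIMS = {
    "http://wso2.org/claims/username": "mario",
    "http://wso2.org/claims/emailaddress": "mario@example.com",
    "http://wso2.org/claims/fg_imprenditore": "true",
}


def id_token_claims(scopes, user_claims, oidc_dialect=OIDC_DIALECT, scope_map=SCOPES):
    """Return (claims, unmapped).

    claims:   OIDC claim name -> value, for every scope entry that maps to a
              local claim the user actually has a value for.
    unmapped: scope entries with no external claim in the OIDC dialect; they are
              silently skipped by the resolution, never added to the token.
    """
    claims, unmapped = {}, []
    for scope in scopes:
        for oidc_claim in scope_map.get(scope, []):
            local_claim = oidc_dialect.get(oidc_claim)
            if local_claim is None:
                unmapped.append(oidc_claim)
                continue
            if local_claim in user_claims:
                claims[oidc_claim] = user_claims[local_claim]
    return claims, unmapped


def with_external_claim(oidc_dialect, oidc_claim, local_claim):
    """Return a copy of the dialect with one more external claim (the fix in step 3)."""
    fixed = dict(oidc_dialect)
    fixed[oidc_claim] = local_claim
    return fixed


if __name__ == "__main__":
    print("before:", id_token_claims(["openid"], USER_LOCAL_CLAIMS))
    fixed = with_external_claim(OIDC_DIALECT, "fg_imprenditore",
                                "http://wso2.org/claims/fg_imprenditore")
    print("after: ", id_token_claims(["openid"], USER_LOCAL_CLAIMS, oidc_dialect=fixed))
```

Before the fix the model reports fg_imprenditore as unmapped and the token carries only sub and email (street has no value in the profile); after adding the external claim the custom value is included. The same table-driven resolution explains why the scope entry must name the OIDC claim rather than the local claim URI.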

UserProfileMgtService is not able to find user in WSO2 IS 5.2.0

I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that form a cluster (using the WKA membership scheme and a Load Balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so-called WSO2 IS Admin services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass a valid access token to the OAuth2TokenValidationService I am able to populate an OAuth2TokenValidationResponseDTO object by using the Validate method of the OAuth2TokenValidationService. As a result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as the username. For example I am passing the following two parameters to getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as a result I receive the following message:
UserNotFound: User admin#admin.com#carbon.superdoes not exist in: PRIMARY
If I remove the "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using the multitenancy of the IS and there is a case where I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this the desired behavior, and was it introduced because of the change in the API in IS 5.2.0? If so, is there another way to get the user profile using "username"+"tenant-domain" (which is retrieved by the OAuth2TokenValidationService as the authorized user when passing a valid access token)?
Is it possible that this is caused by misconfiguration? If so, which file needs to be updated and what exactly should be modified in it?
Is there a place where more information could be retrieved for the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified by the authenticated user and it should not be passed with the username.
The username should be a tenant-free username.
So, you can remove the carbon.super portion from the username and then it will work.
In a tenant setup, you need to authenticate with a tenant user (e.g. admin#admin.com#test.net) in order to access these APIs. So, like in the super tenant, you can use the tenant-free username and then it will work.
For example, if you want to get the user profile of the user testuser#admin.com in tenant domain test.net, your request should be like the image below.
Thanks
Isura.
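The username handling the answer asks for, as an added example that is not part of the question, the answer or WSO2: split the tenant-qualified authorizedUser returned by OAuth2TokenValidationService into the tenant-free username that getUserProfile expects plus the tenant domain to authenticate against. WSO2 writes the qualified form as <username>@<tenant-domain>; the question renders the separator as "#", so the separator is a parameter. Because the username is itself an email address, the split must be taken at the last separator, and a trailing part that is not a known tenant domain is treated as part of the username. The set of known tenant domains is constructed.

```python
"""Derive a tenant-free username and tenant domain from a tenant-qualified user."""

SUPER_TENANT = "carbon.super"


def split_tenant_qualified(authorized_user, known_tenants, separator="@"):
    """Return (tenant_free_username, tenant_domain).

    Splits at the LAST separator so email usernames survive intact. If the
    trailing part is not a known tenant domain, the whole string is the
    username and the user belongs to the super tenant. known_tenants is the
    set of tenant domains configured on the server (constructed here).
    """
    head, sep, tail = authorized_user.rpartition(separator)
    if sep and tail in known_tenants:
        return head, tail
    return authorized_user, SUPER_TENANT


def profile_request(authorized_user, known_tenants, separator="@", profile_name="default"):
    """Build the getUserProfile arguments and the tenant whose admin session must call them.

    The Admin Service derives the tenant from the authenticated caller, so the
    tenant domain is returned separately instead of being glued to the username.
    """
    username, tenant = split_tenant_qualified(authorized_user, known_tenants, separator)
    return {"userName": username, "profileName": profile_name, "authenticateAs": tenant}


if __name__ == "__main__":
    tenants = {SUPER_TENANT, "test.net", "test2.net"}  # constructed tenant list
    for user in ("admin@admin.com@carbon.super", "admin@admin.com@test.net", "admin@admin.com"):
        print(user, "->", profile_request(user, tenants))
```

The two users from the question, admin@admin.com in test.net and in test2.net, resolve to the same tenant-free username with different tenant domains, which is exactly why the domain has to be carried by the authenticated session rather than by the username argument.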