WSO2 Identity Server 5.10.0 - SCIM2 REST - Get all required attributes? - wso2-identity-server

I'm calling SCIM2 REST service to get user information based on ID but it doesn't return all user data.when I call https://localhost:9444/scim2/Users/8f9d1e34-c340-4ebe-af11-fa0c4575f676 passing username and password (BASIC) I get this payload:
{
"emails": [
{
"type": "home",
"value": "test#test.com"
}
],
"meta": {
"created": "2020-10-09T11:29:42.809803400Z",
"location": "https://localhost:9444/scim2/Users/8f9d1e34-c340-4ebe-af11-fa0c4575f676",
"lastModified": "2020-10-09T11:29:42.809803400Z",
"resourceType": "User"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"roles": [
{
"type": "default",
"value": "Internal/everyone"
}
],
"id": "8f9d1e34-c340-4ebe-af11-fa0c4575f676",
"userName": "test"
}
But this user has more attributes as seem below:
How do I return whole user data?
Thanks in advance

The SCIM GET request on /Users/{user-id} endpoint will return the SCIM user attributes which defined under urn:ietf:params:scim:schemas:core:2.0:User and urn:ietf:params:scim:schemas:extension:enterprise:2.0:User claim dialects (mgt console -> Main Menu-> Identity tab -> Claims -> List). If the particular attribute (i.e local claim) is not mapped to a SCIM user attribute that value won't be returned in the SCIM user GET response.
In order to map such local attributes to SCIM attributes, you can follow the instructions in https://is.docs.wso2.com/en/latest/develop/extending-scim2-user-schemas/#extending-the-scim-20-api.
Moreover,
You can find SCIM core user attribute definitions here. If an attribute's returned characteristic is
Returned.ALWAYS -> Always returned in the response
Returned.DEFAULT -> Return in the response only if that attribute has a value
Returned.NEVER -> Never return in the response

Related

WSO2 SCIM 2 API to get all users by tenant not returning any user

I am using WSO2 identity server 5.7.0, i am calling the api https://[url]:[port]/t/tenantName/scim2/Users GET. The response received is the following with HTTP status 200:
{"totalResults":0,"startIndex":1,"itemsPerPage":0,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"]}
However, the user is not being returned, the tenant has its own admin user only. The expected response (working fine on another environment) is:
{
"totalResults": 1,
"startIndex": 1,
"itemsPerPage": 1,
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"Resources": [
{
"emails": [
"user1#gmail.com"
],
"meta": {
"created": "2023-01-05T13:01:12Z",
"lastModified": "2023-01-05T13:01:12Z"
},
"roles": [
{
"type": "default",
"value": "Internal/subscriber,Internal/creator,Internal/publisher,Internal/everyone,admin"
}
],
"name": {
"givenName": "user1",
"familyName": "user1"
},
"id": "2e86d8e6-7db8-4600-a8bc-f3h1d54d8h6a",
"userName": "user1"
}
]
}
How to fix this? Are there any configuration that should be changed to return all users?
Note: SCIM is enabled in user-mgt.xml file
Recreating a new tenant after enabling the SCIM solved the issue, but the issue remains for the tenant that was created prior to enabling the SCIM.

Callback url value in email for verifying account

This is an extension of Unable to validate account confirmation in WSO2 version 6.0 issue.
I have same regex pattern in my self-registration section. But when I'm creating users using rest API, the link which I got in the email is
https://localhost:9443/accountrecoveryendpoint/confirmregistration.do?confirmation=ce790759-1086-4870-a673-35b5927351d8&userstoredomain=PRIMARY&username=samyu&tenantdomain=carbon.super&callback={{callback}}
and when I created the user using manually the link which I got is
https://localhost:9443/accountrecoveryendpoint/confirmregistration.do?confirmation=dff024e7-d7e7-48ef-bb60-1c1c4d6f3b1c&userstoredomain=PRIMARY&username=sam&tenantdomain=carbon.super&callback=https%3A%2F%2Flocalhost%3A9443%2Fmyaccount.
So, the difference between these two links is that callback. So what configuration should I make in order to get the callback value
When you are trying this from the recovery portal, the callback value is set automatically. If you are trying with the REST API you need to include that in the request. The following is a sample JSON payload.
{
"user": {
"username": "kim",
"realm": "PRIMARY",
"password": "Password12!",
"claims": [
{
"uri": "http://wso2.org/claims/givenname",
"value": "kim"
},
{
"uri": "http://wso2.org/claims/emailaddress",
"value": "kimAndie#gmail.com"
},
{
"uri": "http://wso2.org/claims/lastname",
"value": "Anderson"
},
{
"uri": "http://wso2.org/claims/mobile",
"value": "+947729465558"
}
]
},
"properties": [
{
"key": "callback",
"value": "https://localhost:9443/myaccount"
}
]
}
Notice the way how you need to send the callback when using the REST API.

create user with extended claim with scim2 in wso2

I am trying to create a user with scim2 API in wso2 with my own extended claim
my API request
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"name": {
"familyName": "jackson",
"givenName": "kim"
},
"userName": "test3",
"password": "abc123",
"demoRole":"student",
"emails": [
{
"primary": true,
"value": "kim.jackson#gmail.com",
"type": "home"
},
{
"value": "kim_j#wso2.com",
"type": "work"
}
],
"roles":[
{
"value": "PRIMARY/manager"
}
]
}
and the configuration in scim2-schema-extension.config.xml is
{
"attributeURI":"urn:ietf:params:scim:schemas:core:2.0:User:demoRole",
"attributeName":"demoRole",
"dataType":"string",
"multiValued":"false",
"description":"The displayName of the User's manager.",
"required":"false",
"caseExact":"false",
"mutability":"readwrite",
"returned":"default",
"uniqueness":"none",
"subAttributes":"null",
"canonicalValues":[],
"referenceTypes":["external"]
},
my claim configuration is
Claim URI -> urn:ietf:params:scim:schemas:core:2.0:User:demoRole
Mapped Local Claim -> http://wso2.org/claims/demoRole
Attribute URI for your schema extension should be,
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:demoRole
So, External claim URI for urn:ietf:params:scim:schemas:extension:enterprise:2.0:User will be,
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:demoRole
SCIM2 create user request should contain the demoRole as,
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"demoRole":"student"}
For more details on the schema extension representation, refer the specification

How to get permission list using Keycloak Token

Can't get the User Permission list using Keycloak token. Getting error like keycloak.exceptions.KeycloakAuthorizationConfigError: Keycloak settings not found. Load Authorization Keycloak settings.
Iam using python-keycloak
Keycloak Configuration
keycloak_openid = KeycloakOpenID(server_url=config.server_url,
client_id=config.client_id,
realm_name=config.realm_name,
client_secret_key=config.client_secret_key,
verify=True)
keycloak_openid.load_authorization_config(os.path.join(local_path, 'Dynamic_Client-authz-config.json'))
userinfo = keycloak_openid.get_permissions(token, method_token_info='introspect')
print(userinfo)
Key Cloak Setting File
{
"allowRemoteResourceManagement": false,
"policyEnforcementMode": "PERMISSIVE",
"resources": [
{
"name": "Default Resource",
"type": "urn:Dynamic_Client:resources:default",
"ownerManagedAccess": false,
"attributes": {},
"_id": "2c2a046f-84b2-42a8-a028-c6ae56ad63a1",
"uris": [
"/*"
]
}
],
"policies": [
{
"id": "f570c7e7-8168-4fb8-b05c-4df8be9398d0",
"name": "Default Policy",
"description": "A policy that grants access only for users within this realm",
"type": "js",
"logic": "POSITIVE",
"decisionStrategy": "AFFIRMATIVE",
"config": {
"code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
}
},
{
"id": "836d2453-ad1c-4482-b726-49875a8ba64f",
"name": "Default Permission",
"description": "A permission that applies to the default resource type",
"type": "resource",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"defaultResourceType": "urn:Dynamic_Client:resources:default",
"applyPolicies": "[\"Default Policy\"]"
}
}
],
"scopes": []
}
Please find the solution for my issue
so I am assuming you are looking for the roles?
If so use the introspect token , that worked for me
Introspect Token
token_info = keycloak_openid.introspect(token['access_token'])
print(token_info['resource_access']['client-name']['roles'])
I am able to get the permissions using UMA (mentioned here):
# Get UMA-permissions by token
token = keycloak_openid.token("user", "password")
permissions = keycloak_openid.uma_permissions(token['access_token'])
# Get UMA-permissions by token with specific resource and scope requested
token = keycloak_openid.token("user", "password")
permissions = keycloak_openid.uma_permissions(token['access_token'], permissions="Resource#Scope")
# Get auth status for a specific resource and scope by token
token = keycloak_openid.token("user", "password")
auth_status = keycloak_openid.has_uma_access(token['access_token'], "Resource#Scope")

How can we get the phone number with Google OAuth API and facebook API used for social login?

How can we get the phone number with Google OAuth API login.
I am using scopes as
'scope' : 'https://mail.google.com https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.login '
and the request is as
var request = gapi.client.plus.people.get({'userId': 'me'});
Is there any scope we can use to get it.
I am getting response as with no sight of phone number :
{
"kind": "plus#person",
"etag": "\"vPymIyv1bT9LfmoUujkgN2yLMK0\"",
"gender": "male",
"emails": [
{
"value": "XXX#gmail.com",
"type": "account"
}
],
"urls": [
{
"value": "http://picasaweb.google.com/XXX",
"type": "otherProfile",
"label": "Picasa Web Albums"
}
],
"objectType": "person",
"id": "4354354334435465",
"displayName": "XXXXX YYYY",
"name": {
"familyName": "XXX",
"givenName": "YYYYY"
},
"url": "https://plus.google.com/1100335464643327",
"image": {
"url": "https://lh3.googleusercontent.com/-fgsdgfgU9-jU/AAAAAAAAAAI/AAAAAAAADkM/fgffdgdkM/photo.jpg?sz=50",
"isDefault": false
},
"isPlusUser": true,
"language": "en",
"ageRange": {
"min": 21
},
"circledByCount": 59,
"verified": false
}
if you want to get user phone numbers you have to have authorization from the user: see the following info page : https://developers.google.com/admin-sdk/directory/v1/guides/authorizing
ask the user for this scope of authorization :
https://www.googleapis.com/auth/admin.directory.user.readonly
after you have authorization from user run the folowing request :
GET https://www.googleapis.com/admin/directory/v1/users/userKey
the response will be a JSON response formatted as followed:
https://developers.google.com/admin-sdk/directory/v1/reference/users#resource
one of the attributes is phone list.
hope it helps.
You can use google's people API to get the user's phone numbers.
To explore more you can try yourself.
Steps to explore:
Visit this link.
Select https://www.googleapis.com/auth/user.phonenumbers.read permission in People API v1 section
Click on Authorize API
Choose the account to log in
Grant permission
Click Exchange authorization code for tokens
Enter https://people.googleapis.com/v1/people/138262720636785143353?personFields=phoneNumbers,emailAddresses link, make sure you replace the UID
Click on send request to see the response