I am using SCIM api for registering a user
curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"Smith","givenName":"Paul"},"userName":"Paul","password":"password","emails":[{"primary":true,"value":"paul#somemail.com"}],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{askPassword:"true"}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users
I got a
Create Password for New Account
email to my primary email address with a confirmation code.
How to validate this confirmation code with wso2is using SCIM 2?
In REST API there is an option to validate code.
I tried REST API
curl -k -v -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{ "code": "84325529-8aa7-4851-8751-5980a7f2d9f7","properties": []}' "https://localhost:9443/api/identity/user/v1.0/validate-code"
it returns in case of invalid code
{
"code": "18001",
"message": "Bad Request",
"description": "Invalid Code '84325529-8aa7-4851-8751-5980a7f2d9f7'"
}
in the case valid code it returns
{
"code": "18001",
"message": "Bad Request",
"description": "Invalid Code '%s.'"
}
no console error
Validate code worked with REST API work flow
There is no such SCIM APIs in WSO2 Identity Server to validate the confirmation codes. WSO2 Identity Server has a soap API (UserInformationRecoveryService-verifyConfirmationCode) and a REST API (/validate-code) that can fulfill your requirement.
You can find the SOAP API here.
I am editing my answer here since I talked with the developers and I realised there is a different API that you need to use for validating the confirmation code: documentation.
So you need to send the following request:
curl -k -v -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{ "code": "84325529-8aa7-4851-8751-5980a7f2d9f7","step": "UPDATE_PASSWORD","properties": []}' "https://localhost:9443/api/identity/recovery/v0.9/validate-code"
and the response should be
"HTTP/1.1 202 Accepted"
I tried it and it works.
Note: if you are using SCIM identity through a system like a self-managed GitLab, GitLab 15.3 (August 2022) offers a better integration:
User SCIM identity visible in UI
Previously, the SCIM identity for a user could only be accessed using the SCIM API.
Now, a user’s SCIM identity is visible to GitLab administrators in the Identities tab of the User list. With
this, troubleshooting of SCIM-related issues is simplified. Administrators can validate what identity, if any, is
being used for a specific account without requiring GitLab Support or an API query.
See Documentation and Issue.
Related
I am using wso2 API manager 3.1.0
I am using REST APIs for creating the subscriptions for the application. I am using the REST API
https://x.x.x.x:9443/apis/api/am/store/v1.0/subscriptions
I am using basic auth for the authentication of the API. My request body is as follows.
{
"applicationId": "6451faaa-65aa-48dc-8655-2ffb623fc441",
"apiId": "ed94f936-7e8a-4c62-92e6-92991aca4348",
"throttlingPolicy": "Unlimited"
}
When I send this request I am getting the 200 OK response but the content of the 200 OK is the management console login page. This is one issue I am facing. Another issue is a very basic one- I am trying to get the applications created in the system for that I am using below API
https://x.x.x.x:9443/api/am/store/v1.0/applications?limit=25&offset=0
again with basic authorization. for this request I am getting the 404 response. Same response I get if I change the authentication to Oauth token.
I tried these APIs with multiple tenant users credentials but for all I am getting the same response.
UPDATE:
I have obtained the access token like below:
1. curl --insecure -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d #payload.json https://localhost:9443/client-registration/v0.16/register
I got the response
{"clientId":"MPPomfxrQ_ZReRlHz0x70pU6yLca","clientName":"rest_api_store","callBackURL":"www.google.lk","clientSecret":"dQrYXtwMG8fB4Qhu7NfC1uqLAkwa","isSaasApplication":true,"appOwner":"admin","jsonString":"{\"grant_types\":\"password refresh_token\",\"redirect_uris\":\"www.google.lk\",\"client_name\":\"rest_api_store\"}","jsonAppAttribute":"{}","tokenType":null}
2. curl -k -d "grant_type=password&username=admin&password=admin&scope=apim:subscribe" -H "Authorization: Basic TVBQb21meHJRX1pSZVJsSHoweDcwcFU2eUxjYTpkUXJZWHR3TUc4ZkI0UWh1N05mQzF1cUxBa3dh" https://10.57.8.36:9443/oauth2/token
and I got the response
{"access_token":"194d3a3c-8f37-3459-a909-f1f871f096dc","refresh_token":"be7bfcb5-970d-3a8b-8f0a-d69fb7ea53fb","scope":"apim:subscribe","token_type":"Bearer","expires_in":3600}
using the obtained token if I place the API request I get still 404
I'm testing WSO2 5.10 user creation via SCIM Rest API using the following curl command
curl -v -k --user admin:admin --data "{"schemas":[],"name":{"familyName":"Smith","givenName":"John"},"userName":"john","password":"password","emails":[{"primary":true,"value":"jsmith#test.com","type":"home"},{"value":"jsmith#test.com","type":"work"},{"value":"jsmith#test.com"}],"EnterpriseUser":{askPassword:"true"}}" --header "Content-Type:application/json" https://localhost:9443/scim2/Users
It creates a user as expected but doesn't send an email to set up a password.
However, when an admin tries to create a user through the management console for the same scenario, the user receives an email to set up a password. But not through this API request.
What am I doing wrong?
You need to set the askPassword attribute under the urn:ietf:params:scim:schemas:extension:enterprise:2.0:User schema as true in the SCIM2 user create request. So try the request as below,
curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"Smith","givenName":"John"},"userName":"john","password":"password","emails":[{"primary":true,"value":"jsmith#test.com","type":"home"},{"value":"jsmith#test.com","type":"work"},{"value":"jsmith#test.com"}],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{askPassword:"true"}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users
Please refer the official documentation for more details.
I tried to access Google's Datastore through their REST Api. It says that they allow authentication through the API-key. However it doesn't seems that I can get it to work any where. I copied the snippet generated from their Try this API page.
curl --request POST \
'https://datastore.googleapis.com/v1/projects/PROJECT_ID:runQuery?key=[YOUR_API_KEY]' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{"query":{"filter":{"compositeFilter":{"op":"AND","filters":[{"propertyFilter":{"property":{"name":"id"},"op":"EQUAL","value":{"stringValue":"ID"}}}]}},"kind":[{"name":"NAME"}]},"partitionId":{"namespaceId":"NAMESPACE_ID","projectId":"PROJECT_ID"}}' \
--compressed
But it keeps returning me an 401 error.
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
It looks like it require me to use OAuth instead, which is not what their documentation says. Anyone experienced something similar?
You are using an API key which is incorrect.
This link details which services support API Keys. Cloud Datastore is not one of them.
Using API Keys
You want to use an Access Token which is derived from Service Account credentials.
Review this document.
Using OAuth 2.0
The steps to generate an Access Token:
Load the service account credentials json file.
Extract the client_email, private_key and private_key_id.
Create a json payload.
Call the authorization URL: https://www.googleapis.com/oauth2/v4/token
This returns a json object. Extract the access_token.
Use the access_token instead of an API Key.
There are examples on the Internet in various languages. The link will get you started. The process appears complicated, and it is, but once you understand it, generating Access Tokens is easy and they can be reused until they expire (typically 60 minutes which you control).
This document on Google Cloud Storage authentication is the same for Cloud Datastore. The key is understanding "Authorization: Bearer" which is a header you need to include with your curl request.
Authentication
Are there any wso2 scim apis that help in password resets? I have tried using the normal user update but it does not seem to work and there was no mention of an api specific to password reset. I am using a node app to access wso2. Any help would be appreciated.
You can change the password using a SCIM PUT or a PATCH request for the particular user.
Ex. for SCIM PATCH request
curl -v -k --user admin:admin -X PATCH -d '{"schemas":[],"name":{"familyName":"Doe","givenName":"John"},"userName":"john", "password":"test123", "emails":[{"value":"john#acme.com","type":"work"},{"value":"john#home.com","type":"home"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users/3bb710ba-32c8-4469-82ae-67ecd11e58f9
I am recently doing projects on openstack. I start it. I want to access openstack account through RESTful API. I read the API guide in the official website. The link is here http://developer.openstack.org/api-guide/quick-start/api-quick-start.html#authenticate.
I do the same way to do the authentication.
Here is my command:
curl -s -X POST https://url:5000/v2.0/tokens -H "Content-Type: application/json" -d '{"auth": {"tenantName": "MyTenantName", "passwordCredentials": {"username": "'"myAccountNme"'", "password": "mypassword"}}}'
But everytime I just get 401 (Unauthorized) response said The request you have made requires authentication. The error message is here.
What's wrong with my request? My username and password is correct, I can use it to access my account from dashboard.
Since you are using https, I think you get the error message because you do not specify a certificate. Use the --cert or --cacert option of curl. Something like this:
curl --cacert <your_crt_file> -X POST https://url:5000/v2.0/tokens -H "Content-Type: application/json" -d '{"auth": {"tenantName": "MyTenantName", "passwordCredentials": {"username": "'"myAccountNme"'", "password": "mypassword"}}}'