I have configured an LDAP read-only user store and I can see the users from this user store while using the admin panel.
But when I try to call the SCIM 2.0 API to get users, I always get an empty result. What might be the problem?
Request:
GET https://wso2:9443/scim2/Users/?domain=mydomain
Response:
{
"totalResults": 0,
"startIndex": 1,
"itemsPerPage": 0,
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
Enable SCIM for the userstore
First of all, please make sure that you have enabled SCIM for that userstore. By default, SCIM is not enabled for the ReadOnly LDAP userstore. By adding the following config in the deployment.toml file, you can enable SCIM.
[user_store]
scim_enabled = true
If the issue still persists after adding the above config, verify the following claim mapping.
Configure a mapped attribute for the User ID claim.
For SCIM, we need a unique ID for each user to identify them separately. When you are creating users from WSO2 IS on a SCIM-enabled userstore, we create a random ID for the new users and store it in the "http://wso2.org/claims/userid" claim, which is mapped to the "scimId" attribute.
I presume that you have plugged in a read-only LDAP userstore with an existing set of users. So you may not have values for the "scimId" attribute on this particular user store. That may be the root cause of this issue: these users might not have the scimId, hence do not have any unique User ID.
Verify
Claims > List > "http://wso2.org/claims".
Go to the edit view of the claim named "User ID" and enable support by default for this claim.
Now go to the list users page and view the profile of a user who belongs to the LDAP userstore
Please check whether the attribute "User ID" has a value or not.
Optionally, you can check whether there are any values mapped for "http://wso2.org/claims/userid" directly from the ReadOnlyLDAP side.
If you have the above issue (there is no mapped attribute for the "http://wso2.org/claims/userid" claim):
Solution
Find an attribute that is unique among the existing users in the ReadOnly LDAP user store.
You can go to the above-mentioned claim edit page and click on "Add Attribute Mapping" under "Mapped Attribute (s)*".
Then select the user store domain, enter the unique attribute name and update.
Check that the User ID attribute of the user profile is now non-empty.
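The two checks in the answer above, as an added example that is not part of the original answer or of WSO2 IS: the first function recognises the empty ListResponse from the question; the second scans a set of LDAP entries for attributes that every entry carries with a distinct value, which are the only attributes that qualify for the User ID mapping; the third lists the users whose "User ID" would still be empty for a given mapping. The LDAP entries are constructed sample data.

```python
"""Diagnose an empty SCIM2 ListResponse and pick an LDAP attribute that can be
mapped to http://wso2.org/claims/userid for a read-only store.

Added example, not code from the original answer or from WSO2 IS. The SCIM
response copies the one in the question; the LDAP entries are constructed
sample data."""
import json

USER_ID_CLAIM = "http://wso2.org/claims/userid"
LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed copy of the empty response shown in the question.
SAMPLE_LIST_RESPONSE = json.dumps({
    "totalResults": 0,
    "startIndex": 1,
    "itemsPerPage": 0,
    "schemas": [LIST_RESPONSE_SCHEMA],
})

# Constructed entries as a read-only LDAP store might return them. Note that
# "mail" is shared by two users and "employeeNumber" is missing on one.
SAMPLE_LDAP_ENTRIES = [
    {"uid": "alice", "cn": "Alice Adams", "mail": "alice@example.test",
     "employeeNumber": "1001", "entryUUID": "5a1c0e3e-0001-4c2d-9d3b-aaaaaaaaaaaa"},
    {"uid": "bob", "cn": "Bob Brown", "mail": "bob@example.test",
     "employeeNumber": "1002", "entryUUID": "5a1c0e3e-0002-4c2d-9d3b-bbbbbbbbbbbb"},
    {"uid": "carol", "cn": "Carol Clark", "mail": "shared@example.test",
     "entryUUID": "5a1c0e3e-0003-4c2d-9d3b-cccccccccccc"},
    {"uid": "dave", "cn": "Dave Dunn", "mail": "shared@example.test",
     "employeeNumber": "1004", "entryUUID": "5a1c0e3e-0004-4c2d-9d3b-dddddddddddd"},
]


def scim_list_is_empty(body: str) -> bool:
    """True when a SCIM2 ListResponse carries no resources (the question's symptom)."""
    data = json.loads(body)
    if LIST_RESPONSE_SCHEMA not in data.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    return data.get("totalResults", 0) == 0 and not data.get("Resources")


def candidate_userid_attributes(entries):
    """Attributes present on every entry, never empty, and distinct across
    entries: the ones that qualify as a User ID mapping for this store."""
    if not entries:
        return []
    common = set.intersection(*(set(e) for e in entries))
    candidates = []
    for attr in sorted(common):
        values = [e[attr] for e in entries]
        if all(v not in (None, "") for v in values) and len(set(values)) == len(values):
            candidates.append(attr)
    return candidates


def users_without_userid(entries, mapped_attribute):
    """uids that would show an empty "User ID" in the profile view, given the
    attribute currently mapped to the claim for this domain (None = unmapped)."""
    if mapped_attribute is None:
        return [e["uid"] for e in entries]
    return [e["uid"] for e in entries if not e.get(mapped_attribute)]


if __name__ == "__main__":
    print("empty list     :", scim_list_is_empty(SAMPLE_LIST_RESPONSE))
    print("candidates     :", candidate_userid_attributes(SAMPLE_LDAP_ENTRIES))
    print("unmapped       :", users_without_userid(SAMPLE_LDAP_ENTRIES, None))
    print("employeeNumber :", users_without_userid(SAMPLE_LDAP_ENTRIES, "employeeNumber"))
```

On the sample data, "mail" is rejected because two users share it and "employeeNumber" because one user lacks it, leaving cn, entryUUID and uid. Of those, prefer an attribute that never changes: entryUUID in OpenLDAP (an operational attribute, so a directory search returns it only when it is requested explicitly) or objectGUID in Active Directory; a cn or uid can be renamed, and a renamed user would then get a new SCIM id.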
Related
I have made a custom userstore by overriding the UniqueIDJDBCUserStoreManager class, based on this article https://nishothan-17.medium.com/custom-user-store-manager-for-wso2-identity-server-5-11-0-6e23a4ddf1bb . My database has one table which has the username, password, email, name, and phone number.
I was able to authenticate successfully. However, I am unable to send the OTP to the user's phone number. Can anyone please guide me on how to send the OTP to the user? Which properties do I have to set or override? Any help would be highly appreciated.
I could not find any documentation on this so far.
In order to send the SMS OTP to the user, there should be a valid mobile number in the user's profile.
For that you need to update the mobile claim's mapped attribute accordingly.
Refer to https://is.docs.wso2.com/en/latest/guides/dialects/edit-claim-mapping/ and go to mobile claim configs. Then update the mapped attributes section.
If you connect the custom userstore as your PRIMARY userstore, change the Mapped Attribute to the DB table's column name (phone number as per the question) for the PRIMARY userstore domain.
If you are connecting this custom userstore as a secondary userstore, add another mapped attribute for the secondary userstore domain and put the DB table's column name.
NOTE: Since you have only one table in the userstore and the mobile number is available as a column in that table, I suggested using that column name as the mapped attribute. Then you have to add additional DB queries under advanced configurations to retrieve that data from the DB.
Then, you have to override the public Map<String, String> getUserPropertyValuesWithID(String userID, String[] propertyNames, String profileName) throws UserStoreException method in your custom userstore manager. You have to invoke your custom DB query inside this overridden method to retrieve the user attributes.
Here is the reference to the default UniqueIDJDBCUserStoreManager's method implementation:
https://github.com/wso2/carbon-kernel/blob/09b67404ec8f4dc2e19d0d730f33c91441c1c63b/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/UniqueIDJDBCUserStoreManager.java#L437
Once the http://wso2.org/claims/mobile claim value of the user is requested in the SMS OTP flow, the AbstractUserStoreManager resolves the mapped attribute of the claim and hands it over to the relevant userstore manager to resolve the property value.
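The resolution path described in the answer above, as an added example that is neither the answer's nor WSO2's code: a per-domain claim mapping table turns the mobile claim into a column name, and a stand-in for the custom single-table user store answers a getUserPropertyValuesWithID-style lookup against an in-memory SQLite table. The table layout, column names and domain names are assumptions made for this example.

```python
"""How http://wso2.org/claims/mobile reaches a custom single-table user store.

Added example, not code from the original answer or from WSO2 IS. The table,
its column names and the per-domain claim mappings are assumptions."""
import sqlite3

MOBILE_CLAIM = "http://wso2.org/claims/mobile"
EMAIL_CLAIM = "http://wso2.org/claims/emailaddress"

# Mapped attribute per user store domain, as entered on the claim's edit page.
# PRIMARY keeps the stock attribute name; the custom store (here connected as a
# secondary store called CUSTOM) maps the claim to its own column name.
CLAIM_MAPPINGS = {
    MOBILE_CLAIM: {"PRIMARY": "mobile", "CUSTOM": "phone_number"},
    EMAIL_CLAIM: {"PRIMARY": "mail", "CUSTOM": "email"},
}


def resolve_mapped_attribute(claim, domain):
    """The step the AbstractUserStoreManager performs: claim + domain -> attribute."""
    try:
        return CLAIM_MAPPINGS[claim][domain]
    except KeyError:
        raise LookupError(f"{claim} has no mapped attribute for domain {domain}")


class SingleTableUserStore:
    """Stand-in for a custom UniqueIDJDBCUserStoreManager over one users table."""

    # Property names arrive from claim configuration and are interpolated into
    # SQL, so they are restricted to known columns; the password column is
    # deliberately not readable as a user property.
    READABLE_COLUMNS = {"username", "email", "name", "phone_number"}

    def __init__(self, conn):
        self.conn = conn

    def get_user_property_values_with_id(self, user_id, property_names):
        """Counterpart of getUserPropertyValuesWithID for this table."""
        unknown = [p for p in property_names if p not in self.READABLE_COLUMNS]
        if unknown:
            raise ValueError(f"unknown or non-readable properties: {unknown}")
        columns = ", ".join(property_names)
        row = self.conn.execute(
            f"SELECT {columns} FROM users WHERE user_id = ?", (user_id,)
        ).fetchone()
        if row is None:
            return {}
        return {p: v for p, v in zip(property_names, row) if v is not None}


def get_claim_value(store, domain, user_id, claim):
    """What the SMS OTP flow effectively asks for: one claim value of one user."""
    attribute = resolve_mapped_attribute(claim, domain)
    return store.get_user_property_values_with_id(user_id, [attribute]).get(attribute)


def make_sample_store():
    """Constructed in-memory copy of the single table from the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id TEXT PRIMARY KEY, username TEXT, "
        "password TEXT, email TEXT, name TEXT, phone_number TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", [
        ("u-1", "alice", "<hash>", "alice@example.test", "Alice", "+15550100"),
        ("u-2", "bob", "<hash>", "bob@example.test", "Bob", None),
    ])
    return SingleTableUserStore(conn)


if __name__ == "__main__":
    store = make_sample_store()
    print(get_claim_value(store, "CUSTOM", "u-1", MOBILE_CLAIM))  # has a mobile number
    print(get_claim_value(store, "CUSTOM", "u-2", MOBILE_CLAIM))  # no number: OTP cannot be sent
```

A user whose column is NULL gets no value back, which is the situation the answer describes: the OTP step needs a non-empty mobile claim, so the mapping and the column content both have to be right.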
I guess you are referring to SMS OTP as a second-factor authentication. You can refer to this document [1].
And do you have any error trace, to see if there are any specific issues to fix?
Refer:
[1] https://is.docs.wso2.com/en/latest/guides/mfa/2fa-sms-otp/
In my WSO2 Identity Server (v5.8.0), I have added one custom attribute named XXX.
Then, in my web client application, I invoke /scim2/Users service to create new user inside IDS.
I successfully create user with correct name, surname, email, phone number and so on, but my custom field is not updated in my user content store.
On the other hand, if I update the field by data entry and read my user from IDS, I can see my custom attribute XXX correctly.
Can someone help me?
One of the following reasons could be why custom attributes are not updated via the scim2/Users endpoint.
Once you add a new local claim, if you want to access/modify its value using the SCIM endpoint it should be mapped to the SCIM claim dialect. Follow the steps in the extending SCIM user claims doc at https://docs.wso2.com/display/IS580/Extending+SCIM+2.0+User+Schemas
If the above step is correctly configured, check the request payload to see whether the attribute is correctly defined in the payload. If the attribute is not defined in the expected format, WSO2 IS ignores those attributes.
When you update the value by logging in to the management console and viewing the user profile, that doesn't involve the SCIM APIs. You are directly updating the local claim in the WSO2 local claim dialect. If you have followed the doc mentioned in step 1 and that attribute has a value, GET /scim2/Users/{user-id} should return the attribute in the response.
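The payload check in step 2 of the answer above, as an added example that is not part of the answer or of WSO2 IS: a custom attribute has to sit inside the extension schema it was added to, and that schema has to be listed under "schemas"; a custom key placed at the top level of the body is exactly what gets dropped. The extension URI used here is an assumption (which extension a custom attribute lives in depends on the IS version and on the schema extension config); substitute the URI your deployment declares.

```python
"""Build a SCIM2 create-user payload whose custom attribute lives in a declared
extension schema, and flag top-level attributes that WSO2 IS would ignore.

Added example, not code from the original answer or from WSO2 IS. The
extension URI below is an assumption for this example; use the URI that your
deployment's SCIM schema extension config declares for the attribute."""
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Assumed extension schema that the custom attribute XXX was added to.
CUSTOM_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Attributes defined by the SCIM 2.0 core User schema (RFC 7643 section 4.1).
CORE_USER_ATTRIBUTES = {
    "id", "externalId", "meta", "schemas", "userName", "name", "displayName",
    "nickName", "profileUrl", "title", "userType", "preferredLanguage",
    "locale", "timezone", "active", "password", "emails", "phoneNumbers",
    "ims", "photos", "addresses", "groups", "entitlements", "roles",
    "x509Certificates",
}


def build_user_payload(user_name, password, email, custom_attrs, extension=CUSTOM_EXT):
    """Put custom attributes under their extension object and declare that
    extension in "schemas"; that is the shape IS accepts for non-core attributes."""
    return {
        "schemas": [CORE_USER, extension],
        "userName": user_name,
        "password": password,
        "emails": [{"value": email, "primary": True}],
        extension: dict(custom_attrs),
    }


def ignored_attributes(payload):
    """Top-level keys that are neither core attributes nor a declared extension
    object. IS drops these silently, which matches the symptom in the question."""
    declared = set(payload.get("schemas", []))
    return [k for k in payload if k not in CORE_USER_ATTRIBUTES and k not in declared]


def undeclared_extensions(payload):
    """Extension objects present in the body but missing from "schemas"."""
    declared = set(payload.get("schemas", []))
    return [k for k, v in payload.items()
            if isinstance(v, dict) and k.startswith("urn:") and k not in declared]


if __name__ == "__main__":
    good = build_user_payload("kim", "S3cret!pw", "kim@example.test", {"XXX": "value"})
    print(json.dumps(good, indent=2))
    # Constructed body with the custom attribute at the top level: XXX is dropped.
    flat = {"schemas": [CORE_USER], "userName": "kim", "XXX": "value"}
    print("ignored:", ignored_attributes(flat))
```

Run the checks against the exact body your client sends (POST for creation, PUT or PATCH for updates) before looking elsewhere; the server does not reject a misplaced attribute, it simply leaves it out, so the request still returns a success status.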
In the SOAP Tenant API I can define my own tenantId (https://docs.wso2.com/display/IS530/Managing+Tenants+with+APIs#ManagingTenantswithAPIs-addTenant()), but in the REST API this ability is not available. The reason I wanted to use a custom tenantId is so that I can map multi-tenancy from the WSO2 domain to my application domain, thus using the id as a bridge. There is an additionalClaims element in the request JSON for the addTenant endpoint, but this element is not returned in the getTenant endpoint. Is there an additional tenant property I can use to store custom information?
The tenant creation REST API doesn't allow you to input the tenant id. But you can use the returned tenant id for the mapping purpose.
Once a tenant is created successfully using the API, it should return a 201 Created status code and you will be able to find the Location header in the response headers. The Location header contains the location of the tenant: https://<Host>:<port>/t/<tenant-domain>/api/server/v1/tenants/<tenant-id>. From this value you can extract the tenant id.
For the second part of the question:
The additionalClaims attribute belongs to tenant owners, not to the core tenant object. When you execute a GET /tenants or GET /tenants/ request, the owner's id and username are returned.
"owners": [
{
"id": "af01d6cf-bf5d-440f-b99c-ac482f6dc89f",
"username": "kim"
}
]
If you check the tenant owner's profile via the carbon console/console, you should see the additional claims added via the request. Moreover, if that added local claim is mapped to a SCIM claim (e.g. http://wso2.org/claims/mobile), you can view those user properties via the SCIM GET User API.
e.g. https://<host>:<port>/t/<tenant-domain>/scim2/Users/<tenant-owner's-id>
I'm setting up an OIDC provider for a Cognito user pool. The OpenID Connect service I'm using is PayPal. At the step where PayPal issues the code and redirects to Cognito's /oauth2/idpresponse endpoint, after which Cognito is supposed to exchange the code for an access token, I'm receiving an "Exception processing authorization code" error. As you can see, the error message is not very descriptive.
I have no idea what I'm doing wrong. I did set up OpenID Connect properly. Set up client settings in Cognito, etc.
These are the endpoints I'm using for openid connect:
https://www.sandbox.paypal.com/signin/authorize
https://api.sandbox.paypal.com/v1/identity/openidconnect/tokenservice
https://api.sandbox.paypal.com/v1/oauth2/token/userinfo
https://api.sandbox.paypal.com/v1/oauth2/certs
In the app client settings I have the auth code grant flow and implicit flow enabled. I have a custom domain set up. I provided the PayPal client id and secret.
My guess is that if I'm able to somehow debug the idpresponse endpoint I should be able to solve the problem. Is there any way to do that? Maybe CloudWatch?
I don't know about debugging Cognito's endpoints, but I had the same problem and fixed it by doing the following:
Go to your User Pool in AWS.
In the side navigation under Federation, select Attribute mapping.
Click the tab of the identity provider you're having issues with (in my case it was Google).
There should be three columns, Capture, Google attribute, and User pool attribute. Make sure all of the attributes that are checked in the Capture column are mapped to an attribute in the User pool attribute column.
UPDATE:
After submitting this answer, I realized that the checkboxes in the Capture column are not checked by default. If you marked any attributes as required in the Attributes section of your user pool, then you need to map those attributes to the attributes provided by your external identity providers.
For example, I marked email as a required attribute in my user pool settings. So, when I added Google as an identity provider, I had to go to Federation->Attribute mapping, click on the tab for Google, check the box in the Capture column next to email, and select Email from the dropdown box in the User pool attribute column.
After taking these steps, the sign-in workflow worked for me.
My guess is the auth flow works just fine between Cognito and your identity provider, but Cognito doesn't know how to map the attributes returned from the identity provider to the attributes you have set in your user pool (in General settings->Attributes under the Which standard attributes are required section).
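The mismatch the answer above ends on, checked offline as an added example that is neither the answer's code nor anything from AWS: compare the attributes marked Required in the user pool schema with the keys of the identity provider's attribute mapping and report the ones that no provider claim feeds. The two dicts follow the response shapes of boto3's describe_user_pool and describe_identity_provider; their contents (pool id, provider name, attributes) are constructed sample data.

```python
"""Offline check that every attribute marked Required in a Cognito user pool
has an entry in the federated identity provider's attribute mapping.

Added example, not code from the original answer or from AWS. The two dicts
follow the response shapes of boto3's describe_user_pool and
describe_identity_provider, but their contents are constructed sample data."""

SAMPLE_USER_POOL = {
    "UserPool": {
        "Id": "us-east-1_sample",
        "SchemaAttributes": [
            {"Name": "sub", "Required": True, "Mutable": False},
            {"Name": "email", "Required": True, "Mutable": True},
            {"Name": "name", "Required": False, "Mutable": True},
            {"Name": "phone_number", "Required": True, "Mutable": True},
        ],
    }
}

# AttributeMapping keys are user pool attributes, values are the provider's
# claim names. phone_number is required above but has no mapping here.
SAMPLE_IDP = {
    "IdentityProvider": {
        "ProviderName": "PayPalOIDC",
        "ProviderType": "OIDC",
        "AttributeMapping": {"username": "sub", "email": "email"},
    }
}


def required_attributes(user_pool):
    """Required schema attributes that must be supplied by the external IdP.
    'sub' is excluded: Cognito assigns it itself, it is never mapped."""
    attrs = user_pool["UserPool"]["SchemaAttributes"]
    return sorted(a["Name"] for a in attrs if a.get("Required") and a["Name"] != "sub")


def unmapped_required_attributes(user_pool, idp):
    """Required attributes that no provider claim is mapped to; any entry here
    makes federated sign-in fail after the IdP redirects back to Cognito."""
    mapping = idp["IdentityProvider"].get("AttributeMapping", {})
    return [a for a in required_attributes(user_pool) if a not in mapping]


def mapping_with(idp, extra):
    """The complete mapping to apply afterwards, merged with the existing
    entries so that nothing already mapped is lost."""
    merged = dict(idp["IdentityProvider"].get("AttributeMapping", {}))
    merged.update(extra)
    return merged


if __name__ == "__main__":
    print("unmapped required:", unmapped_required_attributes(SAMPLE_USER_POOL, SAMPLE_IDP))
    print("fixed mapping    :", mapping_with(SAMPLE_IDP, {"phone_number": "phone_number"}))
```

With live data, feed the output of `aws cognito-idp describe-user-pool` and `aws cognito-idp describe-identity-provider` to the two functions, then apply the merged mapping with `aws cognito-idp update-identity-provider --attribute-mapping`. For an OIDC provider the mapping values are the claim names the provider's userinfo endpoint returns, so the required attribute also has to be a claim the provider actually issues.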
I have added a local custom claim namely http://wso2.org/claims/fg_imprenditore to http://wso2.org/claims dialect and mapped it on a custom primary user store attribute (JDBC user store).
The custom claim appears in the user profile and I can set/update the value correctly.
I have defined a new service provider and added the custom claim in Claim Configuration -> Use Local Claim Dialect.
In addition I have edited /_system/config/oidc and modified the openid property to include the new claim as follows: sub,...,street,http://wso2.org/claims/fg_imprenditore
Now the issues.
I request a JWT token from a JavaScript client with the following request:
http://**********/?response_type=id_token&client_id=" + "f8SatEWpyi1qvPLVspsDfTbefm0a" + "&scope=openid&redirect_uri=http://localhost:3000/oauth_callback.html&nonce=" + nonce
After login the WSO2is server prompts the following message (even if the attribute is already present in the profile): You are trying to login to **** application, but it needs following information filled in the user profile. You can fill those below and proceed with the authentication. But it is advised to fill these information in your Identity Provider profile in order to avoid this step every time you login.
If I fill the field (correctly) labeled "http://wso2.org/claims/fg_imprenditore" I can proceed. In any case the claim is not returned in the JWT Token.
In addition, if I go to the user profile the attribute is set correctly (with the new value!), but if I try to authenticate again I need to fill in the attribute again.
Many thanks for the support.
If you don't mark the claim as mandatory on your Service Provider, it shouldn't request it when you try to log in. Also, in order for the JWT to contain your custom claim, you need to map the custom claim to a new custom claim under the OAuth dialect, and then map the new OAuth claim under the OIDC scope you use. It took me a while to get it too, as there isn't sufficient documentation describing these steps. Hope this solves your issue.
This happens because the "http://wso2.org/claims/fg_imprenditore" claim is not mapped to any OIDC claim in WSO2 IS. Do the following to get rid of the issue.
Go to List under Claims in IS Management Console Main tab.
Click on http://wso2.org/oidc/claim
Add a new claim with the name fg_imprenditore in the OIDC claim dialect. You will see a drop-down to select "Mapped Local Claim". Map it to http://wso2.org/claims/fg_imprenditore. (Check the "Add External Claim" section in this.)
Save the new OIDC claim and try again.
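The three configuration tables the two answers above refer to, as an added example that is not part of either answer or of WSO2 IS: the service provider's requested local claims, the OIDC dialect (external claim name to local claim), and the scope's claim list. The model reproduces the question's setup, in which the local claim URI was appended to the openid scope without an OIDC dialect entry, and shows why the claim then never appears in the id_token and what the fix changes. All table contents are constructed sample configuration.

```python
"""Model of how a local claim reaches an id_token in WSO2 IS: the service
provider's requested claims, the http://wso2.org/oidc/claim dialect mapping,
and the scope-to-claim list. Reproduces the question's symptom and the fix.

Added example, not code from the original answers or from WSO2 IS. All
tables below are constructed sample configuration."""

LOCAL = "http://wso2.org/claims/"
FG_CLAIM = LOCAL + "fg_imprenditore"

# OIDC dialect: external claim name -> mapped local claim (the entries on the
# http://wso2.org/oidc/claim list page). Nothing maps fg_imprenditore yet.
OIDC_DIALECT = {
    "email": LOCAL + "emailaddress",
    "given_name": LOCAL + "givenname",
    "family_name": LOCAL + "lastname",
    "street_address": LOCAL + "streetaddress",
}

# Scope -> OIDC claim names released with it (the "openid" property under
# /_system/config/oidc). The question appended the local claim URI here, which
# is not an OIDC claim name and therefore never matches anything.
SCOPE_CLAIMS = {
    "openid": ["sub", "email", "given_name", "family_name", "street_address", FG_CLAIM],
}

# Constructed user profile and service provider claim configuration.
SAMPLE_PROFILE = {
    "username": "mrossi",
    LOCAL + "emailaddress": "m.rossi@example.test",
    FG_CLAIM: "true",
}
SAMPLE_REQUESTED = [LOCAL + "emailaddress", FG_CLAIM]


def missing_oidc_mappings(requested_local_claims, oidc_dialect=OIDC_DIALECT):
    """Requested local claims that no external claim in the OIDC dialect maps to."""
    mapped = set(oidc_dialect.values())
    return [c for c in requested_local_claims if c not in mapped]


def id_token_claims(requested_local_claims, user_profile, scopes,
                    oidc_dialect=OIDC_DIALECT, scope_claims=SCOPE_CLAIMS):
    """Claims that end up in the id_token: requested by the SP, mapped in the
    OIDC dialect, released by a requested scope, and present in the profile."""
    local_to_oidc = {local: ext for ext, local in oidc_dialect.items()}
    released = {name for s in scopes for name in scope_claims.get(s, [])}
    token = {"sub": user_profile["username"]}
    for local_claim in requested_local_claims:
        ext = local_to_oidc.get(local_claim)
        if ext is None or ext not in released:
            continue
        value = user_profile.get(local_claim)
        if value is not None:
            token[ext] = value
    return token


def fixed_configuration():
    """The two changes the answers describe: an external claim fg_imprenditore
    mapped to the local claim, and that external name (not the local URI)
    listed under the openid scope."""
    dialect = dict(OIDC_DIALECT, fg_imprenditore=FG_CLAIM)
    openid = [c for c in SCOPE_CLAIMS["openid"] if c != FG_CLAIM] + ["fg_imprenditore"]
    return dialect, {"openid": openid}


if __name__ == "__main__":
    print("before:", id_token_claims(SAMPLE_REQUESTED, SAMPLE_PROFILE, ["openid"]))
    dialect, scopes = fixed_configuration()
    print("after :", id_token_claims(SAMPLE_REQUESTED, SAMPLE_PROFILE, ["openid"], dialect, scopes))
```

The unmapped claim is dropped silently rather than rejected, so an id_token that merely lacks a claim is the only symptom; missing_oidc_mappings is the check to run on a service provider's requested claims before debugging the scope configuration.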