A recent trend in applications is that users register with a username, even if it's not "unique" by also using a discriminator value: Limnic#4391 for example.
Popular services such as Discord, Rocket League, Battle.net, ... use this. I'm wondering if it's possible to achieve this type of username system in WSO2. All I can find out of the box is to use emails.
To log in to these services, you do indeed use an email, but your shown username is the name with the discriminator. Could this be just email authentication and then claims which contain the discriminator and username?
OOB WSO2 IS does not support this kind a feature, however you can write a customisation to add discrimination value to the username. However, usernames should be unique in the system. So you have to save the username value as it is with the discrimination value. And whenever you get the username value, you have to remove the discrimination value depends on your need.
As you mentioned, other option is to use a different claim to store the user name and discrimination value separately and authenticate using another unique value. (Such as email)
Related
The important attributes for the User Table are:
unique id (uuid): to identify the user (and to be referenced later with other datasets for identity)
social media id: FB, Google, Apple
email id
mobile no
User can login using either social media or mobile no or email. For this 3 cases, the searching needs to be done in the DynamoDB table for its existence.
So, what would be the ideal designing of this User table (with respect to keys) to ensure the performance as well as the purpose?
For better understanding of the Use Case:
Use Case:
User can register with Social Media (any of the FB or Google or Apple) along with mandatory detail like mobile and email
User can login using Social Media (any of the FB or Google or Apple) or Mobile No or Email ID (using OTP)
The Data volume will be on the higher side.
So, all this attributes to be stored alongside with the right design of the Primary Key to fetch information correctly during login.
I don't know if I fully understand your use case, but I'd probably build it like this:
PK
GSI1PK
UUID#<uuid1>
GOOGLE#<google-id1>
UUID#<uuid2>
MOBILE#<number1>
UUID#<uuid3>
FACEBOOK#<facebook-id1>
The table has PK as it's partition key and GSI1PK as the partition key of a Global Secondary Index (GSI1).
If you want to check if there is a Google-User with a specific ID, you run a Query against GSI1 with GSI1PK=GOOGLE#<your-id>. You can use the prefix for different identity sources.
Any queries against your own UUID can be executed against the Base Table.
You can also essentially flip the attributes, but this way it's easier to transition a user from one identity provider to another.
In Amazon Cognito's User Guide, in the page “Configuring User Pool Attributes”, there is this paragraph (with added emphasis):
“If your application does not require a username, you do not need to ask users to provide one. Your app can create a unique username for users in the background. This is useful if, for example, you want users to register and sign in with an email address and password.”
I want to do precisely what the paragraph says: while users sign up, create in the background a custom user ID for them myself, because I need these IDs to follow a specific semantic format, that embeds tenant context into the IDs (something like “T01234#U01234567“, meaning “user U01234567 inside of tenant T01234”).
The users won't know of their custom ID, they will feel as they've signed up (and later signed in) with their emails (or through 3rd parties like Facebook and Google, if possible in this set up). But in the background I will create these custom IDs and store them in their username attribute in the User Pool.
The reason I want to store these iDs specifically in the username attribute is because it is un-mutable and unique, but most important because I will need to query Cognito's APIs (ListUsers, AdminListGroupsForUser, etc.) using these custom IDs as filter, to give my customers some user management capabilities. The username attribute is the parameter for these APIs. Therefore, I cannot use User Pool custom attributes here, since they are not accepted as parameters of these APIs.
The reason I post this Question is because, while the documentation recommends this as a possible setting, there is no specific information on how to set the user pools and sign up flow to support this specific use case.
What is the general settings layout of this? To start with, in the option “How do you want your end users to sign-up and sign-in?”, what do I have to put there in the scenario I described? If anyone can give any additional pertinent information, it would be very helpful, as the documentation feels somewhat opaque.
Thank you very much for those who've read this.
You probably will need to deal this in your frontend.
When your user start the sign-up process, you will need to generate the username based on your requirements and send the request to Cognito User Pool using that generated username + e-mail.
For Cognito User Pools this will be transparent because in the request it will receive the username, the password and the user e-mail. Off course you will need to allow login with e-mail and password.
If you don't want to do this in the frontend you can create a backend with public access that accepts a unauthenticated requests and performs this task directly in Cognito User Pool.
Currently I am using database accounts as my authentication schema and as a result anyone with a valid database account may login. I would like this to be more restrictive. All my users have a prefix in their user account names which specifies the group they belong to. An example would be dev_john, qa_cindy, etc. I would only like a specific group with a certain prefix in their username to be able to login. Database accounts seems to just allow all. I see there is a custom auth, but I am unsure how to get databse users from here.
I think the problem with this would be how to check the Oracle users' passwords from within your custom authentication function. Hopefully there is no way you can find out their passwords to check them, so how can you establish they typed the correct password? Maybe there is a way, I don't know.
However, perhaps more appropriate for this rule would be an authorization scheme. The user can log in, but if their username fails your authorization scheme test, they can't access the application. The test would be a PL/SQL expression like:
:APP_USER like 'QA%' or :APP_USER like 'TEST%'
When user DEV_JOHN logs in, the log in succeeds but all they get is a page saying e.g.
Only QA and TEST users are allowed to access this system.
Our website is using DocCheck, an external authentication provider, to authenticate and identify contacts. We use the DocCheck ID, which comes as the request parameter "uniquekey", as contact identifier, so that the contact, when logging in on another device, can be re-identified. These users are then authenticated in Sitecore via a virtual user.
Tracker.Current.CurrentPage.Session.Identify(Page.Request.QueryString["uniquekey"]);
In addition to that, we're planning an own user management with registration, login etc. The users will be logged in via email address and password. The email address should now be used as another identifier to identify the contacts loggin in with these credentials.
The users should then be able to use both DocCheck and our own login for different parts of our website, so that we have DocCheck contacts and our own users.
Is it possible to combine these two identifiers to identify as one contact?
Thank you and kind regards
Torsten
At the moment you can only use a single value to identify a user within xDB. This is potentially going to change in the future however for now you can only use one.
xDB is just a mongo database so how about persisting an additional collection that contains the relationship between identifiers. An example would be:
CustomContact
- _id: the xDB identifier
- alternativeIdentifiers: [docCheckId, formsAuthId, etc] - if this is indexed the lookup will be quick
Then when you come to identify the user you lookup in your custom collection your identifier, find the actual xDB id and then identify with that.
To find the item in the array look at elemMatch or in:
https://docs.mongodb.org/manual/reference/operator/projection/elemMatch/
and some examples on
https://stackoverflow.com/a/18149149/1065332
I set django default user authentication to use an email address instead of a user name.
My worry is about the possible future effects. If the user changes his email will the primary keys need to be changed as I assume the primary key for a user is now an email. What are the basic consequences of this.
The users will also have their own space on the website, hence the urls will need to have some kind of username/unique identification ,I do not foresee an issue here as but if you do please advise.
My main concern being updates of email causing bugs in the database and application.
I know the topic is broad but what would the consequence be here or are there none.
Thank you.
The username is unique, but it is not the primary key. Django creates a primary key id by default. See the docs on automatic primary key fields for more information.
So you should be able to change your username or email without causing problems with primary keys.
However, if you include the username or email address in the url, then these would of course change if the user changes their details.