I'm trying to implement OTA (one time access) using WSO2 (IS 5.7.0, AM 2.5.0, EI 6.4.0), and I need to find a way to generate user access token.
I have tried:
using admin service for password recovery. Disadvantage is email template is bound to password reset, but OTA is not a password reset scenario, so using password recovery email template will be spoiled.
find admin service that generate user access token, but nothing was found
find WSO2 extension\plugin, but nothing corresponding was found
using OTP, but met an error like this: https://github.com/wso2/product-is/issues/1860
Even admins are not allowed to generate tokens for a user without their consent.
For one-time password, this should work.
https://docs.wso2.com/display/IS570/Configuring+Email+OTP
You can write a custom grant handler, to authenticate user, not via password, but using something he has unique(mobile no, email, etc) as per your requirement and generates an access token from that grant.
You can easily do a token call to WSO2 Identity Server through your custom grant and get the access token.
You can check out for more details in [1]
[1] https://docs.wso2.com/display/IS570/Writing+a+Custom+OAuth+2.0+Grant+Type
Related
I am using AWS Cognito for the user management. I want to achieve a feature called "login as". Basically, the admin can use this feature to login as a specific user. The APIs I designed require idTokens for the authentication. So if I am able to get the idToken of a user, then I am able to login as the user.
Therefore, the question is "is there a way or Cognito API to get the idToken of a specific user without user's password?".
No this isn't possible and there is a very good reason for it. It ensures that the admin cannot simply log in as user and make changes under his name. Only the user is allowed to use his account. If that wasn't the case you would not have data integrity or non-repudiation
I am trying to use AWS Cognito user pools with Cognito federation as auth for my APIs on api-gateway. I got the authentication & authorization part (using roles) to work, but now stuck on how to revoke access. After login & getting the federated identity, I deleted the identity from identity browser (console) & deleted the user from cognito user pool. But that does not invalidate access using the earlier generated tokens, till they expire (which is a minimum of 1 hour).
I also tried setting ServerSideTokenCheck to true, but that doesn't work either. The only way to "revoke" access seems to be this. But this does not work for us as our use case assigns roles to a group. I cannot have groups of users lose access to revoke/deny access to one user.
Is there anything I have missed to get this done? I cannot fathom an auth service which does not give me easy way to revoke access to user.
This is a common case with stateless JWT tokens issued with Cognito for authentication.
Once a user got hold of a token which valid for 1 hour, the token itself acts as the proof for authentication. The token is signed and issued by AWS and for validation it only requires to do a signature verification using a publickey.
The approach you can handle this is at the authorization layer in your application where you can check either the user is active/deactive in your database after the user successfully authenticates. You can further delete the user from Cognito where he is not able to login back again.
I see what you are saying and as the other answer explained when the token is issued, the user can use the token until its expiry date. A solution to your problem can be handled two ways:
Cognito way: For this, you make two calls to Cognito, first if the user is enabled, second if so, authenticate its token.
DB way: You have a DB, which act as a "black list" holder, so when you want to disbale the user, the app, adds the username of the user to the DB. Therefore, when the user wants to authenticate, you first check with the DB (if the user is enabled), then check its cookie for authentication/authorization.
Note: If your user base is small, you could go the Cognito way, however there is a limit to Cognito calls, if you have a large user base; you should consider the second approach.
The use case occurs once user is authenticated and obtain an oAuth2 access token from Wso2 API Manager and we want to obtain username again from this access token.
To obtain access token I've followed normal steps published on: [API Manager] (http://docs.wso2.org/display/AM160/Token+API#TokenAPI-GeneratingaccesstokenswithusercredentialspasswordgranttypeGenerating)
Does WSO2 AM provide any REST method to solve it?
Yes.. There would be two ways that you can obtain user name
APIM would return the user name with the Access token. Here user name would be embedded with the access token. You can find more details from here
You can obtain the user name and user's attribute during access token verification process. Once access token is verified successfully, It would return back with JWT token which contains user's attributes. Then you can extract use name from JWT. You find more details on here. Basically inside the APIM, you can extract JWT token in transport header. But, if you want to retrieve the JWT token for the use of your application, you can send the access token to "OAuth2TokenValidationService" service and validate it and then it return back with JWT. (But "OAuth2TokenValidationService" is a web service.). You can use web service client to invoke this service (such as SOAPUI)
We are connecting to facebook via the api secret key etc… but when ever a fb user changes their password the tool disconnect… How can we stop this from happening
This is expected behavior. When a user changes their password, all access tokens are revoked for all applications that the user has installed.
There is nothing you can do to prevent a user from changing their password. What you will be able to do is detect an invalid token when the user arrives and re-authenticate them to generate a new token.
Given a user's name and password, is there a way to check if the name is a valid user account on the system and if the supplied password matches the password for that user's account?
Edit: The need for this arises from the way authentication is structured in this application. The app uses the local accounts on the system to allow the users to remotely access files and stuff. My app needs a way of authenticating those users to provide them with access to its services.
You should be able to use the LogonUser() API for this purpose... If the call fails, then either the username or password are bogus.