create user with extended claim with scim2 in wso2 - wso2

I am trying to create a user with scim2 API in wso2 with my own extended claim
my API request
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "name": {
    "familyName": "jackson",
    "givenName": "kim"
  },
  "userName": "test3",
  "password": "abc123",
  "demoRole": "student",
  "emails": [
    {
      "primary": true,
      "value": "kim.jackson@gmail.com",
      "type": "home"
    },
    {
      "value": "kim_j@wso2.com",
      "type": "work"
    }
  ],
  "roles": [
    {
      "value": "PRIMARY/manager"
    }
  ]
}
and the configuration in scim2-schema-extension.config.xml is
{
  "attributeURI": "urn:ietf:params:scim:schemas:core:2.0:User:demoRole",
  "attributeName": "demoRole",
  "dataType": "string",
  "multiValued": "false",
  "description": "The displayName of the User's manager.",
  "required": "false",
  "caseExact": "false",
  "mutability": "readwrite",
  "returned": "default",
  "uniqueness": "none",
  "subAttributes": "null",
  "canonicalValues": [],
  "referenceTypes": ["external"]
},
my claim configuration is
Claim URI -> urn:ietf:params:scim:schemas:core:2.0:User:demoRole
Mapped Local Claim -> http://wso2.org/claims/demoRole

The attribute URI for your schema extension should be
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:demoRole
So, the external claim URI for urn:ietf:params:scim:schemas:extension:enterprise:2.0:User will be
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:demoRole
The SCIM2 create user request should contain the demoRole as
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"demoRole": "student"}
For more details on the schema extension representation, refer to the specification.
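The nesting the answer describes, as an added example (not code from the question, the answer or WSO2): a builder that places custom attributes under the enterprise extension URI and declares that URI in "schemas", plus a check that flags the question's mistake of putting demoRole at top level, where the core User schema does not define it and the server drops it. CORE_ATTRIBUTES is a constructed subset of the RFC 7643 core attributes.

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed subset of the attributes the core User schema defines at top level.
CORE_ATTRIBUTES = {"schemas", "id", "externalId", "meta", "userName", "name", "displayName",
                   "password", "emails", "roles", "active", "groups"}


def build_create_user(user_name, password, extension_attrs, extension_uri=ENTERPRISE_USER):
    """Build a SCIM2 create-user payload with custom attributes nested under the extension URI."""
    return {
        "schemas": [CORE_USER, extension_uri],
        "userName": user_name,
        "password": password,
        extension_uri: dict(extension_attrs),
    }


def misplaced_attributes(payload, core_attributes=CORE_ATTRIBUTES):
    """Return top-level keys that are neither core attributes nor extension URIs.

    These are the attributes a SCIM2 server will ignore (the question's "demoRole").
    """
    return sorted(k for k in payload if k not in core_attributes and not k.startswith("urn:"))


def undeclared_extensions(payload):
    """Return extension URIs used as keys but missing from the 'schemas' list."""
    declared = set(payload.get("schemas", []))
    return sorted(k for k in payload if k.startswith("urn:") and k not in declared)
```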

Related

WSO2 SCIM 2 API to get all users by tenant not returning any user

I am using WSO2 Identity Server 5.7.0, and I am calling the API https://[url]:[port]/t/tenantName/scim2/Users with GET. The response received is the following, with HTTP status 200:
{"totalResults":0,"startIndex":1,"itemsPerPage":0,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"]}
However, the user is not being returned, the tenant has its own admin user only. The expected response (working fine on another environment) is:
{
  "totalResults": 1,
  "startIndex": 1,
  "itemsPerPage": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "Resources": [
    {
      "emails": [
        "user1@gmail.com"
      ],
      "meta": {
        "created": "2023-01-05T13:01:12Z",
        "lastModified": "2023-01-05T13:01:12Z"
      },
      "roles": [
        {
          "type": "default",
          "value": "Internal/subscriber,Internal/creator,Internal/publisher,Internal/everyone,admin"
        }
      ],
      "name": {
        "givenName": "user1",
        "familyName": "user1"
      },
      "id": "2e86d8e6-7db8-4600-a8bc-f3h1d54d8h6a",
      "userName": "user1"
    }
  ]
}
How can I fix this? Is there any configuration that should be changed to return all users?
Note: SCIM is enabled in user-mgt.xml file
Recreating a new tenant after enabling the SCIM solved the issue, but the issue remains for the tenant that was created prior to enabling the SCIM.

Callback url value in email for verifying account

This is an extension of the "Unable to validate account confirmation in WSO2 version 6.0" issue.
I have the same regex pattern in my self-registration section. But when I'm creating users using the REST API, the link which I get in the email is
https://localhost:9443/accountrecoveryendpoint/confirmregistration.do?confirmation=ce790759-1086-4870-a673-35b5927351d8&userstoredomain=PRIMARY&username=samyu&tenantdomain=carbon.super&callback={{callback}}
and when I created the user manually, the link which I got is
https://localhost:9443/accountrecoveryendpoint/confirmregistration.do?confirmation=dff024e7-d7e7-48ef-bb60-1c1c4d6f3b1c&userstoredomain=PRIMARY&username=sam&tenantdomain=carbon.super&callback=https%3A%2F%2Flocalhost%3A9443%2Fmyaccount.
So, the difference between these two links is the callback. What configuration should I make in order to get the callback value?
When you are trying this from the recovery portal, the callback value is set automatically. If you are trying with the REST API you need to include that in the request. The following is a sample JSON payload.
{
  "user": {
    "username": "kim",
    "realm": "PRIMARY",
    "password": "Password12!",
    "claims": [
      {
        "uri": "http://wso2.org/claims/givenname",
        "value": "kim"
      },
      {
        "uri": "http://wso2.org/claims/emailaddress",
        "value": "kimAndie@gmail.com"
      },
      {
        "uri": "http://wso2.org/claims/lastname",
        "value": "Anderson"
      },
      {
        "uri": "http://wso2.org/claims/mobile",
        "value": "+947729465558"
      }
    ]
  },
  "properties": [
    {
      "key": "callback",
      "value": "https://localhost:9443/myaccount"
    }
  ]
}
Notice how you need to send the callback when using the REST API.
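As an added example (not code from the answer or from WSO2), a builder for the self-registration payload that carries the callback as a "properties" entry, and a check that the callback is an absolute https URL matching an allowlist pattern before it is sent, so an unverified value never ends up in the confirmation link. CALLBACK_REGEX is a constructed stand-in for the regex configured in the self-registration section.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the callback regex configured under self-registration.
CALLBACK_REGEX = re.compile(r"^https://localhost:9443/myaccount(/.*)?$")


def validate_callback(callback, pattern=CALLBACK_REGEX):
    """Return True only for an absolute https URL that matches the allowed pattern."""
    parts = urlsplit(callback)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return pattern.fullmatch(callback) is not None


def build_self_register(username, password, claims, callback, realm="PRIMARY"):
    """Build the WSO2 self-registration payload; 'claims' maps claim URIs to values."""
    if not validate_callback(callback):
        raise ValueError(f"callback not allowed: {callback}")
    return {
        "user": {
            "username": username,
            "realm": realm,
            "password": password,
            "claims": [{"uri": uri, "value": value} for uri, value in claims.items()],
        },
        # The callback travels as a property, not as a claim.
        "properties": [{"key": "callback", "value": callback}],
    }
```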

AWS API Gateway (REST) - Request Validation passes even when there is unknown property

I have an API gateway with the following schema:
{
  "swagger": "2.0",
  "info": {
    "description": "This is a sample server Petstore server. You can find out more about Swagger at [http://swagger.io](http://swagger.io) or on [irc.freenode.net, #swagger](http://swagger.io/irc/). For this sample, you can use the api key `special-key` to test the authorization filters.",
    "version": "1.0.0",
    "title": "Swagger Petstore",
    "termsOfService": "http://swagger.io/terms/",
    "contact": {
      "email": "apiteam@swagger.io"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
    }
  },
  "paths": {
    "/pet": {
      "post": {
        "summary": "Add a new pet to the store",
        "description": "",
        "operationId": "addPet",
        "consumes": [
          "application/json",
          "application/xml"
        ],
        "produces": [
          "application/xml",
          "application/json"
        ],
        "parameters": [
          {
            "in": "body",
            "name": "body",
            "description": "Pet object that needs to be added to the store",
            "required": true,
            "schema": {
              "$ref": "#/definitions/Pet"
            }
          }
        ],
        "responses": {
          "405": {
            "description": "Invalid input"
          }
        }
      }
    }
  },
  "definitions": {
    "Pet": {
      "required": ["id", "name"],
      "type": "object",
      "properties": {
        "id": {
          "type": "integer",
          "description": "Id of the pet",
          "example": 123
        },
        "name": {
          "type": "string",
          "description": "Name of the pet",
          "example": "Jammy"
        },
        "nickname": {
          "type": "string",
          "description": "Nickname of the pet",
          "example": "Jam"
        }
      }
    }
  }
}
When I send a request body with fields which are not present in the schema, I don't get a 400 response from API Gateway. I have applied the configuration to validate the body, headers and query string.
Is this an open issue in API gateway? Or am I missing something?
So with Swagger v2 and OpenAPI v3 specs the default behavior is to accept all additional properties that your spec does not define. If you include the required pet id and name and additional unused properties like foo and bar, your post should succeed.
If you want more strict validation that fails when additional properties are sent, then set additionalProperties to false in your pet schema, or do that and change the spec version to 3.x.x.
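To make the answer concrete, an added example (not the answer's or AWS's code): a small validator that reproduces the default permissive behaviour for the question's Pet definition, and a hardening step that sets additionalProperties to false on every object definition so an unknown field is rejected. The validator covers only required, basic types and additionalProperties, not the full JSON Schema draft API Gateway evaluates; PET_SPEC is a constructed fragment of the question's spec.

```python
import copy

TYPE_CHECKS = {
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
}


def validate_object(schema, body):
    """Return validation errors for a JSON object against a Swagger 2.0 object schema.

    Like API Gateway, unknown properties are accepted unless the schema
    explicitly sets additionalProperties to false.
    """
    if not isinstance(body, dict):
        return ["body is not an object"]
    errors = []
    props = schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in body:
            errors.append(f"missing required property '{name}'")
    for name, value in body.items():
        if name in props:
            expected = props[name].get("type")
            if expected in TYPE_CHECKS and not TYPE_CHECKS[expected](value):
                errors.append(f"property '{name}' is not of type {expected}")
        elif schema.get("additionalProperties", True) is False:
            errors.append(f"unknown property '{name}'")
    return errors


def harden_definitions(spec):
    """Return a copy of the spec with additionalProperties: false on every object definition."""
    hardened = copy.deepcopy(spec)
    for definition in hardened.get("definitions", {}).values():
        if definition.get("type") == "object":
            definition.setdefault("additionalProperties", False)
    return hardened


# Constructed fragment mirroring the question's Pet definition.
PET_SPEC = {"definitions": {"Pet": {
    "required": ["id", "name"], "type": "object",
    "properties": {"id": {"type": "integer"}, "name": {"type": "string"}, "nickname": {"type": "string"}},
}}}
```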

List users as non admin with custom fields

As per the documentation, I should be able to get a list of users with a custom schema as long as the field in the schema has a value of ALL_DOMAIN_USERS in the readAccessType property. That is the exact setup I have in the admin console; moreover, when I perform a GET request to the schema endpoint for the schema in question, I get confirmation that the schema fields are set to ALL_DOMAIN_USERS in the readAccessType property.
The problem is that when I perform a users list request, I don't get the custom schema in the response. The request is the following:
GET /admin/directory/v1/users?customer=my_customer&projection=full&query=franc&viewType=domain_public HTTP/1.1
Host: www.googleapis.com
Content-length: 0
Authorization: Bearer fakeTokena0AfH6SMD6jF2DwJbgiDZ
The response I get back is the following:
{
  "nextPageToken": "tokenData",
  "kind": "admin#directory#users",
  "etag": "etagData",
  "users": [
    {
      "externalIds": [
        {
          "type": "organization",
          "value": "value"
        }
      ],
      "organizations": [
        {
          "department": "department",
          "customType": "",
          "name": "Name",
          "title": "Title"
        }
      ],
      "kind": "admin#directory#user",
      "name": {
        "fullName": "Full Name",
        "givenName": "Full",
        "familyName": "Name"
      },
      "phones": [
        {
          "type": "work",
          "value": "(999)999-9999"
        }
      ],
      "thumbnailPhotoUrl": "https://photolinkurl",
      "primaryEmail": "user@domain.com",
      "relations": [
        {
          "type": "manager",
          "value": "user@domain.com"
        }
      ],
      "emails": [
        {
          "primary": true,
          "address": "user@domain.com"
        }
      ],
      "etag": "etagData",
      "thumbnailPhotoEtag": "photoEtagData",
      "id": "xxxxxxxxxxxxxxxxxx",
      "addresses": [
        {
          "locality": "Locality",
          "region": "XX",
          "formatted": "999 Some St Some State 99999",
          "primary": true,
          "streetAddress": "999 Some St",
          "postalCode": "99999",
          "type": "work"
        }
      ]
    }
  ]
}
However, if I perform the same request with a super admin user, I get an extra property in the response:
"customSchemas": {
  "Dir": {
    "fieldOne": false,
    "fieldTwo": "value",
    "fieldThree": value
  }
}
My understanding is that I should get the custom schema with a non-admin user as long as the custom schema fields are set to be visible by all domain users. This is not happening. I opened a support ticket with G Suite, but the guy that provided "support" sent me in this direction. I believe this is a bug, or maybe I overlooked something.
I contacted G Suite support and in fact, this issue is a domain specific problem.
It took several weeks for the issue to be addressed by the support engineers at Google but it was finally resolved. The behaviour is the intended one now.

Google People API detect merged contacts with syncToken - previousResourceNames not included

I am using the People API to allow users to create entities in my system from their Google contacts, and am storing the resourceName (i.e. 'people/c7760106965272617307') to keep track of the Google contact the entity was created from.
I want to be able to periodically update the entities to match what is in Google, i.e. if the contact updates the phone number, the entity gets the updated phone number. So I am calling the list API passing the sync token to get the contacts that have changed since the last call. This works for updates, edits and deletes, but I can't find a way to detect when two contacts have been merged in Google Contacts.
The docs state (https://developers.google.com/people/api/rest/v1/people#Person.PersonMetadata):
previousResourceNames[]: Any former resource names this person has had. Populated only for connections.list requests that include a sync token.
So if I:
- Call the list API requesting a sync token
- Create Contact A and Contact B
- Call the list API passing the sync token, then I get just the two created contacts and a new sync token:
{
  "resourceName": "people/c1465347538402693914",
  "etag": "%EgcBAj0JPjcuGgQBAgUHIgxab0lZTFBvUU43bz0=",
  "metadata": {
    "sources": [
      {
        "type": "CONTACT",
        "id": "1455f5d28afc531a",
        "etag": "#ZoIYLPoQN7o=",
        "updateTime": "2020-02-26T15:35:34.021Z"
      }
    ],
    "objectType": "PERSON"
  },
  "names": [
    {
      "metadata": {
        "primary": true,
        "source": {
          "type": "CONTACT",
          "id": "1455f5d28afc531a"
        }
      },
      "displayName": "Contact A",
      "familyName": "A",
      "givenName": "Contact",
      "displayNameLastFirst": "A, Contact"
    }
  ]
},
{
  "resourceName": "people/c4555919836853785218",
  "etag": "%EgcBAj0JPjcuGgQBAgUHIgx2WmJHUUtjNTcxQT0=",
  "metadata": {
    "sources": [
      {
        "type": "CONTACT",
        "id": "3f39e0f40cd35282",
        "etag": "#vZbGQKc571A=",
        "updateTime": "2020-02-26T15:35:44.056Z"
      }
    ],
    "objectType": "PERSON"
  },
  "names": [
    {
      "metadata": {
        "primary": true,
        "source": {
          "type": "CONTACT",
          "id": "3f39e0f40cd35282"
        }
      },
      "displayName": "Contact B",
      "familyName": "B",
      "givenName": "Contact",
      "displayNameLastFirst": "B, Contact"
    }
  ]
}
If I then merge the two contacts and call the API again passing the new sync token, I get:
{
  "resourceName": "people/c4555919836853785218",
  "etag": "%EgcBAj0JPjcuGgQBAgUHIgxqNlFVYnIwaU9vVT0=",
  "metadata": {
    "sources": [
      {
        "type": "CONTACT",
        "id": "3f39e0f40cd35282"
      }
    ],
    "deleted": true,
    "objectType": "PERSON"
  }
}
So, TL;DR: I can find out that one of the contacts was deleted, but not that it was merged into another contact.
It seems like the previousResourceNames[] field would do exactly what I want, but I can't seem to make it appear in the returned data, either in the "Try this API" function on the docs
https://developers.google.com/people/api/rest/v1/people.connections/list
or using the Node.js code below:
const {google} = require('googleapis'); // added: the client library the snippet uses
// authClient is an already authorized OAuth2 client; this runs inside an async function
const service = google.people({version: 'v1', auth: authClient});
const result = await service.people.connections.list({
  resourceName: 'people/me',
  personFields: 'names,emailAddresses,phoneNumbers,metadata',
  //requestSyncToken: true
  syncToken: "insert token here"
});
console.info("Google Returned", JSON.stringify(result.data, null, 4));
I wonder if I need to grant extra scopes, or something else in the requested person fields.
Scopes Requested:
'https://www.googleapis.com/auth/contacts',
'https://www.googleapis.com/auth/userinfo.email',
'https://www.googleapis.com/auth/userinfo.profile'