We are using WSO2 for authentication (SAML/SSO).
I don't know how to tell if a user is already logged in (in order to prevent concurrent logins). Other SO questions have indicated this is possible to know both with WSO2 IS Analytics and without. I would prefer to not have to run WSO2 IS Analytics as well (this is alluded to here, but never clarified. Further, I can see the IDN_AUTH_SESSION_STORE table being populated and referred to during login, but that is using SESSION_ID (which is passed by the commonAuth cookie).
So I'm looking for a direct answer to this question: during the Auth flow, how can we tell if the given user is already logged in?
Without using the analytics, querying logged in user sessions by a user is not supported out of the box in WSO2 Identity Server. Let me explain why.
When a user authenticates with the WSO2 Identity Server, a session is created. These sessions are stored as session context objects, against the commonAuthId cookie in WSO2 implementation. Information about the logged in user is inside these session objects. Therefore if we want to get the session for a particular user, we have to query all active sessions and go through all of them one by one matching the user.
As an alternative, you can write a custom data publisher module which persists session data against each user and then you can use these data to prevent concurrent logins. I have a blog post written for this exact use case.
Hope this helps.
Related
I am using the camunda spring-boot-starter and running the embedded camunda engine.
For Authentication, we are using a JWT token and the user information exists in an outside database. From Camunda docs, what I understood is that, for Camunda Authorization like assigning A User Task to a user, will totally depend on the Camunda Database.
How should I use an outside user authenticated with an external system, for the Authorization purpose in the Camunda? Should I create a copy of the authenticated user in the Camunda Database?
As part of the authentication you can also tell Camunda which groups/roles the user belongs to. For instance as shown in this generic simple Spring Security example: https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso
specifically: https://github.com/camunda-consulting/code/blob/4a609b375c6564838e85a1bde7d70e5a9951ab64/snippets/springboot-security-sso/src/main/java/com/camunda/demo/filter/webapp/SpringSecurityAuthenticationProvider.java#L35
Another mechanism uses a custom identity provider (read-only or writable) as explained here: https://docs.camunda.org/manual/latest/user-guide/process-engine/identity-service/#custom-whitelist-for-user-group-and-tenant-ids
It is correct that the default implementation is the database identity service, which uses the engine database for managing users and groups.
However, this is only the case if no alternative identity service implementation is provided. Camunda also provides an LDAP identity service for an LDAP-based user/group repository and you can of course implement your own.
Once you have an authenticated user and user group information for the user, the detailed functional permissions are linked to these groups as shown here: https://docs.camunda.org/manual/latest/webapps/admin/authorization-management/
You don't have to manage users in Camunda and or to sync with another system. If user's authorizations (groups, roles) should be fetched from another system, then use the SPI mentioned above. Either way you don't need to create the users in the Camunda DB. When a request comes in you may set the user and its roles on the IdentityService. In your subsequent API usage the user id and the authorization will be considered (if auth is enabled). If authorizations are disabled, then you only need the user id, not the groups/roles. If you want to provide neither and handle everything in your custom code, then you can just complete task without the user's Id (but won't have the user info in the audit information).
I'm writing a web application with Django framework. This web application is API based and I'm using Django rest_framework. I have a security issue: On the first page, the user must solve a Recaptcha. After solving the Recaptcha my site gives a session ID to the user and after this, the user must post this session ID in the body of all his/her API calls and every API can be called just once with a specific session ID. In other words, I have a state machine for the APIs being called by the user and in each state, the user can call the APIs which have corresponding outgoing edges from that state.
The purpose of all of the above procedures is preventing the user from crawling my website. (User can't call an API many times with a session ID and he/she should act as a normal user and call every API at most two or three times)
Now my question is that how should I handle this in my Django app? Before this, I just used the ordinary Django session middleware for handling sessions. Now should I handle the authentication process and passing and getting session ID completely in a manual way or is there a way in which I can use that middleware that it can be able to handle my procedure.
You can do this with simply with saving your user's state and in each step update your user's state and consider the next states which user can see.
Use custom permission classes for your APIViews to block such request.
Read more here https://www.django-rest-framework.org/api-guide/permissions/#custom-permissions
It's possible to use facebook info, and get some information in the local database in the userinhfo api?
Let'me explain, I get name and mail from facebook claim, and I want the userinfo api returns that information, and local information in the local user store.
Becouse I have the user facebook email provisioned in the secondary user store, if the user is in the PRIMARY user store, userinfo works perfectly, there are some way to work with secondary user store. And my secondary user store is a custom implementation of jdbc user store.
Thanks
This is possible to do. What you can do is authenticate the user using wso2 IS. Since you use custom implementation, the claim mapping should be done accordingly. If the claims are not there create custom claims.
Try to use those claims to map the Facebook user information
Or you may want to use facebook SDK to get user information.
I've created a Glass app in Python. I began with the mirror quickstart for Python and have my app running fine except some users are getting multiple notifications. I only have one row per user in my Credentials table, however when I go and look at my own Authorized Access on my account I see that I have my Glass project listed 8 separate times.
Can anyone tell me how to check and see if the user has previously granted access to my app when they sign in and if so then skip creating a new token.
You can use the user's ID to prevent storing more than one credential for each user.
When you complete the OAuth flow, you'll receive an ID token along with the access and refresh tokens. If you decode this token, you'll see something like this:
{
"iss":"accounts.google.com",
"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified":"true",
"sub":"10769150350006150715113082367",
"azp":"1234987819200.apps.googleusercontent.com",
"email":"jsmith#example.com",
"aud":"1234987819200.apps.googleusercontent.com",
"iat":1353601026,
"exp":1353604926
}
The sub key is the one you're interested in. Use this value to uniquely identify your user. If you see a user authenticate with a user ID that you already know, replace the old value.
If you update your question to include the code you're using for your OAuth flow, we can provide more specific advice. Or, you can learn more about this from Google's OAuth documentation.
I want my sites users to be able to use facebook to create an account and login
I will gather additional details from the user once they have logged in (id, name, link, etc.) and create a local application database entry for the user.
For future logins, how would i handle the fact that their local db record will now exist?
How do I use the facebook login to return and be able to get the local db user details?
Yes, authenticating through other providers (openAuth is a biggy too and more generic) is getting quick common.
Here is the facebook info on how to do it with them:
http://developers.facebook.com/docs/authentication/signed_request/