For getting user info in wso2 sso, im using bellow api:
https://localhost:9443/oauth2/userinfo?schema=openid
the result is like this:
{
"sub": "mahyar.z",
"family_name": "Zarif Kar Asli",
"email": "mahyar.z#mtnirancell.ir"
}
But i expect more claims. In Service Provider -> Claim Confiquration i added some local claim dialect. In user profile list i can see these claims but in JSON result from api just some of them are appeared.
Im using AD as user store, and i added local claim that is mapped with AD user attributes. For example i added http://wso2.org/claims/custom/company claim that is mapped with company attribute in AD.
I can see user company in User Profile but it is not in JSON result, as you can see.
So how can i get all user info's?
What you should do is:
Place the claims you want to return in the dialect wso2.org/oidc/claim (Add External Claim)
Add Claims to Service Providers -> Claim Settings -> Claims Requested -> Add Claim URIs
Edit adding claims in Registry -> Browse -> Tree -> _system / identity / oidc -> Properties / openid
Related
I'm trying to config a service provider of WSO Identity Server v5.7.0 in order to export the UUID & roles of a user as part of JWT token. I've done like this but only roles are exported. UUID is not shown.
local claim:http://wso2.org/claims/userid. mandatory claim: yes
local claim:http://wso2.org/claims/role. mandatory claim: yes
Steps:
In wso2 is admin console->main tab->locate the service provider I've created.
In "claim configuration", I choose "use local claim dialect"; 3. In "Requested Claims" I Add Claim URI.
I've add "wso2.org/claims/userid" & "wso2.org/claims/role" and both of them are marked "mandatory claim"
After saving it. I use curl -u kbxx:Vyy -k -d "grant_type=password&username=youfa.mao&password=x&scope=openid" -H "Content-Type:application/x-www-form-urlencoded" xxx:yyy/oauth2/token to get the JWT token;
Only roles are in the token. The user UUID is not found
In WSO2 Identity Server password grant type issue id_token(JWT) by adhering to OIDC core specification. In order to get a user claim in JWT you should have a mapping between wso2 claims(http://wso2.org/claims) and OIDC claims ( http://wso2.org/oidc/claim ). For role claim this mapping is already there where http://wso2.org/role map to groups claim in OIDC dialect.
Please follow below steps in addition to what you did to get userid claim in id_token(JWT)
Add userid to OIDC claim dialect
Dialect URI: http://wso2.org/oidc/claim
Claim URI: userid
Mapped Local Claim: http://wso2.org/claim/userid
From management console UI "OIDC Scopes" add userid claim to openid scope.
You need to map wso2 claims to OIDC claims in order to achieve this. blog, blog section 6 with claim configuration will help you to understand how to add wso2 claim mappings.
I am not able to get custom attribute in ID_TOKEN returned from AWS Cognito after successful user login.
Steps I tried :
1.Created user pool
2.Created app client and checked the custom attribute(customattrib1,customattrib2)
User Pool screen :
Check custom attribute in app client config
3.Created user using admin-create-user api
Below image shows the value for user attributes:
4.Signed in user using aws-cognito-auth.js in client app.The ID token returned do not contain the custom attribute.
ID_TOKEN
{
"at_hash": "PKfjYDaiEty5mUOyJZlPQA",
"sub": "639d5016-2bd3-4c6f-b82d-21ae38071b09",
"email_verified": true,
"iss": "https://cognito-idp.ap-south-1.amazonaws.com/ap-south-1_XXXXXXX",
"phone_number_verified": true,
"cognito:username": "testuser",
"aud": "XYXYXYXYX",
"token_use": "id",
"auth_time": 1549349674,
"phone_number": "##########",
"exp": 1549353274,
"iat": 1549349674,
"email": "testuser#somedomain.com"
}
I have already checked links below, which had some info regarding this issue, but nothing helped so far.
Adding Cognito custom attributes post pool creation?
Cognito User Pool custom attributes do not show up in the ID token if user pool is configured with a SAML identity provider
Cognito User Pool custom attributes do not show up in the ID token if user pool is configured with a SAML identity provider
https://www.reddit.com/r/aws/comments/a07dwg/cognito_add_custom_attribute_to_jwt_token/
Please help me figure out if I am missing something..
In your Cognito user pool go to General Settings -> App Clients, then for each app client click on Show Details, then Set attribute read and write permissions. Check the checkbox next to your attribute name under Readable Attributes.
In your Cognito user pool go to App client settings -> Allowed OAuth Scopes and enable profile scope.
I had the same trouble and your question came up when I was searching for a solution.
My custom attributes started to appear in ID token when I enabled profile scope in 'App client settings'. (available at: AWS console-> 'User pools'-> click your pool -> 'App client settings' -> 'Allowed OAuth Scopes')
(BTW: I was misled by this sentence from the documentation: "The openid scope returns all user attributes in the ID token that are readable by the client". In my case openid scope was not enough.)
For me the problem was that I was getting my token (after authenticating with the Amplify js library) from:
Auth.currentSession().then(u => u.getAccessToken().getJwtToken())
Instead of:
Auth.currentSession().then(u => u.getIdToken().getJwtToken());
After changing it worked fine! Hope it helps!
For anyone coming here that is using the Amplify SDK like the OP - Copy and Paste calls out an important point that your client ALSO needs to explicitly ask for the scope.
In my case we I am using Angular. After adding "profile" to the User Pool "Allowed OAuth Scopes" - you also need to specify it in your client configuration:
So im getting the error:
The ad account is not enabled for usage in Ads API. Please add it in
developers.facebook.com/apps -> select your app -> settings ->
advanced -> advertising accounts -> Ads API. Account XXXXXXXX not
enabled for this application.
While trying to make a add/remove user from a custom audience. Here is my code:
FacebookAdsApi.init(access_token=access_token)
custom_audience = CustomAudience('123456789')
response = custom_audience.remove_users(
schema=CustomAudience.Schema.email_hash,
users=[
'example#email.com',
]
)
But when i go to the App control panel the Ad Account is already added.
What am i missing? I gave the app access to the Ad Account on the business configuration panel.
It seems that you need to also manage the AdAccounts that are going to be access by this API on:
Products > Marketing API > Configuration
This solved the issue.
In WSO2 IS admin console, we are trying to set the user claims for a service provider under 'Claim Configuration'.
We selected the Claim mapping Dialect as 'Define Custom Claim Dialect' and added Local claims as :
http://wso2.org/claims/givenname
http://wso2.org/claims/lastname
http://wso2.org/claims/emailaddress
But when we perform a curl with /oauth2/userinfo, it just gives us last name and email. But first name is not being returned.
Returned User Info:
{"sub":"abc#carbon.super","family_name":"abcFN","email":"abc#abc.com"}
Any pointers for the issue will be helpful.
There is actually an error in the mapping of the given name attribute between the oidc claim and the wso2 claim :
In the management console, go to Home > Identity > Claims > List > claim.view
Click on http://wso2.org/oidc/claim in the Available Claims Dialect list
Change the mapping for given_name to Mapped Local Claim : http://wso2.org/claims/givenname
In order to get the first name through user info endpoint,you should have an OIDC claim mapping with http://wso2.org/claims/givenname.
Could you please check whether your given_name claim under oidc dialect has a mapping with http://wso2.org/claims/givenname.
I have added a local custom claim namely http://wso2.org/claims/fg_imprenditore to http://wso2.org/claims dialect and mapped it on a custom primary user store attribute (JDBC user store).
The custom claim appears in the user profile and I can set/update the value correctly.
I have defined a new service provider and added the custom claim in Claim Configuration -> Use Local Claim Dialect.
In addition I have edited /_system/config/oidc and modified the openid property to include the new claim as follows: sub,...,street,http://wso2.org/claims/fg_imprenditore
Now the issues.
I ask a JWT Token from a javascript client with the following request:
http://**********/?response_type=id_token&client_id=" + "f8SatEWpyi1qvPLVspsDfTbefm0a" + "&scope=openid&redirect_uri=http://localhost:3000/oauth_callback.html&nonce=" + nonce
After login the WSO2is server prompts the following message (even if the attribute is already present in the profile): You are trying to login to **** application, but it needs following information filled in the user profile. You can fill those below and proceed with the authentication. But it is advised to fill these information in your Identity Provider profile in order to avoid this step every time you login.
If I fill the field (correctly) labeled "http://wso2.org/claims/fg_imprenditore" I can proceed. In any case the claim is not returned in the JWT Token.
In addition if I go in the user profile the attribute is set correctly (with the new value!) but if I try to authenticate again I need to fill the attribute again..
Many thanks for the support.
If you don't mark the claim as mandatory on your Service Provider it shouldn't request it when you try to log in. Also, in order for the jwt to contain your custom claim you need to map the custom claim to a new custom claim under the oauth dialect, and then map the new oauth claim under the oidc scope you use. It took me a while to get it too as there isn't sufficient documentation describing these steps. Hope this solves your issue.
This happens because "http://wso2.org/claims/fg_imprenditore" claim is not mapped to any oidc claims in WSO2 IS. Do the following in get rid of the issue.
Go to List under Claims in IS Management Console Main tab.
Click on http://wso2.org/oidc/claim
Add new claim with the name fg_imprenditore in oidc claim dialect. You will see a drop down to select "Mapped Local Claim". Map it to http://wso2.org/claims/fg_imprenditore. (Check "Add External Claim" section in this)
Save new oidc claim and try again.