Environment
Clustered API Manager 2.1.0 (two workers, one manager) and Identity Server 5.3.0 (two workers)
Issue
When logging into a webpage, I login as the application creator. Which causes the JWT claims to be the application creator instead of user who logged in.
Idea of issue
My idea of the problem is since the application was created by one user it uses applications client_id as authorization. Since the application is linked to the user who created the application, it logs others in as that user. So when we get the JWT claims back it has the information for the user who created the application instead of the user who logged in.
What types of things should I be looking at as a possible fix for this problem? I believe the JWT configurations can fix the problem. Which I know either api-manager.xml or identity.xml could have the answer.
How do I get the correct JWT claims back from the access token?
JWT Sample
{
"sub": "12345678",
"http://wso2.org/claims/applicationtier": "Unlimited",
"http://wso2.org/claims/client_id": "bzuM29gewg5gxazegXiNfkwsgz",
"http://wso2.org/claims/keytype": "SANDBOX",
"http://wso2.org/claims/version": "1.0.1",
"iss": "wso2.org/products/am",
"http://wso2.org/claims/applicationname": "CellPhones",
"http://wso2.org/claims/enduser": "null",
"http://wso2.org/claims/enduserTenantId": "null",
"http://ourdomain.com/claims/client_rest_of_name": "Ben",
"http://ourdomain.com/claims/client_surname": "Kenobi",
"http://wso2.org/claims/subscriber": "DOMAIN/benk",
"http://wso2.org/claims/tier": "Bronze",
"http://ourdomain.com/claims/client_claim_source": "CLIENT_SUBSCRIBER",
"http://ourdomain.com/claims/client_roles": [
"Full-Time Employee",
"Employee",
"Technology Engineer"
],
"http://wso2.org/claims/applicationid": "8",
"http://wso2.org/claims/usertype": "APPLICATION_USER", <- Client app
"exp": 1493232200,
"email": "user#gmail.com",
"http://wso2.org/claims/apicontext": "/jwt/1.0.1"
}
This was an issue with custom claims. Just had to alter code.
Related
I am trying to configure the Microsoft Azure AD B2C identity provider in my Cognito user pool.
I am using the https://www.npmjs.com/package/#aws-amplify/auth library on my front-end.
I have named the new identity provider Microsoft. I have also enabled it on my user pool. And I am passing the same (Microsoft) to the Auth.federatedSignIn method.
Now, when I try to authenticate the user with Microsoft, the user gets authenticated from the Microsoft side but the Cognito gives me the ?error_description=Invalid+ProviderName/Username+combination.+Please+check+again+&state=XmnGedOhmT99RnTlw0LypyMmqwCRbCZr&error=invalid_request error.
This seems like a configuration issue to me but I am unable to figure out what is it.
Please help.
After some time we managed to resolve this issue.
The problem was that the user is linked with ProviderAttributeValue to lower case, but in the sub claim from the OIDC provider there are capital letters, and that's where the whole confusion was coming from. If the user is linked with the original value provided from the sub claim everything works fine
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminLinkProviderForUser.html
{
"DestinationUser": {
"ProviderAttributeName": "string",
"ProviderAttributeValue": "string",
"ProviderName": "string"
},
"SourceUser": {
"ProviderAttributeName": "string",
"ProviderAttributeValue": "string" //ensure that value is same as in sub claim,
"ProviderName": "string"
},
"UserPoolId": "string"
}
I am not able to get custom attribute in ID_TOKEN returned from AWS Cognito after successful user login.
Steps I tried :
1.Created user pool
2.Created app client and checked the custom attribute(customattrib1,customattrib2)
User Pool screen :
Check custom attribute in app client config
3.Created user using admin-create-user api
Below image shows the value for user attributes:
4.Signed in user using aws-cognito-auth.js in client app.The ID token returned do not contain the custom attribute.
ID_TOKEN
{
"at_hash": "PKfjYDaiEty5mUOyJZlPQA",
"sub": "639d5016-2bd3-4c6f-b82d-21ae38071b09",
"email_verified": true,
"iss": "https://cognito-idp.ap-south-1.amazonaws.com/ap-south-1_XXXXXXX",
"phone_number_verified": true,
"cognito:username": "testuser",
"aud": "XYXYXYXYX",
"token_use": "id",
"auth_time": 1549349674,
"phone_number": "##########",
"exp": 1549353274,
"iat": 1549349674,
"email": "testuser#somedomain.com"
}
I have already checked links below, which had some info regarding this issue, but nothing helped so far.
Adding Cognito custom attributes post pool creation?
Cognito User Pool custom attributes do not show up in the ID token if user pool is configured with a SAML identity provider
Cognito User Pool custom attributes do not show up in the ID token if user pool is configured with a SAML identity provider
https://www.reddit.com/r/aws/comments/a07dwg/cognito_add_custom_attribute_to_jwt_token/
Please help me figure out if I am missing something..
In your Cognito user pool go to General Settings -> App Clients, then for each app client click on Show Details, then Set attribute read and write permissions. Check the checkbox next to your attribute name under Readable Attributes.
In your Cognito user pool go to App client settings -> Allowed OAuth Scopes and enable profile scope.
I had the same trouble and your question came up when I was searching for a solution.
My custom attributes started to appear in ID token when I enabled profile scope in 'App client settings'. (available at: AWS console-> 'User pools'-> click your pool -> 'App client settings' -> 'Allowed OAuth Scopes')
(BTW: I was misled by this sentence from the documentation: "The openid scope returns all user attributes in the ID token that are readable by the client". In my case openid scope was not enough.)
For me the problem was that I was getting my token (after authenticating with the Amplify js library) from:
Auth.currentSession().then(u => u.getAccessToken().getJwtToken())
Instead of:
Auth.currentSession().then(u => u.getIdToken().getJwtToken());
After changing it worked fine! Hope it helps!
For anyone coming here that is using the Amplify SDK like the OP - Copy and Paste calls out an important point that your client ALSO needs to explicitly ask for the scope.
In my case we I am using Angular. After adding "profile" to the User Pool "Allowed OAuth Scopes" - you also need to specify it in your client configuration:
Which configuration needs to put, to retrieve all user attributes (Claims) and associated user Roles into JWT acces_token self-contained on OAuth 2 authentication patterns ?
Please note that I am into a multi-tenant configuration, with only one Service Provider where we have configured Inbound Authentication Configuration to OAuth/OpenID Connect Configuration, with OAuth-2.0.
Action that has been realised:
1. Specify Requested Claims into Service Provider (use Local Claim Dialect), see below
Service Provider Claim Configuration
Verify if default information is present into Registry, section: /_system/config/oidc into openid property:
openid=sub,email,email_verified,name,family_name,given_name,middle_name,nickname,preferred_username,profile,picture, website,gender,birthdate,zoneinfo,locale,updated_at,phone_number,phone_number_verified,address,street_address,country,formatted,postal_code,locality,region
3.Retrieve an acces_token https://{{auth0_domain}}/oauth2/token
Each time we have only :
{
"sub": "SANDBOX-TEST.COM/usertest#sandbox-test.com",
"aud": [
"Y058MDvS1NSe_NrqSV84vDJ6JHga"
],
"azp": "V0458MDvS3NSe_NrqSE84vDJ8JHga",
"iss": "https://localhost:9443/oauth2/token",
"exp": 1519148273,
"iat": 1519144673,
"jti": "4366e42c-48b1-42c6-bf52-a084f1521851"
}
Any help/ideas is much appreciated.
I hope this is the latest IS version. I will give you few tips to troubleshoot this issue.
Make sure the user that you trying to authenticate do have values for given claims. You can do this by login in to admin portal of Identity Server and viewing the user profile of the specified user.
In "/_system/config/oidc" claims are given in OIDC dialect. Make sure you have correct mapping to local claim dialect to the respective OIDC claim in the claim configurations section.
Since this is OIDC make sure you pass the "openid" scope.
I am trying to use the QuickBooks REST API by carrying out a test API call. I am adding my own application token and consumer token, however receiving the following error:
{
"Fault": {
"Error": [
{
"Message": "message=Exception authenticating OAuth; errorCode=003200; statusCode=401",
"code": "3200"
}
],
"type": "AUTHENTICATION"
},
"requestId": "999c6895a5cf42a1aeaacc43bf600cca",
"time": "2015-06-08T19:57:10.669Z"
}
The OAuth string is in the following format: Authorization : OAuth oauth_token="************",oauth_nonce="39316429-ad1d-4aa2-9ba7-d59e380878b3",oauth_consumer_key="************",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1433794011",oauth_version="1.0",oauth_signature="KIC7BXeSXVqw6C%2Fcgcb0Dlq2R40%3D"
I am substituting the "oauth_token" and "oauth_consumer_key" values with the App Token and OAuth Consumer Key values from the QuickBooks developer section, as shown below:
From what I have looked up online, the key values are expired, but that does not seem likely as I am simply copy-pasting them from that page on QuickBooks developers section.
What am I doing wrong?
EDIT: I also tried loading values from this page, after submitting my app token, however I am receiving the same exact error:
I am substituting the "oauth_token" ... with the App Token
This is incorrect. This isn't how OAuth works.
You need to go through the OAuth connection process (e.g. click the "Connect to QuickBooks" button) to get your OAuth token.
The App Token is not the same thing as the OAuth token. They are two totally independent separate values.
If you post what programming language you're using, you'll probably get more details relevant to what you're actually building in.
I am trying to pull in and display the wall posts and comments from a public Facebook page on my client's webpage using JavaScript. I know I need an access_token, but the problem is it expires every so often. It seems I would need to dynamically get the access_token to avoid that issue. Does anyone know of a way to do this client-side?
Short answer:
If the page is really public, you don't need an access token at all. For instance,
http://graph.facebook.com/19292868552
{
"id": "19292868552",
"name": "Facebook Platform",
"picture": "http://profile.ak.fbcdn.net/hprofile-ak-ash2/276791_19292868552_1958181823_s.jpg",
"link": "http://www.facebook.com/platform",
"likes": 3922010,
"category": "Product/service",
"website": "http://developers.facebook.com",
"username": "platform",
"founded": "2007",
"company_overview": "Facebook Platform enables anyone to build social apps on Facebook and the web.",
"mission": "To make the web more open and social.",
"about": "We're building the social web. Get the latest here: developers.facebook.com ",
"talking_about_count": 74536
}
Longer answer, if you are using a particular user's access token to perform actions on their behalf, you might consider asking for "offline access" so that the token won't expire. See https://developers.facebook.com/docs/reference/api/permissions/ for more information about how to ask for this permission.