How to differentiate access to the API using WSO2? - wso2

I have WSO2 IS 5.3 and WSO2 ESB 5.0.
For example:
Company 1 has bank account 123456.
User of Company1 - user1 tries to access the REST API /api/accountinfo (on WSO2 ESB).
He sends POST data "account=123456" and receives detailed information about this bank account (123456).
Company 2 has bank account 654321.
User of Company2 - user2 tries to access the REST API /api/accountinfo.
He sends POST data "account=123456" and receives detailed information about this account (654321).
How can I prevent User2 from getting information about 123456?
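The check the question is asking for is object-level authorization: the account in the POST body must be matched against the tenant the caller's token proves, server-side. The following is an added example written for this page, not code from the question and not WSO2 mediation config; it assumes the gateway has already validated the access token and exposes a `sub` and a `company` claim, and all account data in it is constructed.

```python
"""Added example (not from the question and not WSO2 code): an object-level
authorization check for an /api/accountinfo style endpoint.

The caller's company is taken from the claims of an already-validated access
token (assumption: the gateway validates the token and exposes 'sub' and
'company' claims), never from the POST body. Account ownership is looked up
server-side, so user2 of Company2 posting account=123456 is refused.
All data below is constructed for the example."""
from dataclasses import dataclass

# Constructed sample data: which company owns which account number.
ACCOUNT_OWNER = {
    "123456": "company1",
    "654321": "company2",
}

# Constructed sample data: what the API returns for an account.
ACCOUNT_DETAILS = {
    "123456": {"holder": "Company 1", "balance": "1000.00"},
    "654321": {"holder": "Company 2", "balance": "250.00"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested account."""


@dataclass(frozen=True)
class Principal:
    user: str
    company: str


def principal_from_claims(claims):
    """Build the caller identity from validated token claims.

    A token without a company claim gets no access at all rather than
    falling back to a company id the client could have supplied itself."""
    if "sub" not in claims or "company" not in claims:
        raise Forbidden("token carries no tenant information")
    return Principal(user=claims["sub"], company=claims["company"])


def account_info_unchecked(principal, form):
    """The behaviour described in the question: any authenticated user can
    read any account, because the account number in the body is the only
    thing that selects the record."""
    return dict(ACCOUNT_DETAILS[form["account"]])


def account_info(principal, form):
    """Hardened handler: the record is released only if the account belongs
    to the caller's company."""
    account = form.get("account", "")
    owner = ACCOUNT_OWNER.get(account)
    if owner is None or owner != principal.company:
        # Identical response for "no such account" and "not your account",
        # so the endpoint cannot be used to enumerate valid account numbers.
        raise Forbidden("account not accessible")
    return dict(ACCOUNT_DETAILS[account])


def list_accounts(principal):
    """List endpoints get the same treatment: filter by the caller's tenant
    server-side instead of trusting a company id from the request."""
    return sorted(acct for acct, company in ACCOUNT_OWNER.items()
                  if company == principal.company)


if __name__ == "__main__":
    user1 = principal_from_claims({"sub": "user1", "company": "company1"})
    user2 = principal_from_claims({"sub": "user2", "company": "company2"})
    print("user1 ->", account_info(user1, {"account": "123456"}))
    try:
        account_info(user2, {"account": "123456"})
    except Forbidden as exc:
        print("user2 refused:", exc)
```

On the ESB the same decision can be made in the mediation sequence in front of the backend, but the source of truth has to be the token claims plus a server-side ownership lookup; a company id carried in the request is under the caller's control and cannot be the basis of the check.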

Related

WSO2IS - Authenticating user by Mobile number and SMS OTP only without username and password

Most new mobile apps use a mobile number with SMS OTP to authenticate the user without a username/password. How can we do the same to generate an access token using WSO2 Identity Server, considering the following points:
User has to enter his/her mobile number in the app
User has to enter the SMS OTP in the app
WSO2 IS sends the SMS OTP
In the last step, generate an access token from WSO2 for the user
The following is the expected flow:
Mobile-SMS Flow
You can create a custom authenticator for this and manage SMS-OTPs from the custom authenticator. You can follow this link and integrate the two functionalities below into your application.
SMSOtpService.generateSMSOTP(userId);
This will generate an SMS-OTP for the input userId (SCIM id); the output will be a transactionId along with the smsOtp, and through the WSO2 IS SMS event handler you can send the OTP too.
SMSOtpService.validateSMSOTP(transactionId, userID, smsOTP);
This method will validate the SMS-OTP with the input fields transactionId, userId (SCIM id) and smsOtp.
You need to do a few customizations, but basically you can use these two functions to generate and validate SMS-OTPs.
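To make the generate/validate contract concrete, here is an added example with the same shape as the two methods the answer names. It is not the WSO2 IS SmsOtpService and not the answerer's code; the SMS sender, user-to-phone lookup and clock are injected, and the phone table is constructed. It also shows the three properties a practitioner would check in a custom authenticator: the code expires, it is single use, and a handful of wrong guesses discards the transaction.

```python
"""Added example, not the WSO2 IS SMSOtpService itself: a generate/validate
pair with the same shape as the two methods the answer names, written out so
the custom authenticator's logic is visible. The SMS sender, the user-to-phone
lookup and the clock are injected; PHONE_BOOK is a constructed sample table."""
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # a code is only accepted for five minutes
MAX_ATTEMPTS = 3        # after that many failures the transaction is discarded

PHONE_BOOK = {"user1": "+10000000001"}   # constructed: SCIM id -> mobile number


class SmsOtpService:
    def __init__(self, send_sms, phone_for_user=PHONE_BOOK.__getitem__, now=time.time):
        self._send_sms = send_sms              # callable(phone, text); the IS SMS event handler would sit here
        self._phone_for_user = phone_for_user
        self._now = now
        self._pending = {}                     # transaction_id -> record

    def generate_sms_otp(self, user_id):
        """Issue a fresh code for user_id, send it by SMS and return
        (transaction_id, otp). The authenticator hands only transaction_id to
        the client; the otp reaches the user through the SMS alone."""
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        transaction_id = secrets.token_urlsafe(16)
        self._pending[transaction_id] = {
            "user_id": user_id,
            "otp": otp,
            "expires_at": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(self._phone_for_user(user_id), f"Your verification code is {otp}")
        return transaction_id, otp

    def validate_sms_otp(self, transaction_id, user_id, sms_otp):
        """True exactly once, for the right user, the right code, within the TTL."""
        record = self._pending.get(transaction_id)
        if record is None:
            return False                       # unknown, already used, expired or locked out
        if self._now() > record["expires_at"]:
            del self._pending[transaction_id]
            return False
        record["attempts"] += 1
        # Constant-time compare of the code; the user id must also be the one
        # the code was issued for, so a transaction cannot be replayed for
        # another account.
        ok = hmac.compare_digest(record["otp"], str(sms_otp)) and record["user_id"] == user_id
        if ok or record["attempts"] >= MAX_ATTEMPTS:
            del self._pending[transaction_id]  # single use, and lockout after MAX_ATTEMPTS
        return ok
```

The transaction id is what binds the second request to the first; the client never sees the code except via the phone, and a failed transaction is thrown away rather than left open for further guessing.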

How does a mobile app authenticate with a backend API if the user signs in through social logins?

I'm trying to understand the basic organization and login flow between social logins on a mobile app and how that app requests resources from a backend Flask API.
If the user logs into the app through Facebook, how does the backend API provide resources based on that login? It seems the backend doesn't know the user has logged in with Facebook.
Does Facebook need to send a token to the app that the backend API then validates with Facebook?
I suggest you first read about single sign-on mechanisms:
https://en.wikipedia.org/wiki/Single_sign-on
Then you can read about OAuth2, which is used by Facebook for SSO, here:
https://oauth.net/2/
https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
Simply put, you are correct: when the user signs in on Facebook, the backend gets a token from Facebook that is used for authentication/authorization of that user.
This is what happens when a Facebook/Google login is clicked on an XYZ website:
The XYZ website redirects to the Facebook login page together with an XYZclientID (XYZ should already be registered with Facebook as a developer).
Facebook identifies that XYZ (using the XYZclientID) wants to authenticate person ABC.
Person ABC logs in to Facebook.
Facebook issues an authorisation code (for the ABC+XYZ combination) and redirects back to the XYZ website.
XYZ uses this authorisation code + XYZclientID + XYZclientSecret to get a bearer token.
Facebook validates the secret and issues a bearer token (linked to person ABC).
XYZ uses this bearer token to retrieve the details of person ABC. (It cannot be used to retrieve the data of person DEG.)
Facebook gives the email & other personal details of ABC to XYZ, and XYZ shows that ABC is logged in.
More elaborated here: https://www.scienceabc.com/innovation/oauth-how-does-login-with-facebook-google-work.html
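The steps in the answer are the authorization-code grant. As an added example (not part of the answer, and not Facebook's real API), here is a self-contained simulation with both sides as code: a Provider playing Facebook and a Site playing XYZ. Every id, secret, URL and user record is constructed. Beyond the answer's list it also shows the checks each side has to make for the flow to be safe: the provider only redirects to the registered URI, the code is single use and bound to the client, the exchange requires the client secret, and the site only accepts a callback carrying a state value it issued.

```python
"""Added example, not from the answer: a self-contained simulation of the
authorization-code flow the answer lists. Provider stands in for Facebook and
Site for XYZ; client ids, secrets, URLs and user records are constructed, and
the real Facebook endpoints and parameter names differ."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def query_of(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class Provider:
    """Facebook's role: knows the registered clients and the users."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, redirect_uri)
        self.users = {}     # user_id -> profile
        self.codes = {}     # code -> (client_id, user_id)
        self.tokens = {}    # bearer token -> user_id

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def add_user(self, user_id, profile):
        self.users[user_id] = profile

    def authorize(self, query, logged_in_user):
        """Steps 2-4: the user has logged in here, so issue a code bound to
        (client, user) and redirect back to the client's registered URI."""
        client_id = query.get("client_id")
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        if query.get("redirect_uri") != self.clients[client_id][1]:
            # Otherwise the code could be delivered to an attacker's site.
            raise PermissionError("redirect_uri is not the registered one")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, logged_in_user)
        return self.clients[client_id][1] + "?" + urlencode(
            {"code": code, "state": query.get("state", "")})

    def token(self, code, client_id, client_secret):
        """Steps 5-6: only the client the code was issued to, proving it holds
        its secret, can turn the code into a bearer token; codes are single use."""
        bound_client, user_id = self.codes.pop(code, (None, None))
        if bound_client != client_id:
            raise PermissionError("code is invalid, used, or belongs to another client")
        if not secrets.compare_digest(self.clients[client_id][0], client_secret):
            raise PermissionError("bad client secret")
        bearer = secrets.token_urlsafe(24)
        self.tokens[bearer] = user_id
        return bearer

    def me(self, bearer):
        """Steps 7-8: a token yields only the person it is bound to."""
        if bearer not in self.tokens:
            raise PermissionError("invalid token")
        user_id = self.tokens[bearer]
        return dict(self.users[user_id], id=user_id)


class Site:
    """XYZ's role: the OAuth client."""

    def __init__(self, provider, client_id, client_secret, redirect_uri):
        self.provider, self.client_id = provider, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_states = set()

    def login_redirect(self):
        """Step 1: send the browser to the provider. 'state' ties the later
        callback to this session, so a callback we did not start is rejected."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return "https://provider.example/authorize?" + urlencode(
            {"response_type": "code", "client_id": self.client_id,
             "redirect_uri": self.redirect_uri, "state": state})

    def callback(self, redirect_url):
        """Steps 5 and 7 from the client side."""
        q = query_of(redirect_url)
        if q.get("state") not in self.pending_states:
            raise PermissionError("callback does not match a login we started")
        self.pending_states.discard(q["state"])
        bearer = self.provider.token(q["code"], self.client_id, self.client_secret)
        return self.provider.me(bearer)


def build_world():
    """Constructed registration and user records for the example."""
    fb = Provider()
    fb.register_client("XYZclientID", "XYZclientSecret", "https://xyz.example/cb")
    fb.add_user("abc", {"name": "ABC", "email": "abc@example.com"})
    fb.add_user("deg", {"name": "DEG", "email": "deg@example.com"})
    return fb, Site(fb, "XYZclientID", "XYZclientSecret", "https://xyz.example/cb")


def run_flow(fb, xyz, logged_in_user="abc"):
    """Drive one complete login; returns the callback URL and the profile XYZ gets."""
    redirect_back = fb.authorize(query_of(xyz.login_redirect()), logged_in_user)
    return redirect_back, xyz.callback(redirect_back)
```

For the mobile-app case in the question, the app plays the role of the browser and the backend API plays XYZ: the backend, not the app, should hold the client secret and perform the code exchange, and it then keys its own session or token on the id the provider returned.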

What is the best way to add a user to cognito user pool after a federated identity login?

While using the Android SDK, Cognito does not add users automatically to the user pool if the user logs in with a 3rd party identity provider like Google or Facebook.
What is the best way to do this? Should I register the user from the Android app?
After a successful login I can look for the user with the related email, and then I can show a user information form to let them enter their info.
Thank you.
What worked for me: let the users authenticate using Cognito (not FB or Google directly). The Cognito login page can further delegate the social network authentication and add users to the user pool.
https://docs.aws.amazon.com/cognito/latest/developerguide/login-endpoint.html
(I know this is the web endpoint.)
"I can show a user information form to let them enter their info"
The id_token received after logon contains the user's email if you request it; you don't need to add users to the pool to get this information.

Example of Simple phone webapp, requesting and consuming from Django Server, JSON objects via RESTful API

I am looking for a basic example, a little more than a "hello world" example, which probably has:
1) user1 using his web app on his phone, logging in with a username/password
2) requesting the list of books he has read, which is kept on the server
The server sends User1 the list of books that User1 has read on the site.
Similarly, if User2 sends the same request to the server, the book list sent via JSON would be User2's.
Any example of this kind that helps me understand how models stored at the Django server end are sent as JSON objects, and then consumed by the web app and shown on the phone screen.
Thanks

how to validate an accesstoken and facebook id?

I'm building an iOS app which uses Django as the server. Users log in to my server using their Facebook account. The iOS app gets the Facebook id and access token first, then I want to send the Facebook id and access token to my server to validate them. If the Facebook id and access token are correct, the server will create a user.
My question is:
how to validate the Facebook id and access token?
e.g. a user whose Facebook id is 123 gets an accessToken abc in the app, then the app sends the info to my server; how can the server validate that the accessToken abc was assigned to 123, not to another Facebook id?
To identify an access_token, make a call to the https://graph.facebook.com/me endpoint with it. Then use the retrieved data to validate the user's id.
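The /me call tells the server which user the token belongs to, which answers the question as asked. The added example below (written for this page, not the answerer's code) implements that check with the HTTP call injected so it runs offline, and adds the second check a practitioner would want: inspecting the token with the Graph API's /debug_token endpoint to confirm it was issued to this app, since a valid token that another app obtained for user 123 would otherwise pass the /me comparison. The stub responses and token table are constructed; the two endpoint paths are Facebook's documented ones.

```python
"""Added example, not from the answer: a server-side check that the access
token the iOS app sent really belongs to the Facebook id it claims, and was
issued to this app. The HTTP call is injected so the check runs offline; the
two Graph API calls are the documented /me and /debug_token endpoints, and
the stub responses below are constructed for the example."""
import json
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

GRAPH = "https://graph.facebook.com"


def verify_facebook_login(claimed_id, user_token, app_id, app_access_token, get_json):
    """True only when both checks pass:
    1. /me called with the user's token reports the id the app claimed, so the
       id is taken from Facebook rather than from the untrusted request;
    2. /debug_token, inspected with our own app token, says the token is valid
       and was issued to our app_id. Without (2) a valid token that some other
       app obtained for user 123 would still pass the /me check."""
    me = get_json(f"{GRAPH}/me?" + urlencode({"fields": "id", "access_token": user_token}))
    if "error" in me or str(me.get("id")) != str(claimed_id):
        return False
    dbg = get_json(f"{GRAPH}/debug_token?" + urlencode(
        {"input_token": user_token, "access_token": app_access_token})).get("data", {})
    return (dbg.get("is_valid") is True
            and str(dbg.get("app_id")) == str(app_id)
            and str(dbg.get("user_id")) == str(claimed_id))


def get_json_live(url):
    """Real transport: Facebook answers errors with a 4xx and a JSON body, so
    return that body instead of raising."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


# Constructed stand-in for the Graph API: token -> (user id, app it was issued to).
FAKE_TOKENS = {
    "abc": ("123", "MYAPP"),       # the case in the question: token abc for user 123
    "xyz": ("999", "MYAPP"),       # a token for a different user
    "other": ("123", "OTHERAPP"),  # user 123, but a token issued to another app
}


def get_json_fake(url):
    """Offline stand-in for get_json_live, answering from FAKE_TOKENS."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/me":
        entry = FAKE_TOKENS.get(q.get("access_token"))
        return {"id": entry[0]} if entry else {"error": {"message": "Invalid OAuth access token."}}
    if parts.path == "/debug_token":
        entry = FAKE_TOKENS.get(q.get("input_token"))
        if not entry:
            return {"data": {"is_valid": False}}
        return {"data": {"is_valid": True, "user_id": entry[0], "app_id": entry[1]}}
    return {"error": {"message": "unknown endpoint"}}
```

Once the check passes, create or look up the local user by the Facebook id that Facebook returned, never by the id the app posted; the posted id is only a claim to be compared against.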