invalidate authentication token when user disabled by admin - wso2-identity-server

Is it possible in WSO2 Identity Server, when a user is disabled or locked by an admin (or in any other scenario), to invalidate the user's session just in time and disable the user's authentication token?
Suppose a user logs in and has a valid session, and after that the admin locks the user and deactivates the user account. Now the user accesses a protected resource and is let through because the token validates. Is the user's token still valid?

Please specify the IS version that you are using. In IS 5.1 the user can't access any resource once his account is locked. I'm not quite sure about IS 5.0 though.
Thanks

Related

No emails are sent to the added and granted user, nor does the user see any locks via the Tapkey app while the grants for locks are set

I tried to add a user using the Web API via client credentials and via an identity provider. Neither resulted in the invited user receiving an email or seeing the granted lock in his app.
I called /api/v1/Owners to get the owner account's ID for the locks I want a new user to be granted access to.
I created a new contact by posting to /api/v1/Owners//Contacts, only setting email as identifier (not posting any other data) and using the ownerAccountId from step 1.
With the newly created contact id from step 2, the ownerAccountId from step 1 and the bound lock id I did a PUT request to /api/v1/Owners//Grants.
This resulted in a 200 response, but the new contact did not get any notification or invite email.
When I log in to my.portal.nl as owner of the lock I do see the added user as a smartphone user with the correct lock and validFrom and validBefore.
I expect the invited user in step 4 to be emailed. What am I missing? In your comment you say: Generally speaking, Tapkey will usually not send emails to users.
But how do new users get notified about new locks they can open?
Via the API I do see that the users and grants are actually added. I have checked spam folders, but there are no emails.
When I register as one of these users using the email address I set up as identity and log into the Tapkey app, there are still no locks.
The client ID I'm using is c2f11e47604639323320d08f8e4038f4 and the owner account id is e12e4145-3afb-45ae-81f5-2cdd57d89fb5
I will just summarize what was already explained by Markus in his answer:
Regarding the question about the email:
The user will not be informed by email if you create a grant for him.
Regarding the permissions:
If you have created permissions for a user with the Tapkey identity provider, these grants are visible to the user once he logs into the Tapkey app and navigates to his smartphone keys.
If you have created permissions for a user with your own identity provider, these are not displayed in the Tapkey app for the granted user, and you need to implement your own application to handle these keys.
We had a look at the grants you have created and, as you correctly said, they were created successfully. All but one have been created with your own identity provider and therefore they are not visible in the Tapkey app for the granted user. For privacy reasons, I don't want to share any more details regarding your data here.

Check first login attempt of user in wso2 IAM

Is there any way to identify how many times a user has logged in in WSO2?
We have a use case where we want to give the user the option to reset their password after first login.
We are using WSO2 IAM.

WSO2: How can an admin generate a user access token without the user's password

I'm trying to implement OTA (one-time access) using WSO2 (IS 5.7.0, AM 2.5.0, EI 6.4.0), and I need to find a way to generate a user access token.
I have tried:
using the admin service for password recovery. The disadvantage is that the email template is bound to password reset, but OTA is not a password reset scenario, so the password recovery email template would be spoiled.
finding an admin service that generates a user access token, but nothing was found.
finding a WSO2 extension/plugin, but nothing corresponding was found.
using OTP, but met an error like this: https://github.com/wso2/product-is/issues/1860
Even admins are not allowed to generate tokens for a user without their consent.
For one-time password, this should work.
https://docs.wso2.com/display/IS570/Configuring+Email+OTP
You can write a custom grant handler to authenticate the user not via password but via something unique he has (mobile number, email, etc.), as per your requirement, and generate an access token from that grant.
You can easily do a token call to WSO2 Identity Server through your custom grant and get the access token.
You can check [1] for more details.
[1] https://docs.wso2.com/display/IS570/Writing+a+Custom+OAuth+2.0+Grant+Type

Deleting Cognito user & identity has no effect on user access

I am trying to use AWS Cognito user pools with Cognito federation as auth for my APIs on API Gateway. I got the authentication & authorization part (using roles) to work, but am now stuck on how to revoke access. After login & getting the federated identity, I deleted the identity from the identity browser (console) & deleted the user from the Cognito user pool. But that does not invalidate access using the earlier generated tokens until they expire (which is a minimum of 1 hour).
I also tried setting ServerSideTokenCheck to true, but that doesn't work either. The only way to "revoke" access seems to be this. But this does not work for us, as our use case assigns roles to a group. I cannot have a whole group of users lose access in order to revoke/deny access to one user.
Is there anything I have missed to get this done? I cannot fathom an auth service which does not give me an easy way to revoke a user's access.
This is a common case with stateless JWT tokens issued by Cognito for authentication.
Once a user has got hold of a token which is valid for 1 hour, the token itself acts as the proof of authentication. The token is signed and issued by AWS, and validating it only requires a signature verification using a public key.
The way you can handle this is at the authorization layer in your application, where you can check whether the user is active/deactivated in your database after the user successfully authenticates. You can further delete the user from Cognito so that he is not able to log in again.
I see what you are saying, and as the other answer explained, once the token is issued the user can use it until its expiry date. A solution to your problem can be handled in two ways:
Cognito way: For this, you make two calls to Cognito: first, check whether the user is enabled; second, if so, authenticate its token.
DB way: You have a DB which acts as a "black list" holder, so when you want to disable the user, the app adds the username of the user to the DB. Therefore, when the user wants to authenticate, you first check with the DB (whether the user is enabled), then check its cookie for authentication/authorization.
Note: If your user base is small, you could go the Cognito way; however, there is a limit on Cognito calls, so if you have a large user base you should consider the second approach.
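The situation in the first question (a locked WSO2 account whose token still validates) and the two Cognito answers above come down to the same thing: a signed, stateless token proves only that the issuer minted it, so disabling the account must be enforced by a stateful check after signature verification. The following is an added example, not code from this thread, from AWS or from WSO2. It assumes HS256 with a shared secret so that it runs on the Python standard library alone; Cognito signs with RS256 and the signature is checked against the user pool's JWKS, but everything after the signature check is the same. The `RevocationStore` class, the `authorize` function and the claim values are constructed for the example; the `cognito:username` and `iat`/`exp` claim names are the standard ones.

```python
"""Why a signed JWT outlives an account lock, and the post-signature
revocation check the answers describe. HS256 with a shared secret is an
assumption made so the block runs offline; Cognito uses RS256 + JWKS."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

SECRET = b"constructed-demo-secret"  # stands in for the issuer's signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: Dict, secret: bytes = SECRET) -> str:
    """Issuer side: header.payload.signature, the shape Cognito hands out."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def verify_signature(token: str, secret: bytes = SECRET) -> Optional[Dict]:
    """Stateless check: a good signature proves the issuer minted the token,
    nothing about whether the account behind it still exists or is enabled."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # the token never gets to pick the algorithm
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(p))


class RevocationStore:
    """The answer's "DB way": a black list keyed by username (constructed
    in-memory stand-in for the database). Recording WHEN the admin disabled
    the account lets us reject every token issued before that moment, while
    a token issued after a later re-enable (iat > disabled_at) passes.

    The answer's "Cognito way" is the same interface with is_revoked()
    calling cognito-idp AdminGetUser and reading its Enabled field; that is
    one extra network call per request, which is the rate-limit concern
    raised in the note above."""

    def __init__(self) -> None:
        self._disabled_at: Dict[str, int] = {}

    def disable(self, username: str, at: int) -> None:
        self._disabled_at[username] = at

    def is_revoked(self, claims: Dict) -> bool:
        when = self._disabled_at.get(claims.get("cognito:username", ""))
        return when is not None and claims.get("iat", 0) <= when


def authorize(token: str, store: RevocationStore, now: int) -> Tuple[str, str]:
    """Authorizer logic: signature, then expiry, then the stateful check that
    the stateless token cannot carry. Returns (decision, reason-or-username)."""
    claims = verify_signature(token)
    if claims is None:
        return ("deny", "bad signature")
    if claims.get("exp", 0) <= now:
        return ("deny", "expired")
    if store.is_revoked(claims):
        return ("deny", "user disabled after token issued")
    return ("allow", claims.get("cognito:username", ""))


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    store = RevocationStore()
    alice = mint_token({"cognito:username": "alice", "iat": now, "exp": now + 3600})
    print(authorize(alice, store, now + 60))           # allowed: valid and not revoked
    store.disable("alice", at=now + 120)                # admin locks the account
    print(authorize(alice, store, now + 180))          # denied, although the signature still verifies
```

The order of checks matters: the signature and expiry checks are cheap and local, so they run first and an attacker holding a forged or expired token never triggers the database (or AdminGetUser) lookup. Deleting the user from Cognito, as the first answer suggests, stops new logins but does nothing for tokens already in the wild; that gap is exactly what the revocation check closes.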

Facebook Authorization error when password changed

We are connecting to Facebook via the API secret key etc., but whenever an FB user changes their password the tool disconnects. How can we stop this from happening?
This is expected behavior. When a user changes their password, all access tokens are revoked for all applications that the user has installed.
There is nothing you can do to prevent a user from changing their password. What you can do is detect the invalid token when the user arrives and re-authenticate them to generate a new token.