I have a doubt. I have set a complete solution around the Yubico U2F keys. But now, I cannot stop duplicate registration of the same device for an user for the same app id. While checking on the keyhandles on my database they show different values for each of the duplicate registration. Please help me out.
If you are using the WebAuthn API, you can send all the already registered keys to the client when trying to add a new key using the 'excludeCredentials' key. These credentials would be formatted the same as when trying to log in.
excludeCredentials — Contains a list of credentials that were already
registered to the user. This list is then given to the authenticator,
and if the authenticator recognises any of them, it cancels operation
with error CREDENTIAL_EXISTS, thus preventing double registration of
the same authenticator.
Source: https://medium.com/#herrjemand/introduction-to-webauthn-api-5fd1fb46c285
An example of the JSON the client receives when adding a new key could be:
{
"publicKey":{
"rp":{
"name":"YourApp",
"id":"YourAddress"
},
"authenticatorSelection":{
"userVerification":"preferred"
},
"user":{
"id":"UserId",
"name":"Username",
"displayName":"displayName"
},
"pubKeyCredParams":[
{
"type":"public-key",
"alg":-7
}
],
"attestation":"direct",
"extensions":{
"exts":true
},
"timeout":20000,
"challenge":"...",
"excludeCredentials":[
{
"id":"...",
"type":"public-key",
"transports":[
"usb",
"ble",
"nfc",
"internal"
]
},
{
"id":"...",
"type":"public-key",
"transports":[
"usb",
"ble",
"nfc",
"internal"
]
}
]
}
}
When the browser detects that the user tries to register a key that was already registered, it will tell the user to try another key and the request will not be sent to the server at all.
Related
I'm trying to retrieve the CIF and also the Tax Id of the logged in user following your documentation. When trying to request that information via additional claims via the Consumer API, with the scope of &scope=openid I'm supplying the below claims parameter in my authorization request. Making sure that the External App is configured with the claims access in the Banno portal, I don't get anything in my response id_token. I've also attempted to switch this to the userinfo leveraging the opid/me resource which just returns the user "sub".
Claims readable:
claims={"id_token":{"https://api.banno.com/consumer/claim/customer_identifier":null}}
Here it is url encoded:
claims==%7B%22id_token%22%3A%7B%22https%3A%2F%2Fapi.banno.com%2Fconsumer%2Fclaim%2Fcustomer_identifier%22%3Anull%7D%7D
decoded jwt id_token repsonse:
"id_token": {
"header": {
"alg": "RS256",
"typ": "JWT",
"kid": "sig-rs-0"
},
"body": {
"sub": "sub uuid",
"at_hash": "ShHf2gRtROCBdE-j_5YZkw",
"aud": "aud uuid",
"exp": 1668092577,
"iat": 1668088977,
"iss": "https://api.banno.com/a/consumer/api/v0/oidc"
}
}
using the same example switching the claims key to "userinfo" and making a request to .../a/consumer/api/v0/oidc/me I only get this response:
UserInfo Response:
{"sub":"sub uuid"}
In either scenario, I'm expecting the following example to be in the response:
"https://api.banno.com/consumer/claim/customer_identifier": "AAA1234",
However I don't get anything no matter what I do. What am I missing here?
It looks like there is an extra = in the encoded version. If I take what you've posted in the question, claims==%7B%22id_token%22%3A%7B%22https%3A%2F%2Fapi.banno.com%2Fconsumer%2Fclaim%2Fcustomer_identifier%22%3Anull%7D%7D and decode it, I get claims=={"id_token":{"https://api.banno.com/consumer/claim/customer_identifier":null}}, which has an extra = next to the claims parameter name.
That seems to have the effect of the name of the claim not matching up with what is expected, therefore that claim's value is not included in the Identity Token (and isn't available from the UserInfo endpoint).
The Claims in the Identity Token guide will be helpful to review.
I want to send different JSONs to this endpoint:
{{URL_API}}/products/
I need to update several information related to different products so i need to specify the product within the endpoint, i mean, i.e:
If you access this particular endpoint: {{URL_API}}/products/ you will get all the products but i need to specify the product that i want to update:
{{URL_API}}/products/99RE345GT
So, i decided to create a CSV file, i will update all the different product passing that file in the COLLECTION RUNNER screen, do you get me?.
For that, i created a new collection, i put this request_url:
{{URL_API}}/ns/products/{{sku}}
I edited the request body:
{
"sku": "{{sku}}",
"price": "{{price}}",
"tax_percentage": "{{tax_percentage}}",
"store_code": "{{store_code}}",
"markup_top": "{{markup_top}}",
"status": "{{status}}",
"group_prices": [
{
"group": "{{class_a}}",
"price": "{{price_a}}",
"website": "{{website_a}}"
}
]
}
all those fields between the {{}} will be completed by the CSV but it shows an error message over the url_request, {{sku}} seems to be wrong... it throws this message error:
unresolved variable, this variable is not defined in the active
collection, environment or globals.
How can i solve this? I do not know what to do now.
What am i missing?
We are setting up some automation around SSO into AWS, but I have run into a problem.
There is a custom user attribute called AWSLab, and if a user does not have any IAMRole values populated for this attribute, then I need to add one.
The IAMRole field has Info type set to Text and No. of values set to Multi-value on the GSuite side, so I am putting it into an array for this API request.
Also, when I do a GET on the user and look at other schemas attached, I see this key named type set to work so I include that too.
Below is my function in Google Apps Script:
function check_user_access(){
var email = 'user#domain.com';
var role = [
'arn:aws:iam::123456789012:role/User',
'arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider'
].join(',')
optArgs = {
projection: "full"
}
var user = AdminDirectory.Users.get(email, optArgs)
var schema = user.customSchemas
Logger.log("typeof(schema): %s", typeof(schema))
if(schema["AWSLab"]) {
Logger.log("schema[\"AWSLab\"] found on user '%s': %s", email, schema["AWSLab"])
} else {
Logger.log("schema[\"AWSLab\"] not found! Updating...")
Logger.log("schema before:\n\n%s\n", JSON.stringify(schema))
schema["AWSLab"] = { "IAMRole": [{ "type": "work", "value": role }] }
Logger.log("schema after:\n\n%s\n", JSON.stringify(schema))
AdminDirectory.Users.update(userFull, email) // line 35
}
}
When this function runs, I see this error:
Invalid Input: [AWSLab] (line 35, file "Labs")
I have some extra lines in there right now, to output some details for troubleshooting, but it's not helping me see the problem.
As it turns out, the issue was with the name of the custom schema.
At creation, the schema had a different name which was then edited at some point.
The key to figuring this out was populating the schema fields in question on a user with some dummy data, then pulling the user out via the API with a GET and examining the JSON.
After creating a Group using POST /v1.0/groups with the body:
{
"description": "hello",
"displayName": "group_for_restore",
"groupTypes": [
"Unified"
],
"mailEnabled": true,
"mailNickname": "group_for_restore",
"securityEnabled": false,
"visibility": "Public"
}
A request to GET /v1.0/groups/{group-id}/planner/plans does not retrieve any plans.
As far as I know, after creating a Group, a Plan will be created too. On the web interface you can see that this plan is correctly created and shown, but it does not appear in JSON response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.plannerPlan)",
"#odata.count": 0,
"value": []
}
After clicking on it in the web interface you can easily get the plan using the request above.
Is it ok to do such magic steps to fetch plan id?
The Web App is provisioning the Group's Plan the first time you attempt to access it. When creating a Group through the API however, you'll need to create a new Plan yourself:
POST https://graph.microsoft.com/v1.0/planner/plans
Content-type: application/json
{
"owner": "group-id",
"title": "title-value"
}
Keep in mind this important note from the documentation:
When creating a new plan, make a group its owner by simply setting the owner property on a plan object.
I have a document like -
{
"fullUserName": "xxyz",
"userFirstName": "xx",
"userLastName": "xx",
"primaryRole": "xy",
"actualRole": "rrr",
"userId": "abcd1234",
"password":"c28f5c7cb675d41c7763ab0c42d",
"type":"login",
"channels":"*"
}
and view -
function (doc, meta) {
if(doc.userId,doc.password,doc.type){
emit([doc.userId,doc.password,doc.type],doc);
}
}
When the key matches with the docment's property it return the document otherwise it return empty JSON like -
{"total_rows":2,"rows":[
]
}
Now I want to response the error message in JSON format when the key does not match for example-
{
"Error-Code":"400",
"Error-Msg":"user id and password does not match"
}
Is there any way to do so,Please correct if I am moving in the wrong direction.
Thanks in advance.
You shouldn't directly expose the view query result to your users but interpret it instead.
So make a view request, look at the response and do the business logic of checking there. For example:
"if result is empty it can only be because the user is unknown or the password hash didn't match the user, so return a business-specific error message, otherwise carry on with login"
There's no way you can change the behavior and response format of the server, and that doesn't make much sense to do so anyway. This is the API and contract of how you interact with the server. You should add your own business logic in a layer in between.