I'm using an OpenIDIdentityProvider with mappingMethod: claim to authenticate admin users in the Openshift admin console. I'm using the auth0 service to authenticate users. The admin users are defined in an ansible playbook on deployment, effectively making the admin users hard-coded.
Is it possible to completely manage all admin and developer users using the OpenIDIdentityProvider, a lookup mapping method and adding something like extraScopes: [roles] to pull through the additional authorization roles into the authentication request? That would enable me to completely manage users and roles separately from the ansible playbook. Next level bonus points for managing permissions on the authentication provider side.
The Openshift documentation is very light on details for authentication / authorization outside of the default mappingMethod: claim.
Below is my identity provider json file for the claim-based mapping method:
{
"items": [
{
"name": "auth0",
"challenge": false,
"login": true,
"mappingMethod": "claim",
"kind": "OpenIDIdentityProvider",
"clientID": "supersecretsauce",
"clientSecret": "extrasupersecretsauce",
"extraScopes": ["email", "profile"],
"claims": {
"id": [
"email"
],
"preferredUsername": [
"email"
],
"name": [
"name"
],
"email": [
"email"
]
},
"urls": {
"authorize": "https://fancypants.auth0.com/authorize",
"token": "https://fancypants.auth0.com/oauth/token",
"userInfo": "https://fancypants.auth0.com/userinfo"
}
}
]
}
To my simple mind the below would suffice for a working lookup-based mapping method with roles returned by the authentication provider:
{
"items": [
{
"name": "auth0",
"challenge": false,
"login": true,
"mappingMethod": "lookup",
"kind": "OpenIDIdentityProvider",
"clientID": "supersecretsauce",
"clientSecret": "extrasupersecretsauce",
"extraScopes": ["email", "profile", "roles"],
"claims": {
"id": [
"email"
],
"preferredUsername": [
"email"
],
"name": [
"name"
],
"email": [
"email"
],
"role": [
"roles"
]
},
"urls": {
"authorize": "https://fancypants.auth0.com/authorize",
"token": "https://fancypants.auth0.com/oauth/token",
"userInfo": "https://fancypants.auth0.com/userinfo"
}
}
]
}
An example of a functional role value would be cluster-admin.
OpenID can only be used for authentication. You are attempting to use it for both authentication and authorization. This is not possible as roles and bindings are managed by Openshift - they cannot be delegated to an external service.
Related
I was using identity verification feature from Docusign with envelopes. Previously, envelopes are working fine without it. Then I enabled this feature and searched on the Docusign API Documentation, how to implement this feature. I got the necessary details like authentication token, workflow id. Try to hit the endpoint using Post request. Everything's fine but having issues in the body part of the post request getting invalid phone number response. Thank you for your time! Please help!
//Post request endpoint
https://demo.docusign.net/restapi/v2.1/accounts/f8594d59-9d52-xxxx-xxxx-xxxxxxxxxxxx/envelopes
//header
Authorization: Bearer {accestoken}
Content-Type: application/json
Acces: application/json
//request body
{
"accountId": "f8594d59-9d52-xxxx-xxxx-xxxxxxxxxxxx",
"templateId": "4e2ba389-5d26-xxxx-xxxx-xxxxxxxxxxxx",
"emailSubject": "Please sign the contract",
"templateRoles": [
{
"roleName": "Sender",
"name": "Name",
"email": "fName.lName#xyz.com",
"identityVerification": {
"workflowId": "c368e411-1592-xxxx-xxxx-xxxxxxxxxxxx",
"steps": null,
"inputOptions": [
{
"name": "phone_number_list",
"valueType": "PhoneNumberList",
"phoneNumberList": [
{
"countryCode": "1",
"number": "8956324511"
}
]
}
]
}
},
{
"roleName": "Customer",
"name": "cFName",
"email": "cFName.cLName#gmail.com"
}
],
"status": "sent"
}
//Response
{
"errorCode": "PHONE_NUMBER_INVALID",
"message": "Phone number is not valid."
}
//Expected Response can vary
{
"envelopeId": "e8342cd0-ea2b-xxxx-xxxx-xxxxxxxxxx",
"uri": "/envelopes/e8342cd0-ea2b-xxxx-xxxx-xxxxxxxxxx",
"statusDateTime": "2023-01-13T05:22:35.0100000Z",
"status": "sent"
}
According to https://www.areacodehelp.com/where/area_code_895.shtml area code 895 is not valid.
Try with a valid phone number to confirm the issue, but to me it looks like the number you used here is indeed not a valid phone number.
PS
If you meant to use a number in Azerbaijan, you need to change the country code from "1" to "895" as it's a country code for a different country (the way you have is if for the USA)
So, basically what I found is ID verification won't work with template roles because of the syntax compatibility. But it will work with composite templates, I made it work with composite template.
Additionally, both of the methods are compatible idVerification or phoneAuthentication. I am using idVerification for the first Signer and phone Authentication for the second signer
Docusign docs have more methods as well like sms auth, etc. Explore it from these links:
https://developers.docusign.com/docs/esign-rest-api/how-to/phone-auth/
https://developers.docusign.com/docs/esign-rest-api/reference/envelopes/envelopes/create/
Check examples, in my usecase I explored Generic JSON Request/Response
Thanks for all the support from Inbar and the community!
{
"accountId": "f8594d59-9d52-xxxx-xxxx-xxxxxxxxxx",
"emailSubject": "Please sign the contract",
"status": "sent",
"compositeTemplates": [
{
"compositeTemplateId": "1",
"serverTemplates": [
{
"sequence": "1",
"templateId": "4e2ba389-5d26-xxxx-xxxx-xxxxxxxxxx"
}
],
"inlineTemplates": [
{
"sequence": "2",
"recipients": {
"signers": [
{
"roleName": "Sender",
"recipientId": "1",
"name": "Name",
"email": "fName.lName#xyz.com",
"identityVerification": {
"workflowId": "c368e411-1592-xxxx-xxxx-xxxxxxxxxx",
"steps": null,
"inputOptions": [
{
"name": "phone_number_list",
"valueType": "PhoneNumberList",
"phoneNumberList": [
{
"countryCode": "1",
"number": "1234567890"
}
]
}
]
}
},
{
"roleName": "Customer",
"recipientId": "2",
"name": "cName",
"email": "cfName.clName#gmail.com",
"phoneAuthentication": {
"senderProvidedNumbers": [
"+11234567890"
],
"recipMayProvideNumber": false
},
"idCheckConfigurationName": "Phone Auth $"
}
]
}
}
]
}
]
}
Note: Use valid phone number!
I'm having a hard time understanding how context providers work in the Orion Context Broker.
I followed the examples in the step-by-step guide written by Jason Fox. However, I still do not exactly get what happens in the background and how the context broker exactly creates the POST from the registration. Here is what I am trying to do:
I do have a WeatherStation that provides sensor data for a neighborhood.
{
"id": "urn:ngsi-ld:WeatherStation:001",
"type": "Device:WeatherStation",
"temperature": {
"type": "Number",
"value": 20.5,
"metadata": {}
},
"windspeed": {
"type": "Number",
"value": 60.0,
"metadata": {}
}
}
Now I like the WeatherStation to be a context provider for all buildings.
{
"id": "urn:ngsi-ld:building:001",
"type": "Building"
}
Here is the registration that I try to use.
{
"id": null,
"description": "Random Weather Conditions",
"provider": {
"http": {
"url": "http://localhost:1026/v2"
},
"supportedForwardingMode": "all"
},
"dataProvided": {
"entities": [
{
"id": "null",
"idPattern": ".*",
"type": "Building",
"typePattern": null
}
],
"attrs": [
"temperature",
"windspeed"
],
"expression": null
},
"status": "active",
"expires": null,
"forwardingInformation": null
}
The context broker accepts both entities and the registration without any error.
Since I have a multi-tenant setup I use one fiware_service for the complete neighborhood but every building would later have a seperate fiware_servicepath. Hence, the weatherstation has a different servicepath than the building. Although I also tried to put them both on the same path.
For now I used the same headers for all entities.
{
"fiware-service": "filip",
"fiware-servicepath": "/testing"
}
Here is the log of the context broker (version: 3.1.0):
INFO#2021-09-23T19:17:17.944Z logTracing.cpp[212]: Request forwarded (regId: 614cd2b511c25270060d873a): POST http://localhost:1026/v2/op/query, request payload (87 bytes): {"entities":[{"idPattern":".*","type":"Building"}],"attrs":["temperature","windspeed"]}, response payload (2 bytes): [], response code: 200
INFO#2021-09-23T19:17:17.944Z logTracing.cpp[130]: Request received: POST /v2/op/query?options=normalized%2Ccount&limit=1000, request payload (55 bytes): {"entities": [{"idPattern": ".*", "type": "Building"}]}, response code: 200
The log says that it receives the request and forwards it as expected. However, as I understand it this would simply point to the same building entity again. Hence, it is somehow a circular forwarding. I also cannot tell anything about the headers of the request.
I do not understand how the forwarded request from the building can actually query the weather station for information. When I query my building I still only receive the entity with no own properties:
{
"id": "urn:ngsi-ld:building:001",
"type": "Building"
}
I also tried to vary the url of the registration but with no success.
Is this scenario actually possible with the current implementation? It would be very useful
Is there any example for this including also the headers?
I know that I could simply use reference but that would put more work on the user.
Thanks for any help on this.
It is messy, but you could achieve this via a subscription. Hold the weather station as a separate entity in the context broker and poll or push updates into the entity. The subscription would fire whenever the data changes and make two NGSI requests:
Find all entities which have a Relationship servicedBy=WeatherStationX
Run an upsert on all entities to add a Property to each entity:
{
"temperature" : {
"type" : "Property",
"value" : 7,
"unitCode": "CEL",
"observedAt": "XXXXX",
"providedBy": "WeatherStation1"
}
}
Where observedAt comes either from the payload of the weather station or the notification timestamp.
Within the existing IoT Agents, provisioning the link attribute allows a device to propagate measures to a second entity (e.g. this Thermometer entity is measuring temperature for an associated Building entity)
{
"entity_type": "Device",
"resource": "/iot/d",
"protocol": "PDI-IoTA-UltraLight",
..etc
"attributes": [
{"object_id": "l", "name": "temperature", "type":"Float",
"metadata":{
"unitCode":{"type": "Text", "value" :"CEL"}
}
}
],
"static_attributes": [
{
"name": "controlledAsset",
"type": "Relationship",
"value": "urn:ngsi-ld:Building:001",
"link": {
"attributes": ["temperature"],
"name": "providedBy",
"type": "Building"
}
}
]
}
At the moment the logic just links direct one-to-one, but it would be possible to raise a PR to check for an Array and update multiple entities in an upsert - the relevant section of code is here
I'm trying to get the list of emails of users who installed my addon.
I'm using the onInstall trigger to get the email and push it to my database.
This is fine with individual installation (normal gmail or even admin who chooses to Individual Install)
But with Domain Install, onInstall event was not fired
So how can I track the Domain Installation?
We can use the LicenseNotification endpoint of the G Suite Marketplace API:
https://developers.google.com/gsuite/marketplace/v2/reference/licenseNotification/list
The result will be something like this:
{
"kind": "appsmarket#licenseNotificationList",
"notifications": [
{
"kind": "appsmarket#licenseNotification",
"id": "001566972002228000-000001",
"applicationId": "xxx",
"customerId": "test#gmail.com",
"timestamp": "1566972001590",
"provisions": [
{
"kind": "appsmarket#provisionNotification",
"editionId": "default_edition",
"seatCount": "1"
}
]
},
{
"kind": "appsmarket#licenseNotification",
"id": "001568364120883000-000001",
"applicationId": "xxx",
"customerId": "domainabc.com",
"timestamp": "1568364119585",
"provisions": [
{
"kind": "appsmarket#provisionNotification",
"editionId": "default_edition",
"seatCount": "-1"
}
]
},
...
],
"nextPageToken": "001569976724468000-000001"
}
Inside the notifications array, notice some object that has "seatCount": "-1"
Those are domain installations that we are looking for.
We just need to get the value inside "customerId": "domainabc.com",
I can't make FeathersJs work along RS256. I used the generator, but i receive
error: NotAuthenticated: error:0906D06C:PEM routines:PEM_read_bio:no start line when user logs in with correct JWT access token.
"authentication": {
"secret": "whateverSecret",
"strategies": [
"jwt"
],
"path": "/authentication",
"service": "users",
"jwt": {
"header": {
"typ": "access"
},
"audience": "https://yourdomain.com",
"subject": "anonymous",
"issuer": "feathers",
"algorithm": "RS256", //set to RS256
"expiresIn": "1d"
},
"auth0": {
"clientID": "myClientid",
"clientSecret": "myClientSecret",
"successRedirect": "/",
"domain": "myDomain.auth0.com",
"scopes": [
"profile"
]
},
"cookie": {
"enabled": true,
"name": "feathers-jwt",
"httpOnly": false,
"secure": false
}
}
and inside user.hooks.js is the default generator.
The RS256 requires quite a bit more configuration to work. This issue mentions to make sure that your private key (secret) is a valid certificate and contains the proper newlines.
You will also likely have to customize the JWT verifier to pass the public key as the signing secret when verifying the JWT.
I created some permissions(permission_fiware table) in Horizon regarding urls that can or cant be seen.I created permission(name:Upload images, with resource: "/image_upload") and role(role_fiware) admin that has this permission.
Now i want to check whether some user that is logged in to my application can view that page on url "/image_upload" that i defined in horizons permission.So my guess is i should first check what roles user has, and after that whether those roles that user is assigned have required permission.
So, my question is next:
How can i list what permission one specific user has.
In Keyrocks API:
http://docs.keyrock.apiary.io/#reference/keystone-extensions/role-user-relationships/list-users-role-assignments
i found how i can list all permissions for a specific role
http://keyrock/OS-ROLES/roles/role_id/permissions
but how can i get information about what roles(role_fiware) are assigned to a user?
As stands in the FIWARE-IDM documentation doing a request against the resource user of your IDM host using the access_token, will return the user information, and within that information you will find the roles that user have assigned:
GET
/user?access_token=XXXXXXXXXXXXXXXXXXXX
Response:
{
"organizations": [{
"website": "",
"city": "",
"name": "Franchise1",
"img": "/static/dashboard/img/logos/small/group.png",
"domain_id": "default",
"enabled": true,
"id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"roles": [{
"name": "Franchise manager",
"id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}],
"email": "",
"description": "Test Organization"
}],
"displayName": "user1",
"roles": [{
"name": "End user",
"id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}],
"app_id": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"email": "user1#test.com",
"id": "user1"
}