Setup JHipster and Okta - jhipster

I set up and successfully ran JHipster with Okta, but when I log in my account only has ROLE_USER. How can I add ROLE_ADMIN to my account? I added ROLE_USER and ROLE_ADMIN as in the instructions:
Create a ROLE_ADMIN and ROLE_USER group (Users > Groups > Add Group)
and add users to them. You can use the account you signed up with, or
create a new user (Users > Add Person). Navigate to API >
Authorization Servers, click the Authorization Servers tab and edit
the default one. Click the Claims tab and Add Claim. Name it “groups”
or “roles”, and include it in the ID Token. Set the value type to
“Groups” and set the filter to be a Regex of .*.

Related

Entities are not accessible in jhipster gateway for admin panel

I have a JHipster microservice named blog and a JHipster gateway.
I have created an entity named "Farmer".
I have created the two users below in Keycloak.
Users:
1) Pradeep, for ROLE_ADMIN
2) Rahul, for ROLE_USER
While accessing the entity in the admin panel of the JHipster gateway, I get an unauthorized error for the admin (Pradeep), whereas the user (Rahul) is able to access the entity.
Please find the screenshots below.
i) Admin Panel Home Page
ii) Admin Entity Page
When the admin tries to click on the Farmer entity, below is the error I get.
iii) User Home Page
iv) User Entity Page
When the user (Rahul) tries to access the Farmer entity, he is able to access it.
Please let me know what could be the issue.
Admin users should also have the ROLE_USER role in order to access entity page. This is because the entity routes are secured by default to the ROLE_USER role.
For example, notice the authorities array in the bank-account.route.ts from the sample app:
{
  path: '',
  component: BankAccountComponent,
  data: {
    authorities: ['ROLE_USER'],   // the route guard admits only users holding ROLE_USER
    pageTitle: 'jhipsterSampleApplicationApp.bankAccount.home.title'
  },
  canActivate: [UserRouteAccessService]
},
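The two JHipster threads above (the Okta groups claim and the entity route guarded by ROLE_USER), as an added TypeScript example that is not code from JHipster or from either poster. It assumes the claim names ("groups", falling back to "roles") and the ROLE_ prefix filter described in the Okta instructions quoted in the first question, and works on constructed ID token payloads rather than real tokens.

```typescript
// Added example, not JHipster project code. It models two steps the threads
// above describe: (1) turning the "groups"/"roles" claim of an OIDC ID token
// into Spring-style authorities, keeping only ROLE_* entries, and (2) the
// Angular route guard rule that admits a user to a route only if the user
// holds one of the route's data.authorities. Claim names and the ROLE_
// prefix rule are assumptions taken from the JHipster setup quoted above.

type Claims = Record<string, unknown>;

/** Collect ROLE_* entries from the "groups" claim, falling back to "roles". */
export function authoritiesFromClaims(claims: Claims): string[] {
  const raw = claims['groups'] ?? claims['roles'] ?? [];
  if (!Array.isArray(raw)) return []; // malformed or missing claim: grant nothing
  return raw.filter((g): g is string => typeof g === 'string' && g.startsWith('ROLE_'));
}

/** UserRouteAccessService rule: any one matching authority is enough. */
export function canActivate(userAuthorities: string[], routeAuthorities: string[]): boolean {
  if (routeAuthorities.length === 0) return true; // route declares no restriction
  return routeAuthorities.some(a => userAuthorities.includes(a));
}

// Generated entity routes declare data.authorities: ['ROLE_USER'].
export const ENTITY_ROUTE_AUTHORITIES = ['ROLE_USER'];

// Constructed ID token payloads: an admin placed only in the ROLE_ADMIN group
// (plus Okta's default "Everyone" group, which the filter drops), the same
// admin also in ROLE_USER, and a token whose groups claim was never added on
// the authorization server (the situation in the Okta question above).
export const adminOnly = authoritiesFromClaims({ sub: 'pradeep', groups: ['ROLE_ADMIN', 'Everyone'] });
export const adminAndUser = authoritiesFromClaims({ sub: 'pradeep', groups: ['ROLE_ADMIN', 'ROLE_USER'] });
export const noGroupsClaim = authoritiesFromClaims({ sub: 'rahul' });

console.log(canActivate(adminOnly, ENTITY_ROUTE_AUTHORITIES));    // false: the "unauthorized" case
console.log(canActivate(adminAndUser, ENTITY_ROUTE_AUTHORITIES)); // true
console.log(noGroupsClaim);                                       // []: no ROLE_* authority at all
```

A token with no groups claim yields no authorities, which is why the claim must be included in the ID token before any group membership shows up as a role.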

Azure Admin Consent in multi tenant not working

I have some problems with the admin consent in a multi-tenant environment.
So here is my structure.
Tenant 1
Tenant 2
I have registered one Active Directory app in Tenant 1, called "App1".
In this app, I set, for example, permissions for Microsoft Graph.
Then I granted this permission.
Now I want to have also this App1 in my Tenant 2, so I do an AdminConsent with:
https://login.microsoftonline.com/TenantID_of_Tenant2/adminconsent?client_id=ClientID_of_App1
It worked fine. A few minutes later I saw App1 in Tenant 2 and I was able, for example, to give access rights to App1 for users of Tenant 2. No problem.
So then I had to give my App1 a few more permissions. So I clicked
"App registrations" in Tenant1 and gave more permissions for Microsoft Graph.
Then I clicked to "Enterprise Applications" in Tenant1, selected my App1 -> Permission and then "Grant admin consent for tenant1". A new browser was opened and I was able to do the admin consent for App1 in Tenant1.
Then I thought that I have to do the same in Tenant2, because it works the first time. So in Tenant2 I also navigated to ActiveDirectory -> Enterprise Applications -> selected my App1 -> Permissions
Here I saw the first permissions which I granted. Then I clicked "Grant admin consent for Tenant2". A new browser was opened, but now it failed with the following error:
https://myRedirectURL/?error=access_denied&error_description=AADSTS65005%3a+The+application+%clientID_of_App1%27+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer+available.+Contact+the+app+vendor.%0d%0aTrace+ID%TraceID%0d%0aCorrelation+ID%CorrelationIDaTimestampTimestamp&admin_consent=True&tenant=TenantID_of_Tenant2
Better to read: Error:
"AADSTS65005. The application ID_App1 asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor."
I get the same error when I invoke the URL https://login.microsoftonline.com/TenantID_of_Tenant2/adminconsent?client_id=ClientID_of_App1
But I didn't do anything... so where's the problem?
For your Redirect URI error you can try these steps:
Set the resource in your request to Azure AD.
Ensure that the client ID of the web app is configured in the web API's "knownClientApplications" array property in the manifest file.
Ensure that all permissions are correct (APIs are added as delegated permissions to the client).
Ensure that all services (web app & apis) are multi tenant
Update the manifest with:
  "availableToOtherTenants": true,
  "knownClientApplications": [
    "{client app application id}"
  ],
See also the troubleshooting steps in these similar threads:
Azure AD error when fetching access token & login
The client application has requested access to resource 'https://outlook.office365.com'. This request has failed

OpenAM policy creation issue: could not add/authenticate Groups other than of master realm

While creating an OpenAM policy, I couldn't find the group from the same user store (I can see groups in the master realm).
Realm: / (Top Level Realm) > testRealm
Group in masterRealm: masterGroup
Group in testRealm: testGroup
Users in testGroup: admin
Create Policy(in testRealm) -> Define Subject Conditions ->
Type: Users&Groups
Group Subjects: doesn't show "testGroup" in the auto-completion text box (but shows masterGroup).
Also I can see user "admin" in "User Subjects".
Why am I not able to see "testGroup"?
I created the policy using the "/policies" API with group name "testGroup".
Users in testGroup: admin
When I execute the policy evaluation API it returns empty attributes.
When I tried with user name "admin" in the "User Subjects" box, the policy evaluation API gives values.
What's the issue with groups in a sub-realm in a policy?
The issue has already been reported in JIRA.
https://bugster.forgerock.org/jira/browse/OPENAM-5386

Allowing all users to impersonate any user in liferay

I have a requirement where I have to allow all of my regular users to impersonate a user of their choice.
I haven't been able to make this work. This is what I've done so far:
Added the following properties to portal-ext.properties:
portal.jaas.enable=false
portal.impersonation.enable=true
Created a role for the purposes of impersonation
Defined permissions for this new role: Portal > Users and organizations > View & Impersonate
Assigned this role to a non-administrator user (user A)
I don't need my users to see the list of users they can impersonate, I just want Liferay to impersonate a user if ?doAsUserId=x is present in the URL (which does work if you are an administrator).
When I try to impersonate user B using user A, nothing happens. I get this error in the tomcat log:
1ERROR [http-bio-8180-exec-85][PortalImpl:5990] User 80413 does not have the permission to impersonate 25105
(User 80413 is my User A, the one attempting to impersonate user B [25105])
Am I missing something else?
There is a condition in Liferay which checks the permission on the list of organizations for the impersonation. So the user who is impersonating the other user must have the "impersonation" permission in all the organizations of which these users are part.
// doAsUserId is the user to impersonate; organizationIds are that user's organizations
if (doAsUser.isDefaultUser() ||
    UserPermissionUtil.contains(
        permissionChecker, doAsUserId, organizationIds,
        ActionKeys.IMPERSONATE)) {
    request.setAttribute(WebKeys.USER_ID, new Long(doAsUserId));
    return doAsUserId;
}
So those two users must be part of the same organization and must have the impersonation permission for that organization.
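The organization-scoped check the answer describes, as an added TypeScript model that is not Liferay code; users, organizations and per-organization grants are constructed stand-ins for Liferay's PermissionChecker and UserPermissionUtil, and the "all organizations of the target" rule is taken from the answer above.

```typescript
// Added example, not Liferay code. It models the rule quoted above: the
// impersonating user needs the IMPERSONATE action in every organization the
// target user belongs to, and a "default user" target short-circuits the check.
// The decision also reports which organizations lack the grant, which is what
// an administrator wants to see next to the log line in the question.

interface User { id: number; organizationIds: number[]; isDefaultUser?: boolean }

/** grants: actor user id -> organization id -> set of action keys (constructed model) */
type Grants = Map<number, Map<number, Set<string>>>;

export const IMPERSONATE = 'IMPERSONATE';

export interface Decision { allowed: boolean; missingOrgIds: number[] }

export function hasActionInOrg(grants: Grants, actorId: number, orgId: number, action: string): boolean {
  return grants.get(actorId)?.get(orgId)?.has(action) ?? false;
}

export function impersonationDecision(grants: Grants, actor: User, target: User): Decision {
  if (target.isDefaultUser) return { allowed: true, missingOrgIds: [] };
  const missing = target.organizationIds.filter(org => !hasActionInOrg(grants, actor.id, org, IMPERSONATE));
  // a target in no organization leaves no scope in which the grant could apply
  const allowed = target.organizationIds.length > 0 && missing.length === 0;
  return { allowed, missingOrgIds: missing };
}

// Constructed scenario after the question: user A (80413) holds the impersonation
// role, but only in organization 10; user B (25105) is in organizations 10 and 20.
export const grants: Grants = new Map([[80413, new Map([[10, new Set([IMPERSONATE])]])]]);
export const userA: User = { id: 80413, organizationIds: [10] };
export const userB: User = { id: 25105, organizationIds: [10, 20] };
export const userC: User = { id: 25106, organizationIds: [10] };

export const denied = impersonationDecision(grants, userA, userB);  // allowed: false, missing org 20
export const allowed = impersonationDecision(grants, userA, userC); // allowed: true

if (!denied.allowed) {
  console.log(`User ${userA.id} does not have the permission to impersonate ${userB.id}` +
              ` (no IMPERSONATE grant in organizations ${denied.missingOrgIds.join(', ')})`);
}
```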

Security.yml - State_id

I log in the user fine; it is working in Symfony2. During registration the role and a state_id are saved in the DB.
role: ROLE_USER
state_id: 4 // e.g. has only permissions to do some extra actions
Is there a way in Symfony2, in security.yml, to grant permissions to targets based on both role and state_id?
Better to use different roles for this, not a state id. For example: ROLE_USER, ROLE_USER_4, etc.