OPENAM: How to add information to the "User Information" OAuth2 / OpenID Connect endpoint - openam

I'm using OAuth2 with OpenAM 13. I need my client application to be able to retrieve user information by means of the OpenAM "User Information" endpoint.
However, I need to add to / enhance the information provided, so that custom information from the user profile is returned.
I was not able to see how to do this with the "User Information" endpoint.
However, with the "Token Information" endpoint it is very easy to add information (adding scopes that match the profile attribute name automatically adds the information to the JSON response). I tried the same for the "User Information" endpoint, but this didn't work.
In this other post I have read that the "User Information" endpoint information can be enhanced by using a 'script'. However, I was not able to find how to do it:
OpenAM - Use OAuth2 Access Token to get User Details?
Could someone help with this? I would really appreciate it.
Thanks so much

In the default claims script you can add additional profile attributes by
extending the 'profile' key of the 'scopeClaimsMap' and creating a mapping for the new claim in the 'claimAttributes' map.
As the claims script uses the IDRepo API of OpenAM, you need to make sure the attributes are configured in the 'User Attributes' section of the configured user data store.
Example: Additional claim "employee_number" for the "profile" scope.

claimAttributes = [
    "email": attributeRetriever.curry("mail"),
    "address": { claim, identity, requested -> [ "formatted" : attributeRetriever("postaladdress", claim, identity, requested) ] },
    "phone_number": attributeRetriever.curry("telephonenumber"),
    "given_name": attributeRetriever.curry("givenname"),
    "zoneinfo": attributeRetriever.curry("preferredtimezone"),
    "family_name": attributeRetriever.curry("sn"),
    "locale": attributeRetriever.curry("preferredlocale"),
    "name": attributeRetriever.curry("cn"),
    "employee_number": attributeRetriever.curry("employeeNumber")
]

scopeClaimsMap = [
    "email": [ "email" ],
    "address": [ "address" ],
    "phone": [ "phone_number" ],
    "profile": [ "given_name", "zoneinfo", "family_name", "locale", "name", "email", "employee_number" ]
]

The attribute 'employeeNumber' must be configured in the user data store config (which is there by default if you did not change anything).


Can't create new user (using the JWT Grant flow and the scopes that are mentioned in the API overview)

I have a problem with creating another user via the Admin API. I don't have an organization_id property in the /userinfo response. I need it to create new users via my app. There I also use the recommended scopes.
This is the response I get after calling /userinfo:
{
    "sub": "xxx",
    "name": "Some Name",
    "given_name": "Name",
    "family_name": "Name",
    "created": "2022-02-02T16:38:29.457",
    "email": "some.email@gmail.com",
    "accounts": [
        {
            "account_id": "xxx",
            "is_default": true,
            "account_name": "Name",
            "base_uri": "https://demo.docusign.net"
        }
    ]
}
Also, when I used the Quickstart App I faced the same problem. I can't create users via this app, because the organization_id property is missing.
Quickstart App error
Thanks.
To use the Admin API you have to have an organization for your account.
Once you create an organization, you will have an organizationId, which is used for this API call.
How to create an organization for your DocuSign account.

Is there any login REST-API for user in keycloak?

Is there any login REST API for created users in Keycloak?
I used the API
{{root}}/realms/{{realm}}/protocol/openid-connect/token
but it only gives an access token, and I need the full information of the user.
I think what you are looking for is the user info API, which provides information about the currently logged-in user:
Try this (by passing the token obtained from the URL you mentioned: {{root}}/realms/{{realm}}/protocol/openid-connect/token):
GET "{root}/auth/realms/yourRealmName/protocol/openid-connect/userinfo"
A sample response from my setup:
{
    "sub": "d32be694-f438-44a5-95f2-7434ff37ca1e",
    "email_verified": false,
    "roles": [
        "Administrator"
    ],
    "groups": [
        "Administrator"
    ],
    "preferred_username": "administrator"
}

DocuSign: send documents to sign to our clients via our platform

I studied the different authentication methods and I found that the JWT grant method is the best suited for our platform. We need to send envelopes to our clients, who will subscribe to our website with any email from any domain. We purchased the plan: basic API plan, Site: NA3-EU1.
Example 1:
our domain is, for example: domain-a.com
sender: hello@domain-a.com
receiver: martin@gmail.com
Example 2:
sender: hello@domain-a.com
receiver: jean@domain-b.us
Our goal is to automatically send our client "martin@gmail.com" an email to sign documents when they register on our platform. Once signed by martin@gmail.com, we download the signed document.
Is the JWT grant flow the best method for our case? If possible, please provide an example.
You are correct. It sounds like you don't need to have individual users authenticate themselves, so JWT grant flow is the right way to go.
After reviewing this authentication guide on JWT, you should check out the language-specific code examples linked on that page.
Now, on to your use case... It looks to me like your clients will receive a very similar template. With Docusign, you can create a template of documents, roles, and tabs and send that template to each new client.
Here's an example that demonstrates how to create and send an envelope that contains a template. The template is set up to expect two recipients, one signer and one carbon copy. There is also a "note" tab assigned to the signer, which I've prepopulated with his physicalAddress.
POST /envelopes
{
    "status": "sent",
    "templateId": "00df08bf-xxxx-xxxx-xxxx-ecaa2360c121",
    "templateRoles": [
        {
            "email": "test@test.com",
            "name": "Test User",
            "roleName": "signer",
            "routingOrder": "1",
            "tabs": {
                "note": [
                    {
                        "tabLabel": "physicalAddress",
                        "value": "221 Main St. San Francisco, CA"
                    }
                ]
            }
        },
        {
            "email": "test2@test.com",
            "name": "Another user",
            "roleName": "cc",
            "routingOrder": "2"
        }
    ]
}

Google OAuth2 cannot get profile info

I'm using the https://accounts.google.com/o/oauth2/auth? endpoint to obtain the id_token.
The scopes are openid profile email.
The problem is that when I try to verify that id_token I get iss, azp, aud, sub, email, email_verified, iat, exp, jti. And as you can see, there is no profile info like given_name, family_name, picture.
The official doc says that it should contain profile info:
    // These seven fields are only included when the user has granted the "profile" and
    // "email" OAuth scopes to the application.
    "email": "testuser@gmail.com",
    "email_verified": "true",
    "name" : "Test User",
    "picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
    "given_name": "Test",
    "family_name": "User",
    "locale": "en"
All permissions are granted.
UPDATE
So in case anyone ever needs it:
As Vladimir Serykh mentioned, to get profile info we need to hit the /userinfo endpoint. But this endpoint takes the access_token as a Bearer token in an Authorization header, so you need to obtain that too.
So basically we need to call OAuth2 with the response_type='id_token token' query parameter. After that, the responseUrl will contain the access_token too.
Next you just need to call the https://openidconnect.googleapis.com/v1/userinfo endpoint with an Authorization header set to Bearer your_access_token. You will get a response with the profile info:
{
    "sub": "user_id",
    "name": "Name Lastname",
    "given_name": "Name",
    "family_name": "Lastname",
    "picture": "pic_url",
    "email": "example@gmail.com",
    "email_verified": true,
    "locale": "en"
}
Thank you again, Vladimir Serykh
It's not very clear how old the documentation you linked is, or whether it is relevant to your case.
I know that different Identity Providers can work slightly differently. And I know of cases where you have to make a separate call with the obtained ID token to the /userinfo endpoint to get user info.
There is some different Google documentation for the Google Identity Platform.
It has a description of ID tokens.
https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
Google ID Tokens may contain the following fields (known as claims):
Notice that the Provided column doesn't say "always" for them. I think that it could be different for different APIs.
The same docs have a section "Obtaining user profile information".
It explains where to get the /userinfo endpoint URL and how to call it. In the response you should receive the info you need.
My guess why it's not working in your case is that you are using the /tokeninfo endpoint. It's not part of the OpenID Connect standard. It just validates the token and parses it (does the same job as https://jwt.io). And the original ID token doesn't contain those claims for some reason. Therefore the /tokeninfo endpoint doesn't return them to you.
But according to Google's documentation, you should use the /userinfo endpoint to obtain user info claims.
You can find description of this endpoint in OpenID Connect specification:
https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
5.3 UserInfo endpoint
The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication.
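The Keycloak answer above and this Google thread describe the same client steps; here they are as one added example (not code from either answer or vendor): take the tokens from an implicit-flow redirect (response_type=id_token token), list which profile claims the id_token lacks, build the Bearer-authenticated /userinfo request and check the response, including the OIDC rule that the userinfo sub must equal the id_token sub. The endpoint URL is the thread's; the tokens, client id, redirect URL and responses are constructed.

```javascript
// Added example: OIDC userinfo client steps. Tokens, client id and responses are constructed.

// With response_type=id_token token the tokens come back in the URL fragment, not the query.
function parseRedirectFragment(redirectUrl) {
  const params = new URLSearchParams(new URL(redirectUrl).hash.slice(1));
  return { accessToken: params.get('access_token'), idToken: params.get('id_token'),
    tokenType: params.get('token_type') };
}

// Payload decode only, no signature check: validate the token (signature via the issuer's
// JWKS, iss, aud, exp, nonce) before trusting any claim read this way.
function decodeIdTokenClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

const PROFILE_CLAIMS = ['name', 'given_name', 'family_name', 'picture', 'locale'];
const missingProfileClaims = (claims) => PROFILE_CLAIMS.filter((c) => !(c in claims));

// The request both answers describe: GET userinfo with the access token as Bearer credential.
function buildUserInfoRequest(userinfoEndpoint, accessToken) {
  return { url: userinfoEndpoint, method: 'GET',
    headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' } };
}

// Userinfo returns JSON on 200 (401 means the token was rejected). OIDC Core 5.3.2 requires
// the userinfo sub to match the id_token sub; a mismatch means the claims are someone else's.
function parseUserInfoResponse(status, bodyText, expectedSub) {
  if (status !== 200) throw new Error(`userinfo failed: HTTP ${status}`);
  const info = JSON.parse(bodyText);
  if (typeof info.sub !== 'string') throw new Error('userinfo response has no sub claim');
  if (expectedSub !== undefined && info.sub !== expectedSub) throw new Error('sub mismatch');
  return info;
}

// Live call composing the pieces (uses Node's global fetch; not exercised offline).
async function fetchUserInfo(userinfoEndpoint, accessToken, expectedSub) {
  const req = buildUserInfoRequest(userinfoEndpoint, accessToken);
  const res = await fetch(req.url, { method: req.method, headers: req.headers });
  return parseUserInfoResponse(res.status, await res.text(), expectedSub);
}

// Constructed redirect whose id_token payload mirrors the question (no profile claims).
const demoIdToken = ['eyJhbGciOiJSUzI1NiJ9', Buffer.from(JSON.stringify({
  iss: 'https://accounts.google.com', aud: 'CLIENT_ID_PLACEHOLDER', sub: 'user_id',
  email: 'example@gmail.com', email_verified: true, iat: 1700000000, exp: 1700003600,
})).toString('base64url'), 'SIGNATURE_PLACEHOLDER'].join('.');
const demoRedirect = `https://app.example/cb#access_token=ya29.demo&token_type=Bearer&id_token=${demoIdToken}`;
```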

how to register users to mongodb after open id connect authentication?

I have a backend API written in Node.js (authorization with OAuth2) using azure-passport-ad, my frontend is Angular 5 (OpenID Connect), and I'm using Azure AD for authentication. The thing is that our users will have two roles,
"student" and "admin". How can I make that distinction between roles? Does the token retrieved by the IdP give me a field with the roles that the user has?
You can define the roles in Azure AD as shown here: https://joonasw.net/view/defining-permissions-and-roles-in-aad.
To define roles in an app, you will have to modify its manifest in AAD to something like this (other properties removed for brevity):
{
    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "displayName": "Administrator",
            "id": "179c1dc0-4801-46f3-bc0d-35f059da1415",
            "isEnabled": true,
            "description": "Administrators can access advanced features.",
            "value": "admin"
        }
    ]
}
Then you can assign users to these roles via the Users and groups tab for the Enterprise application/service principal's blade.
The ID tokens sent to your app will then contain the role(s) like so:
{
    "family_name": "User",
    "given_name": "Test",
    "name": "Test User",
    "roles": [
        "admin"
    ]
}
You can check that claim after the token has been validated by Passport.
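One way to act on that claim once Passport has validated the token, as an added example (not the answer's code and not part of passport-azure-ad): an Express-style middleware that admits a request only when the validated claims carry one of the required app role values. It assumes the strategy placed the validated claims on req.user (the usual Passport convention) and handles the case where Azure AD omits the roles claim entirely because the user has no assignment; the claim objects are constructed.

```javascript
// Added example: role enforcement on validated Azure AD token claims. Assumes req.user holds
// the validated claims (Passport convention); all claim objects below are constructed.

// Normalise the claim: Azure AD omits `roles` when the user has no assignment, otherwise
// it is an array of the `value` strings from the app manifest.
function rolesFromClaims(claims) {
  const roles = claims && claims.roles;
  return Array.isArray(roles) ? roles.filter((r) => typeof r === 'string') : [];
}

// Middleware factory: 401 without validated claims, 403 when none of the required roles is
// held. Decisions use only the validated token, never request parameters or body fields.
function requireRole(...allowed) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'unauthenticated' });
    const held = rolesFromClaims(req.user);
    if (!allowed.some((r) => held.includes(r))) {
      return res.status(403).json({ error: 'insufficient_role', required: allowed });
    }
    return next();
  };
}

// Minimal stand-ins for Express req/res so the middleware can be exercised without a server.
function runMiddleware(middleware, claims) {
  const outcome = { status: 200, body: null, passed: false };
  const res = {
    status(code) { outcome.status = code; return this; },
    json(body) { outcome.body = body; return this; },
  };
  middleware({ user: claims }, res, () => { outcome.passed = true; });
  return outcome;
}

// Constructed claim sets mirroring the shape shown in the answer.
const adminClaims = { name: 'Test User', given_name: 'Test', family_name: 'User', roles: ['admin'] };
const studentClaims = { name: 'A Student', roles: ['student'] };
const unassignedClaims = { name: 'No Role' }; // no `roles` claim at all

console.log(runMiddleware(requireRole('admin'), adminClaims).passed);      // true
console.log(runMiddleware(requireRole('admin'), studentClaims).status);    // 403
```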
