We have a requirement to call a webservice and insert some values to oracle db after a user lock / user unlock happens in OpenAM.
How can we achieve this?
Is there any way to achieve this using any event handlers ?
Or
do we need to use openDJ Account Status Notification Handlers.
I have gone through the openDJ Account Status Notification Handlers and tried to create a Custom Account Status Notification Handler.
I created a new objectClass and a new entry in the config.ldiff file with java-class set to my custom class, which extends AccountStatusNotificationHandler, but when I start OpenDJ it throws
Exception:
BootstrapData.startEmbeddedDS:
org.opends.server.config.ConfigException: An error occurred while trying to decode the managed object configuration entry cn=Custom Notification Handler,cn=Account Status Notification Handlers,cn=config: The Account Status Notification Handler could not be decoded due to the following reason: The string value "org.opends.server.extensions.CustomAccountStatusNotificationHandler" is not a valid value for the "java-class" property, which must have the following syntax: CLASS <= org.opends.server.api.AccountStatusNotificationHandler (ServerManagementContext.java:839 ServerManagementContext.java:774 ServerManagementContext.java:467 ServerManagedObject.java:493 RootCfgDefn.java:2540 AccountStatusNotificationHandlerConfigManager.java:124 DirectoryServer.java:2904 DirectoryServer.java:1445 EmbeddedUtils.java:88 EmbeddedOpenDS.java:455 BootstrapData.java:230 BootstrapData.java:187 Bootstrap.java:178 Bootstrap.java:161 Bootstrap.java:145 AMSetupServlet.java:427 AMSetupServlet.java:202 StandardWrapper.java:1213 StandardWrapper.java:1026 StandardContext.java:4425 StandardContext.java:
OpenAM version is 11.0.0
My OpenAM server is Apache Tomcat.
Thanks
Abhilash KP
If you use OpenAM lockout mechanism, then this won't set OpenDJ's account status, but sets a value to the configured account status attribute.
Currently OpenAM does not have any interface where you can plug in when an account is being locked.
So you have to use OpenDJ account lockout features ...
I'm trying to set up rich notifications for a channel subscription like in the docs below.
New or changed messages in a specific Teams channel: /teams/{id}/channels/{id}/messages
I'm supplying the details below to the subscription URL, using the ROPC auth flow.
{
  "changeType": "created,updated",
  "notificationUrl": "https://f554-118-110-222-226.ngrok.io/api/teams/events",
  "resource": "teams/TEAM_ID/channels/CHANNEL_ID/messages",
  "expirationDateTime": "2021-10-20T02:55:53Z",
  "encryptionCertificate": "encryptionCertificate",
  "encryptionCertificateId": "encryptionCertificateId",
  "includeResourceData": true
}
I should have all permissions necessary to access this resource since I can create a subscription when includeResourceData is false. However, I'm getting the following error when includeResourceData is true and I supply an encryption cert.
Operation: Create; Exception: [Status Code: BadRequest; Reason: Rich notification are not supported for this resource in 'app + user' context. Please set includeResourceData field to false.]
I think it might be with how my auth and permissions are set up, but I'm not entirely sure what this means. Any help is appreciated.
I would suggest you revalidate and set up all the prerequisites below, in case you missed any while setting up change notifications for a team's channel.
you need to include "includeResourceData" set to "true" and provide certificate information as described here
you need to get your application approved
Another way is to subscribe to notifications for channel messages dynamically (e.g. a PowerApp: the current user can subscribe to all of his joinedTeams or selected teams and receive push notifications), because MS Flows and Logic Apps only let you set up one at a time.
Please follow this MS document on setting up change notifications that include resource data while creating a subscription.
Reference: is team channel messages allowed for change notifications beta? · Issue #3977 · microsoftgraph/microsoft-graph-docs · GitHub
Found the answer to my question in this block of the docs. Thanks to RahulKumarShaw-MT for linking the right version.
https://learn.microsoft.com/en-us/graph/api/subscription-post-subscriptions?view=graph-rest-beta&tabs=http#chatmessage
The error below means that, since the app was using the ROPC auth flow, it falls under delegated permissions, which the API does not support for sending encrypted data.
Operation: Create; Exception: [Status Code: BadRequest; Reason: Rich notification are not supported for this resource in 'app + user' context. Please set includeResourceData field to false.]
I got around this by having to set up an additional auth token with app permissions set up specifically for this purpose.
I have set up an Azure B2C custom policy for an invitation flow, using this sample https://github.com/mrochon/b2csamples; it's working fine, but when the invitation link has expired and the user opens it, it shows an error page with
"AADB2C90017: The client assertion provided in the request is invalid: 'client_secret' was used as the verification key"
I want to change the error message so the user can know that the link has expired.
You can set a custom error page UI and use CSS to hide the default error message.
Using JavaScript, parse the default error message; when it contains "AADB2C90017", show a custom error message.
There are some samples which explain how to enable JavaScript.
I have a running Java EE application and now I want to integrate Keycloak as the authentication server. The only thing I have trouble with is the user storage. I want to have all the user data in my Java application.
The problem now:
If the user registers on the Keycloak frontend, my Java application doesn't know that the user has registered, so I cannot create a new entity. I found out that Keycloak is able to load some custom modules (https://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html) but I haven't found any examples.
Is there any solution where Keycloak notifies my Java application when the user has registered?
I have had the same problem and I have resolved it using a filter. I just check if the principal exists and if not I insert it into my application DB:
// The Keycloak adapter stores the security context as a request attribute
// once it has validated the bearer token / session.
KeycloakSecurityContext ctx = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
// Look the user up by the token's subject ("sub") claim, which is the stable Keycloak user id.
User userEntity = em.find(User.class, ctx.getToken().getSubject());
if (userEntity == null) {
    ....create user...
}
You can also use an event listener (keycloak events listener) as shown in Example Event Listener that prints events to System.out, but for this exact use case that solution was easier and faster.
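The filter approach above, written out as a complete example. This is added code, not the answerer's own: it assumes a hypothetical JPA entity `User` keyed by the Keycloak subject id, a hypothetical stateless EJB `UserProvisioningService` that supplies the transaction, and that the Keycloak Java EE adapter has already authenticated the request before the filter runs (the adapter stores a `KeycloakSecurityContext` in the request attribute of that name).

```java
// --- KeycloakUserSyncFilter.java (added example; User and UserProvisioningService are hypothetical) ---
package example.security;

import java.io.IOException;

import javax.ejb.EJB;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@WebFilter("/*")
public class KeycloakUserSyncFilter implements Filter {

    @EJB
    private UserProvisioningService provisioning;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // The adapter only sets this attribute after it has verified the token's
        // signature, issuer and expiry, so the claims read below are trustworthy.
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());

        if (ctx != null && ctx.getToken() != null) {
            AccessToken token = ctx.getToken();
            // Key the local record on the immutable "sub" claim, never on username or
            // e-mail: both can be changed in Keycloak, and keying on them would let a
            // renamed account be mistaken for a different (or an existing) user.
            provisioning.ensureUserExists(token.getSubject(),
                                          token.getPreferredUsername(),
                                          token.getEmail());
        }
        chain.doFilter(request, response);
    }
}

// --- UserProvisioningService.java (hypothetical; container-managed transaction) ---
package example.security;

import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

@Stateless
public class UserProvisioningService {

    @PersistenceContext
    private EntityManager em;

    // Creates the local User row on first sight of a subject; a no-op afterwards.
    public void ensureUserExists(String subject, String username, String email) {
        if (em.find(User.class, subject) != null) {
            return;
        }
        User user = new User();
        user.setId(subject);
        user.setUsername(username);
        user.setEmail(email);
        em.persist(user);
    }
}

// --- User.java (hypothetical JPA entity) ---
package example.security;

import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name = "app_user")
public class User {
    @Id
    private String id;        // Keycloak subject id (a UUID string)
    private String username;  // informational only, may change in Keycloak
    private String email;     // informational only, may change in Keycloak

    public String getId() { return id; }
    public void setId(String id) { this.id = id; }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}
```

Two practical points: the filter must run after the Keycloak adapter has authenticated the request (with the servlet-filter adapter, order it after `KeycloakOIDCFilter` in web.xml; with the container adapter the security constraint is evaluated before filters), and because the subject id is the primary key, two concurrent first requests for the same user cannot create two rows; the second insert fails on the key constraint and can simply be retried or ignored.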
You have to implement a custom Authentication SPI (inside the success() method you create the user in your app), deploy it, and add it to the registration flow.
Keycloak documentation: Link
I am using the most recent Identity 2 package in my MVC 5 program.
In the Register method of the Account controller, when a user is registered, it sends an email to the user's email account with a link to click to verify the account.
I have found that If I create a dummy user and immediately check my email to register the account it verifies successfully.
If I wait on clicking on the link in the email, all I get is
Error.
An error occurred while processing your request.
Is there a timeout on this email link? And if so, is there any way to extend the timeout of this link?
Since no one has provided an answer here, I will. The OP's problem was that the resulting token was not URL-encoded.
var code = Url.Encode(await UserManager.GenerateEmailConfirmationTokenAsync(userId));
or
var code = HttpUtility.UrlEncode(await UserManager.GenerateEmailConfirmationTokenAsync(userId));
If you are encoding, check the lifespan.
I am new to OpenAM. I am trying to use OpenAM (954) to secure my web service using J2EE agent 3.0. I have deployed my web service (using CXF) on GlassFish 3.1.x.
I have created necessary configuration given in URL http://docs.oracle.com/cd/E19575-01/820-4803/ghuqg/index.html
I want to authenticate using user id and password. I am passing this information (userid/password) using SOAP header. But when I try to access my web service in browser it gives access forbidden message.
Are there any additional configurations required? Please let me know, I am not able to find any other information on this anywhere.
Following is the request we are sending. I am not sure whether the UsernameToken wsu:Id is correct. How do we get this value from OpenAM dynamically each time we send the request?
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken wsu:Id="UsernameToken-27777511" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>amadmin</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Amit4001</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>
<demo:greetPerson>
  <!--Optional:-->
  <arg0>Ashish</arg0>
</demo:greetPerson>
Please help me solve this issue.
I want to authenticate using user id and password. I am passing this information (userid/password) using SOAP header. But when I try to access my web service in browser it gives access forbidden message.
I'm currently struggling to learn OpenAM as well and I think your specific problem is that you have not yet set up a policy (not a policy agent) after users have successfully authenticated.
If you haven't, try the following steps:
Navigate to Access Control -> YourRealm -> Policies -> New Policy
  Name: yourpolicyname
  Rules (click new):
    Name: URLPolicy
    Resource Name: http://your-webservice-url/*
    Check allow GET and POST
    Name: GetUrlPolicy
    Resource Name: http://your-webservice-url/*?*
    Check allow GET and POST
  Subjects (click new):
    Type = OpenAM Identity Subject
    Name: UserAccess
    Add the users you want to be able to authenticate
You have to add the *?* rule if you have any GET parameters in your web page.
Hope that helps, I know the documentation around is terrible.
For your agent policy, in the Global tab: General section > Agent Filter Mode, remove ALL and add SSO_ONLY (leave Map Key blank and Map Value as SSO_ONLY). Note that this configuration isn't hot-swappable, so OpenAM has to be restarted to apply.
Here is a procedure for installing the agent on the server you want to protect:
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/jee-install-guide/index/chap-glassfish.html
Here is a good procedure for configuring the agent policy centrally on the OpenAM server:
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/admin-guide/index/chap-agents.html#create-agent-profiles
You might want to also control which URIs (webapps) to protect instead of the entire website. To do that, in the agent policy:
Application tab: Not Enforced URI Processing section > add the URI to protect, for example: /application1/*
Application tab: Not Enforced URI Processing section > check the "Invert Not Enforced URIs" checkbox so that it will actually enforce the "Not Enforced URI" values