Getting user's organizations from Keyrock - fiware-keyrock

I'm looking for a way to get organizations of a user logged in using Keyrock's OAuth2.
I have Keyrock set up using docker-compose. I've created an organization and assigned users to it, using API. But, when a user logs in, both the JWT token and the /user endpoint return an empty list of organizations.
The user is assigned to an organization, I can see entries in the database and when using API:
mysql> select * from user_organization;
+----+--------+--------------------------------------+--------------------------------------+
| id | role | user_id | organization_id |
+----+--------+--------------------------------------+--------------------------------------+
| 2 | owner | admin | f21f255d-ef4c-4afd-9cc3-261e3e7dc168 |
| 3 | owner | admin | 3cab93ad-83ba-404f-8499-f870d0ab0d02 |
| 4 | member | 42a336da-2321-4258-a4dd-6e447d2ee171 | 3cab93ad-83ba-404f-8499-f870d0ab0d02 |
+----+--------+--------------------------------------+--------------------------------------+
In the API, when logged in as the admin:
curl -iX GET \
'localhost:3000/v1/organizations/3cab93ad-83ba-404f-8499-f870d0ab0d02/users/42a336da-2321-4258-a4dd-6e447d2ee171/organization_roles' \
-H 'Content-Type: application/json' \
-H 'X-Auth-token: 09c30919-ad6c-4eb9-9d90-283f0ae7483e'
{"organization_user":{"user_id":"42a336da-2321-4258-a4dd-6e447d2ee171","organization_id":"3cab93ad-83ba-404f-8499-f870d0ab0d02","role":"member"}}%
When I log in as the 42a336da-2321-4258-a4dd-6e447d2ee171 user using OAuth2, the JWT token has neither roles nor organizations. A part of decoded JWT token:
"organizations": [],
"displayName": "",
"roles": [],
"app_id": "d2e68240-b822-413c-978f-cc9ebdba1600",
"trusted_apps": [],
"isGravatarEnabled": false,
"id": "42a336da-2321-4258-a4dd-6e447d2ee171",
similarly, when instead of JWT I use a bearer token and I get user details using the /user endpoint:
http://localhost:3000/user?access_token=5d50b9b7162fc1cf7890d3b81feb96c5b176f0c8&action=GET&resource=myResource&app_id=d2e68240-b822-413c-978f-cc9ebdba1600
{
"organizations": [],
"displayName": "",
"roles": [],
"app_id": "d2e68240-b822-413c-978f-cc9ebdba1600",
"trusted_apps": [],
"isGravatarEnabled": false,
"id": "42a336da-2321-4258-a4dd-6e447d2ee171",
"authorization_decision": "Deny",
"app_azf_domain": "",
"eidas_profile": {},
"attributes": {},
"shared_attributes": "",
"username": "Test",
"email": "email#example.com",
"given_name": "Test",
"family_name": "Test",
"image": "",
"gravatar": "",
"extra": {
"visible_attributes": [
"username",
"description",
"website",
"identity_attributes",
"image",
"gravatar"
]
},
"sub": "42a336da-2321-4258-a4dd-6e447d2ee171"
}
Did I miss some steps in the organization/user configuration? Is there another way to get the organizations and roles of a current user?

Related

When getting a team using v1.0 API, beta resources are also being returned

I send a GET for a team at least one resource the resources is in beta. The resource teamDiscoverySettings shouldn't be returned when the request is made to v1.0 API
I sent a GET https://graph.microsoft.com/v1.0/teams/{{teamID}} and the server responds with:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#teams/$entity",
"id": "...",
"displayName": "...",
"description": "...",
"internalId": "...",
"webUrl": "...",
"isArchived": false,
"discoverySettings": {
"showInTeamsSearchAndSuggestions": false
},
"memberSettings": {
"allowCreateUpdateChannels": true,
"allowDeleteChannels": true,
"allowAddRemoveApps": true,
Shouldn't the beta resources only be returned withing the beta version of the APIs?

Loopback Error 401 (Unauthorized) while accessing APIs

I am facing an issue in loopback, 401 (Unauthorized). Initially all APIs are working perfectly.
Now I set ACL for some of the models. After that I got an error 401 (Unauthorized) while accessing APIs
Sample Code
Eg: One of my model.json file
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$unauthenticated",
"permission": "DENY"
}
I got the accesstoken after login. I think the access token is not getting in in my API headers.
you can also define ACS level. you DENY for all unauthorized user but also set permission for authorized user like.
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "admin",
"permission": "ALLOW"
},
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$unauthenticated",
"permission": "ALLOW"
}
]
principalId is define in my ROLE collection if you did't define any princepalId you can also use this.
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW"
}

Microsoft Graph API keeps returning 401 Unauthorized

Please do not report as duplicate because all other topics have not solved my issue, thanks.
I'm using Microsoft Graph API to list and create calendar events, however, I can't seem to make the findMeetingTimes endpoint work.
This is my authorization URL:
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
?client_id=xxxxx
&response_type=code
&redirect_uri=xxxxx
&response_mode=form_post
&scope=openid profile User.ReadWrite User.ReadBasic.All Sites.ReadWrite.All Contacts.ReadWrite People.Read Notes.ReadWrite.All Tasks.ReadWrite Mail.ReadWrite Files.ReadWrite.All Calendars.ReadWrite
&state=12345
Then I request an access token using the same scopes:
$request = json_decode($guzzle->post('https://login.microsoftonline.com/common/oauth2/v2.0/token', [
'headers' => ['Content-Type' => 'application/x-www-form-urlencoded'],
'form_params' => [
'client_id' => 'xxxxx',
'scope' => 'openid profile User.ReadWrite User.ReadBasic.All Sites.ReadWrite.All Contacts.ReadWrite People.Read Notes.ReadWrite.All Tasks.ReadWrite Mail.ReadWrite Files.ReadWrite.All Calendars.ReadWrite',
'code' => $auth_code,
'grant_type' => 'authorization_code',
'redirect_uri' => 'xxxxx',
'client_secret' => 'xxxxx'
],
])->getBody()->getContents());
After that I'm trying the findMeetingTimes endpoint using:
$request = json_decode($guzzle->post('https://graph.microsoft.com/v1.0/me/findMeetingTimes', [
'headers' => [
'Authorization' => 'Bearer ' . $accessToken,
'Content-Type' => 'application/json',
],
'body' => '{
"attendees": [
{
"type": "required",
"emailAddress": {
"name": "My Name",
"address": "myemail#hotmail.com"
}
}
],
"timeConstraint": {
"activityDomain":"work",
"timeslots": [
{
"start": {
"dateTime": "2019-04-02T09:00:00",
"timeZone": "Pacific Standard Time"
},
"end": {
"dateTime": "2019-04-03T17:00:00",
"timeZone": "Pacific Standard Time"
}
}
]
}
}',
])->getBody()->getContents());
However, it keeps returning:
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
Does anyone know what I'm missing? Note that I'm not using a Microsoft work/school account, just my regular one. (Does it matter?)
Its not possible to call this endpoint with personal accounts, this is metioned very cleary in the documentation

Microsoft Graph API error "Required scp claim values are not provided"

Given I'm logged in with MSSSO account;
And the Read the organization's roster permission is set;
When I call /education/me/classes endpoint;
Then I get the 403 response with the code AccessDenied and the message Required scp claim values are not provided.
What does the error mean? How do I fix it?
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/22d54f2b-1771-400c-8839-1b661d1d5270/",
"iat": 1517909669,
"nbf": 1517909669,
"exp": 1517913569,
"acr": "1",
"aio": "Y2NgYLj3Um+jDePa8FgXu/w7Jkl3lHo0ZbNPdx498+y09QQTG3UA",
"amr": [
"pwd"
],
"app_displayname": "My company ",
"appid": "5a993391-9e90-45e8-9823-e6ba00f810f3",
"appidacr": "1",
"family_name": "user",
"given_name": "user",
"ipaddr": "91.244.25.19",
"name": "user",
"oid": "bb0571c2-e60d-4425-8c37-5cd7fabe5083",
"platf": "5",
"puid": "10033FFF9E13F0A0",
"scp": "Contacts.Read Directory.AccessAsUser.All Directory.Read.All email Files.Read Files.Read.All Group.Read.All Mail.Read.Shared Mail.Send offline_access openid People.Read profile User.Read User.Read.All User.ReadBasic.All",
"sub": "rq0gSA1ps5tiFGaN1n84WZEeqqBU5pKhv-cMJQRwpSw",
"tid": "22d54f2b-1771-400c-8839-1b661d1d5270",
"unique_name": "user#company.com",
"upn": "user#company.com",
"uti": "ARRvKJOO6UutMlcwAPgYAA",
"ver": "1.0"
}

Creating a new user from Twitter using auth0 get nil email

I am using auth0 for my rails application,I tried to sign in with social connection using auth0, this works fine with google and facebook but when I tried with twitter I am getting blank email for user and not able to sign in with the user having blank email.
Here is the response which I am getting
{
"name": "XXXX",
"picture": "XXXX",
"lang": "en",
"screen_name": "XXXX",
"clientID": "XXXXXX",
"user_id": "XXXXX",
"nickname": "XXXX",
"identities": [
{
"access_token": "XXXX",
"access_token_secret": "XXXX",
"provider": "twitter",
"user_id": XXXX,
"connection": "twitter",
"isSocial": true
}
],
"created_at": "2015-04-07T06:00:51.515Z"
}
How do I get user email for twitter using auth0
Not possible. Twitter API doesn't give email address of the user.
Is there a way to get an user's email ID after verifying his/her Twitter identity using OAuth?

Resources