How can I fetch the logged in AD user in my ROR application.
I have tried:
Etc.getlogin - It gives me the username of where the server is running
system(`WhoAmI`) - returns false
ENV["USERNAME"], ENV["USER"], ENV["USERID"] - Doesn't return anything
And how to check if the User is logged in or not ?
I am using Net::LDAP for this:
a = Net::LDAP::Filter.eq("sAMAccountName", "username")
ldap.search(:filter => a)
It return me the data of the user as :
#myhash=
{:dn=>["CN=Test Windows,CN=Users,DC=example,DC=local"],
:objectclass=>["top", "person", "organizationalPerson", "user"],
:cn=>["Test Windows"],
:sn=>["Windows"],
:givenname=>["Test"],
:distinguishedname=>["CN=Test Windows,CN=Users,DC=example,DC=local"],
:instancetype=>["4"],
:whencreated=>["20211004113850.0Z"],
:whenchanged=>["20211004124559.0Z"],
:displayname=>["Test Windows"],
:usncreated=>["16489"],
:usnchanged=>["16525"],
:name=>["Test Windows"],
:objectguid=>["Some ID"],
:useraccountcontrol=>["22038"],
:badpwdcount=>["0"],
:codepage=>["0"],
:countrycode=>["0"],
:badpasswordtime=>["0"],
:lastlogoff=>["0"],
:lastlogon=>["0"],
:pwdlastset=>["1327782117765465"],
:primarygroupid=>["213"],
:objectsid=>["Some ID"],
:accountexpires=>["9223876536854775807"],
:logoncount=>["0"],
:samaccountname=>["username"],
:samaccounttype=>["93806368"],
:userprincipalname=>["username#example.local"],
:objectcategory=>["CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local"],
:dscorepropagationdata=>["16010101000000.0Z"],
:mail=>["abc#abc.com"]}>]
But here how to know if the user is logged in ?
lastlogoff & lastlogon is always "0"
Thanks.
MSAL API should let us know the username that is currently logged in so that we don't have to create a separate cookie and manage this cookie and logic.
getAllAcounts should give us all the accounts.
getAccount should give us the account that it is currently signed in/active.
Here is how you can check if user is loggedIn or not:
cdef raw_info
#raw_info ||= access_token.get('/me').parse
Then you can check if the token is valid or not. If it is valid then the user is loggedIn otherwise not.
Related
Users sign up/login via Azure AD B2C using Identity provider Local Account-Email.
I can see users signed up (with their password) for the tenant:
When I run example "Manage User Accounts with Graph API" to check for local identity passwordProfiles they show null. My assumption is this property is automatically populated when a user creates the password same as other User resources.
Can someone give me some guidance what I'm missing?
public static async Task GetUserByIssuerAssignedID(AppSettings config, GraphServiceClient graphClient)
{
Console.Write("Enter user sign-in name (username or email address): ");
string userName = Console.ReadLine();
Console.WriteLine($"Looking for user with sign-in name '{userName}'...");
try
{
// Get user by sign-in name
var result = await graphClient.Users
.Request()
.Filter($"identities/any(c:c/issuerAssignedId eq '{userName}' and c/issuer eq '{config.TenantId}')")
.Select(e => new
{
e.PasswordProfile,
e.DisplayName,
e.Id,
e.Identities
})
.GetAsync();
if (result != null)
{
Console.WriteLine(JsonConvert.SerializeObject(result));
}
Thank you for your help
It is an expected result.
Azure AD B2C doesn't require the local identity users to change password next sign in. As the document says:
The property must set to .forceChangePasswordNextSignIn false.
Set forceChangePasswordNextSignIn as true is meaningless. In this case, passwordProfile won't be visible through GET method of Microsoft Graph API.
You can quickly verify it in Microsoft Graph Explorer.
For example, if you create a user with "forceChangePasswordNextSignIn": true in an Azure AD tenant, you will get passwordProfile in the result.
If you create a user with "forceChangePasswordNextSignIn": true in an Azure AD B2C tenant, you can get "passwordProfile" in the result but the password is null.
"passwordProfile": {
"password": null,
"forceChangePasswordNextSignIn": true,
"forceChangePasswordNextSignInWithMfa": false
}
We can never get user password using Microsoft Graph API or any other official API. Azure AD won't store password. So you can't get it.
So, I have been able to connect social accounts (fb or google) to be connected to the local email account if already exists.
However, I also want the reverse functionality, i.e. I would like to allow user to sign up even if the (google or FB) social account exists. Currently it says:
{ A user is already registered with this email address }
I am using django-all-auth and django-rest-auth with Django 2.1
Yes, you can do that. You should be able to modify the password reset endpoint provided by django-rest-auth to set a password and then be able to login:
from django.contrib.auth import get_user_model
from django.contrib.auth.forms import PasswordResetForm as DjangoPasswordResetForm
from rest_auth.serializers import (
PasswordResetSerializer as RestAuthPasswordResetSerializer
)
from rest_auth.views import PasswordResetView as RestAuthPasswordResetView
UserModel = get_user_model()
class PasswordResetForm(DjangoPasswordResetForm):
def get_users(self, email):
"""
Given an email, return matching user(s) who should receive a reset.
"""
active_users = UserModel._default_manager.filter(**{
'%s__iexact' % UserModel.get_email_field_name(): email,
'is_active': True,
})
return iter(active_users)
# or (u for u in active_users if not u.has_usable_password())
class PasswordResetSerializer(RestAuthPasswordResetSerializer):
password_reset_form_class = PasswordResetForm
class PasswordResetView(RestAuthPasswordResetView):
serializer_class = PasswordResetSerializer
You can add this view to your urls.py as general endpoint to reset passwords (remember to place it in front of the rest_auths' URLs) or as an additional endpoint to set passwords (see the commented line). Then you can add a note to your signup page that links to your page that serves your new endpoint.
As an alternative, you could also add a field to your user settings page where users can set a password.
You could also send an e-mail with a link via send_confirmation to set a password when a user tries to sign up and the e-mail exists already (or only in case this user has a social account). If you like I could add an example here how to do that.
i'm using django-allauth for my django app. by default, when a user successfully sign's up, they are automatically logged in. how do you override the default behaviour and prevent the user from logging in after after successful signup. After the user signs up, he/she must be redirected to the login page. ive disabled email verification. Thank you.
# settings.py
LOGIN_REDIRECT_URL = 'welcome'
ACCOUNT_AUTHENTICATED_LOGIN_REDIRECTS = False
ACCOUNT_LOGOUT_REDIRECT_URL = 'thanks'
ACCOUNT_EMAIL_REQUIRED = False
ACCOUNT_EMAIL_VERIFICATION = 'none'
If you don't need the email verification, you can skip the login like this:
First in your urls.py, you must override the url to the default SignupView with a url to your own view:
url(r^'accounts/signup/$', views.CustomSignupView.as_view(), name="account_signup")
Then in your views.py, you have a custom view that will return a path to your frontpage instead of continuing to login the user.
class CustomSignupView(SignupView):
def form_valid(self, form):
self.user = form.save(self.request)
return redirect('/frontpage')
Use Case : A single user with “single user name” should be able to use data available in different tenant without relogin.
Expected Flow :
User “A” login into tenant 1
He done some activity and able to access all tenant 1 data
He clicks on the “switch tenant” link and after that he should be able to access all data related to Tenant 2
Environment :
Grails v2.1
spring-security-core v1.2.7.3
multi-tenant-single-db v0.8.3
I am using following auto generated class
SpringSecurityTenantRepository
SpringSecurityTenantResolver
I used following code in controller but it did not work.
def switchedTenentId = params.switchedTenentId
if(switchedTenentId != null && !"".equals(switchedTenentId))
{
def currUser = springSecurityService.currentUser
springSecurityService.currentUser.userTenantId = new Long(switchedTenentId)
}
I googled but did not find any solution. I like to know the logic, solution or any sample code.
Thanks
Here is what I did:
User u = User.get(springSecurityService.currentUser.id)
u.userTenantId = params.switchedTenentId.toInteger()
u.save flush: true
springSecurityService.reauthenticate u.username
It worked like a charm.
I wrote a Rails application. I used omniauth for authentication.
session.rb
auth = request.env["omniauth.auth"]
user = User.find_by_provider_and_uid(auth["provider"], auth["uid"]) || User.create_with_omniauth(auth)
session[:user_id] = user.id
Everything seems normal as well, but when I want to change my facebook status, fbgraph cannot do that. I wrote this code
provider = User.find_by_provider_and_name('facebook', current_user.name)
#facebook = FbGraph::User.me(provider.token)
#facebook.feed!("loanminder-test-message-#{Time.now.utc}")
And the exception is like that
FbGraph::InvalidToken in LoansController#show
OAuthException :: Error validating access token: Session does not
match current stored session. This may be because the user changed the
password since the time the session was created or Facebook has
changed the session for security reasons.
How can I solve the problem, how can I change my status via Rails?
Your stored token is no longer being accepted. You will need to prompt the user to login again and use a new access token, or use the following token
app_id|secret
where if your app ID is 942523352 and your secret is bc76876876f67676ae0 then you access token is
942523352|bc76876876f67676ae0