I have configured OAuth2 service in Moodle and after a success login from OAuth2, it redirects me to edit user profile page for new user and only email is prefilled as the OAuth2 issuer only provides openid and mail scopes, I couldn't directly retrieve user profile from the callback and prefill First Name, Last Name and other user info fields. So, how should I configure it in Moodle website or in the backend code to call
https://{oauthurl}/oauth/v1/token
in order to get the access token and after that retrieve user info by calling
https://{oauthurl}/oauth/v1/userinfo
?
Locked fields
Do you have the fields unlocked in Moodle ? If they are locked then the fields aren't updated.
Go to Site administration > Plugins > Authentication > OAuth 2 > Settings
Or direct to admin/settings.php?section=authsettingoauth2
Mapped fields
Also, you can map the fields in Moodle to the Oauth2 service
Go to Site administration > Server > OAuth 2 services
Or direct to /admin/tool/oauth2/issuers.php
Edit the service and then update the field mapping
Related
Configured grafana with wso2 IS for authentication, Authentication is working fine but I am not able get user role into grafana from WSO2 IS. Can anyone guide on this.
You need to request the roles(groups) claim in the SP you registered for grafana. You can following the steps in doc to add roles claims to the SP
If you are using new console, follow these steps
Go to the registered SP edit page
Select the user attributes tap
Add the role(groups) attributes
In the access token, you can see the roles. (note: to always receive the roles in the access token make the roles attribute mandatory in the claims/attribute setting)
I'm a bit of a salesforce / web noob, but am testing out the customer 360 external identity licences, along with customer users. My main goal is to authenticate a customer user using OAUTH, get an access token, then use the Salesforce web APIs to access some relevant bits of info for the customer user. However I just can't seem to figure out how to get the customer user authenticated despite being able to do the same just fine for my personal admin user account.
I have the following setup:
a bunch of external identity licences
a profile with the external identity user licence assigned, with the API enabled setting checked.
a connected app setup with relaxed IP restrictions set, all users may self authorize set, OAUTH settings enabled, device flow enabled, and the full access OAUTH scope selected.
an end customer contact with an associated end-customer user, assigned to the external identity profile and thus external identity user licence.
And I'm POSTing to the test token endpoint (https://test.salesforce.com/services/oauth2/token).
I've tried two auth flows, password and device flow for IOT as I want to integrate this with a command line app (which the IOT flow is good for apparently), and while both succeed for my personal salesforce user credentials, they both fail for my test user account credentials.
The server response for the password flow is as follows:
{
"error": "invalid_grant",
"error_description": "authentication failure"
}
End-customer users don't appear to have a security token so I've just been using the password on its own. I can't seem to find a way to generate a security token for these types of users but suspect this could be the issue for this flow.
When trying the device flow the returned verification uri is always https://test.salesforce.com/setup/connect but attempting to login on this page as the customer-user fails with this error:
Please check your username and password. If you still can't log in, contact your Salesforce administrator".
I am definitely providing the correct customer user credentials here so have no idea why this fails.
Does anyone have any ideas on how to get this working?
#eyescream nudged me in the right direction so here's the solution for anyone in the same position as me.
Authentication of external identity customer users is not done using the normal OAUTH REST endpoints (https://test.salesforce.com/services/oauth2/token or https://login.salesforce.com/services/oauth2/token).
Instead you have to setup an experience cloud site, add your customer user profile to the sites list of member profiles, then authenticate using a site specific AUTH endpoint.
For example, if your experience cloud URL is https://sandboxname-companyname.instanceid.force.com, then your OAUTH token endpoint would be at:
https://sandboxname-companyname.instanceid.force.com/services/oauth2/token
Extra things to note:
customer user accounts cannot authenticate using the username-password flow.
the device flow for IOT (or command line apps) will return a verification URL that customer users cannot log in to (https://test.salesforce.com/setup/connect). You can instead use the experience site connect URL (https://sandboxname-companyname.instanceid.force.com/sitename/setup/connect)
We are currently working on an Angular node application which uses WSO2 Api Manager and Identity Server . The current mode of login is done through emails which gets saved as WSO2 Carbon users . We need to allow users to login using their google or facebook accounts using OAuth2. I have implemented the code for fetching access token,refresh token on login through google on click of a button from my app . But How can i link it to save this user as a user in our application's identity server . I found the below link which helps in the process: https://docs.wso2.com/display/IS570/Logging+in+to+an+Application+Using+Google#50629d9a6ddf4769ae2d8953c5a25645 .
Can anyone suggest me whether this one would help ?
I would like to know how the google account user details will be saved as a user in our identity manager ?
Is it possible ? If possible, what all data will i get from google ?
I assume that you have already done the configurations for the communication between your application and the WSO2 Identity Server according to the description in the question.
From the description, I'm not certain that you have done the configurations to federate the login to Google. Follow the below steps if you already haven't done so.
Generate OAuth client ID from the google developer console.
Configure a federated authenticator in WSO2 IS with google authenticator using the generated client id and secret values.
Add newly created IDP as an option to the first step of your application.
More information can be found in here. From Google, you can get email and default profile attributes of the user. Reference.
Follow the same steps for Facebook login as well. More information available here.
Now the federated login is configured. Now you need to enable JIT provisioning for the configured Identity Providers above to save the user in the Identity Server when the user is logged in with those social login options. More information available in here. You have a few modes to create the user in the Identity Server.
In my requirement, i have users in the IS. And I need to log into other applications by entering his user name and password. then the application should call the service provider which is defined inside IS and check whether the person who is trying to log into the application is actually authenticated user, then user name, email and user permissions also should be sent to the application as the response from the service provider.
I'm using OAuth2. Using Is 5.1.0.
Can anyone please guide me how to implement this
Can I check it with rest client tool like postman also?
How do I secure my API when I want an app to be able to retrieve app-specific information without a user logged in and when I have an OAuth provider for another section of my API? Can I use the client app's OAuth credentials to hit the API without a user logged in?
I have create an OAuth provider and client using doorkeeper following railscasts 353. I can successfully authenticate a user to my provider app and make requests on behalf of the user to my provider API.
However, a portion of the API is user independent, meaning that the information returned from the API is not specific for a user and therefore a user should not have to be logged in. For example, assume an ecommerce site and items and prices are stored on the provider for multiple clients. I want a client app to be able to securely retrieve the items/prices associated the retrieving app without a user having to be logged in. So if you went to example.com the items would be displayed even if a user is logged in via OAuth.
I have only be able to retrieve this information via OAuth when a user has logged in through OAuth (creating an access_token). Is there a way to use OAuth without having a user present (I've been trying to read about 2-legged OAuth and if that is an appropriate solution)? Or do I need to use Api keys (or Http Basic Auth) for the application to retrieve the application specific data?
If OAuth is not the right solution because I do not have a user present, could/should I use HTTP Basic Auth over SSL and use the client site's OAuth secret key as the API key for the basic auth username?
If you need to authenticate your client apps in you API (without requiring a user specifically) use the Client Credentials flow