I'm testing LMS API using https://apitesttool.desire2learnvalence.com/
I have:
App ID
App Key
User ID
User Key
I can get users from my LMS API https://lms.freedomhighschool.ca/d2l/api/lp/1.30/users/
This is private route and i have access to it.
But when i'm trying to create new user i got "Message": "Not Authorized"
This is admin user and i can login via LMS and to do everything i want(create, delete, update) users.
So, what's the problem? Why can't i create new user via https://apitesttool.desire2learnvalence.com/ ?
https://i.stack.imgur.com/gE98j.png
https://i.stack.imgur.com/BmOiC.png
It looks like you have RoleId = 0. In order to create a Brightspace User, you need to provide a Role Id value.
The user account you are using in the Test Tool will also need to have the appropriate permissions to Enroll users. For example, if you are wanting to enroll a "Student" then your user account needs to have the permission "Users - Enroll 'Student'" turned ON.
Related
Scenario: Native app with user (user role) present including a user profile page allowing the user to update his profile.
Azure AD v2.0 endpoint used & app registration done accordingly. App is used by many tenants, therefore we have admin consent flow included in the apps sign-up flow.
Account Types: Work & School Account
Admin consented scopes (delegated permission per tenant on registered app):
User.ReadWrite
Directory.AccessAsUser.All (Admin Only)
Directory.ReadWrite.All (Admin Only)
User.ReadWrite.All (Admin Only)
From the documentation:
User permission
User.ReadWrite and User.Readwrite.All delegated permissions allow the app to update the following profile properties for work or school accounts:
aboutMe
birthday
hireDate
interests
mobilePhone
mySite
pastProjects
photo
preferredName
responsibilities
schools
skills
Question 1: Did we understood the terms and documentation correctly?
Question 2: What about other user fields not in this list? Is there no Graph Scenario at all to change them? The documentation is a bit unclear in terms of if possible with user delegated rights or just application delegated right or not possible at all.
Concrete:
Job Title? Can a user with delegated permission ever updated this field or do we need application permission to do so?
User Profile Photo? Can a user with delegated permission update his/her own profile picture or do we need application permission to do so?
The next sentence after that list you referenced from the documentation explains this:
With the User.ReadWrite.All application permission, the app can update all of the declared properties of work or school accounts except for password.
So yes, you can only update the full set of user properties using Application permissions (aka the Client_Credentials flow).
I am creating an iOS app, and am working through the signup/login flow trying to understand how to structure my user model.
I want to allow users to sign up via facebook/twitter as well as using a standalone email/password if they don't want to authenticate through a service.
I am using auth0 to handle service authentication.
What is the standard process of storing / keeping track of my users if some are signing up through email/password, and others are simply authenticating through Auth0.
This is what I've come to so far:
My user model will contain the following properties at a minimum:
_id
name
email
password (will be blank for authenticated users)
auth0_id (will be blank for non-authenticated users)
How I will validate a user on login:
If a user who signs up manually (email/password) wants to log back in, I will check their email exists in my users table and then run a match on their password, if a match - return the user object.
If a user who authenticates through a service wants to log back in, I will make the call to Auth0, check their auth0_id exists in my users table, and then run return the user object.
Does this pose any security issues?
Comments/suggestions welcome!
I recommend decoupling your user and auth0 models from each other. For example:
User schema:
_id
name
email
password
Auth0 schema:
_id
auth0_id
user_id
I also recommend requiring a password on the user schema, and generating a strong password for users that register through Auth0. This will ensure that all users have a "standard" user account regardless of Auth0 and their continuing to have those services in the future (ex: the user deletes their Facebook account but continues to use your service – all they have to do is run through your "forgot password" flow).
Then have a standard login flow and an Auth0 login flow – the latter is the standard Auth0 flow, you check that the Auth0 ID exists and return the joined user record.
Did you consider using the email/password functionallity that is built-in in Auth0? That way you don't have to keep two different logics.
I have finally managed to implement Facebook as an external login provider on my MVC website which seems to be working fine, but I am wondering what is the correct / secure way to allow multiple external login provides to be linked to a single account.
Lets say I login with my facebook ID, no existing account is found with the same email address and my website persists a new account with their email address and their facebook token etc associated.
Next day I login with my Google account, If i check my database for an account which already has a matching email address what should I do?
1) Link this Google account with the existing account automatically and
log them in?
2) Ask the user if they wish to link their google account to the
already existing account we found?
3) Something else?
Thank You.
It is really up to you. But the default provided in the VS2013 template assumes a one to many relationship between your internal user and any external logins. If you retrieve a user with UserManager, you will see a IList for each external provider the user has logged in with.
As they log in with the new provider, you would normally not automatically know the user is associated with another provider's login. When you login it looks up a user via external ProviderKey, so initally would not find any relation to an internal user. At that point you could search users by name, email (with customized user store) and so on to link as needed.
Assuming primary emails registered on facebook and google for example, are verified by them (which they usually are) I don't see any issues on linking them together.
I think the main problem is linking internal account with email that was not verified to be from specific user. If i create an account with email of other user and that email is not verified, when the other user creates an account it associates the data of the first user together and that way both users are using the same account.
Can anyone identify and explain potential flaws for my first claim please?
I'm having an issue with the unenroll call in Valence API for the users with roles that are hidden. I can unenroll the users with visible roles though.
My organization's wiki says that "If users are missing from the Classlist, their role in the course may be hidden". Is there any way to unenroll such a user? Am I missing some permissions to unenroll these users with hidden roles?
In order to delete a user enrollment using DELETE /d2l/api/lp/(version)/enrollments/orgUnits/(orgUnitId)/users/(userId) (or the action that removes the enrollment by specifying user ID first and then org unit ID), the calling user context must have permission to:
See user enrollments in the first place (Users>View User Enrollments), at the organization level
Search for the user role type(Users>Search for RoleType), at the organization level
Enroll the user role type (Users>Enroll RoleType), at the organization level
Since the various enrollments actions are considered administrator-type actions, they use the "Users" role permissions at the organization level.
D2L has not currently provided classlist level API actions to unenroll users (so user contexts that would be able to un-enroll users from the classlist tool, within the web UI, often cannot do so using the Learning Framework API, unless the calling user's role has the organization-level permissions required to unenroll users).
I've been looking into OAuth for a while, but haven't implemented it in any of my applications yet. I'm having trouble really understanding the full concept, so I still have a few questions that I haven't found an answer to, so I hope that anyone can help me.
I want a user to be able to start my application (WP8), login to facebook / twitter / microsoft / ... .
When he gets authenticated, I want to actually save this user to my own DB so I can add some user specific stuff like preferences, posts, ... .
What do I need to save in my own DB to specify a user?
Do I need to save the token itself or is this something that will be invalidated after a while? Or do I need to specify the user's name? With other words: What can I use as a unique identifier?
And what happens when a user would authenticate with for example facebook and he deletes his account?
And one more question, would you ever allow a user to connect to an application with 2 different service providers? If so, how would you make the coupling of these 2 providers to 1 user in your own DB?
I hope my questions are clear enough!
If not, don't hesitate to ask for more information!
Kind regards,
Gert
I assume that you have your own back-end where you authenticate your own users and your WP8 application is just a client.
First, let me distinguish between a user credential and a user profile. User credential is something that validates who the user is, e.g. username/password, facebook user id supplied with a valid auth token. User profile, is what you store in your own database about the user.
You also need to distinguish between a token you use to authenticate the user and the AccessToken Facebook needs to grant you access to user's data.
So... to answer your questions:
What do I need to save in my own DB to specify a user?
Create a record with user data (like preferences, and your unique user ID), and user's login method (e.g. Facebook) and credential (e.g. Facebook's user ID). This is your user's profile.
Do I need to save the token itself or is this something that will be invalidated after a while?
You can also store the Facebook AccessToken here if you've been granted "offline access" privileges by Facebook, but that is used for Facebook's access by you... not by the user's access to your app/back-end. For user's access you could just use a mechanism similar to cookie-based authentication - it's up to you. You could use the AccessToken as a kind of a "cookie", but you would need to always check against Facebook that it's valid.
With other words: What can I use as a unique identifier?
You could treat Facebook's ID as unique (so long as you never allow another account in your user profile DB to link with the same Facebook account)
And what happens when a user would authenticate with for example facebook and he deletes his account?
It's a good idea to have users still create a username/password combination that works with you site and only rely on Facebook login for convenience. In any case, Facebook provides a "Deauthorize Callback URL" when you create an app profile on Facebook. This is called when a user deactivates your app or deletes an account with Facebook. When you receive this call, you could send your user an email when an auth link to setup a different credential so as to not lose access.
would you ever allow a user to connect to an application with 2 different service providers? If so, how would you make the coupling of these 2 providers to 1 user in your own DB?
Sure, you could do that. Say you'd want to allow a Twitter account as well. You'd need to add a Twitter user ID field to your user profile database.
Here's another tip: create an ASP.NET MVC4 project in Visual Studio - the template includes an example of how to set up a user profile database with OAuth login.
Hope it gives you the high-level overview to investigate further.