I'm using Auth0 as my authentication provider. I've enabled Guardian to facilitate SMS based MFA (Multi Factor Authentication). When a new user signs up, Auth0 registers their phone number.
My system provides users the option of opting into SMS messaging on topics of interest to them. Unfortunately when I query the Management API I'm given a masked version of the phone number (i.e. "+61 XXXXX2407"). I would like to get their complete phone number as registered from Auth0 rather than asking them to enter it again.
How can I go about retrieving the complete phone number from Auth0's Guardian?
After two years, Auth0 finally provides a feature to disable phone number obfuscation. :)
Given a management API token with the proper permitted scope, this is how to get the user's phone number used in MFA:
1) Send PATCH /api/v2/tenants/settings to disable the phone number obfuscation.
The request body should contain:
{
  "flags": {
    "disable_management_api_sms_obfuscation": true
  }
}
2) Send GET /api/v2/users/{id}/enrollments to get the user's first confirmed MFA enrollment ID.
The id field is the user id. The response body should contain an MFA enrollment id. For MFA using SMS, you would want an id that begins with sms|dev_. Save this id for the next step.
3) Send GET /api/v2/guardian/enrollments/{id}
The id field is the MFA enrollment id. The phone number should now be deobfuscated.
Reference:
Getting Users Phone Number
Footnote:
As recently discussed here, to get all authenticators by a user, you would use GET /api/v2/users/{id}/authenticators. The response will include the entry obtained in the step 2 above. However, this is not documented yet as of now.
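The three Management API calls from the answer above, as an added example that is not part of the original post. The HTTP layer is factored out so the selection logic runs offline against constructed sample responses; the tenant domain, token and user id are placeholders, and the response field names (id, status, phone_number) are assumed from Auth0's enrollment objects.

```python
import json
import urllib.request
from urllib.parse import quote
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"   # placeholder
MGMT_TOKEN = "MANAGEMENT_API_TOKEN"      # placeholder: token with the scopes each endpoint needs

def mgmt_request(method, path, body=None):
    """Send one Management API call with the bearer token and return the JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{AUTH0_DOMAIN}{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {MGMT_TOKEN}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def first_confirmed_sms_enrollment(enrollments):
    """Step 2 selection rule: the first confirmed enrollment whose id starts with 'sms|dev_'."""
    for e in enrollments:
        if e.get("status") == "confirmed" and str(e.get("id", "")).startswith("sms|dev_"):
            return e["id"]
    return None

def mfa_phone_number(user_id, send=mgmt_request):
    """Steps 1-3: disable obfuscation, pick the SMS enrollment, read its phone number."""
    send("PATCH", "/api/v2/tenants/settings",
         {"flags": {"disable_management_api_sms_obfuscation": True}})
    enrollments = send("GET", f"/api/v2/users/{quote(user_id, safe='')}/enrollments")
    enrollment_id = first_confirmed_sms_enrollment(enrollments)
    if enrollment_id is None:
        return None                      # user has no confirmed SMS factor
    # ids contain '|' so they must be percent-encoded in the path
    enrollment = send("GET", f"/api/v2/guardian/enrollments/{quote(enrollment_id, safe='')}")
    return enrollment.get("phone_number")

# Constructed sample responses for an offline run (not real Auth0 data).
SAMPLE = {
    ("GET", "/api/v2/users/auth0%7C123/enrollments"): [
        {"id": "push|dev_aaa", "status": "pending"},
        {"id": "sms|dev_bbb", "status": "confirmed", "phone_number": "+61 XXXXX2407"},
    ],
    ("GET", "/api/v2/guardian/enrollments/sms%7Cdev_bbb"):
        {"id": "sms|dev_bbb", "status": "confirmed", "phone_number": "+61412342407"},
}

def demo_send(method, path, body=None):   # stand-in for mgmt_request, answers from SAMPLE
    if method == "PATCH":
        return {"flags": body["flags"]}
    return SAMPLE[(method, path)]
```

Calling mfa_phone_number("auth0|123") with the default sender performs the real requests; passing send=demo_send walks the same three steps against the constructed data.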
Related
Using the Microsoft Graph API v 1.0, how can I retrieve the user's MFA details?
For example, if I have an email based sign-in/sign-up policy with phone/SMS MFA, how can I see the phone number entered by the user? (and also set/update it)
I know if I select 'identities' in the GET /users method I can see the email they've signed up with, but not the phone number they set for MFA. (https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0)
Of course I'm looking for all the mfa settings: mfa phone number, mfa email address, is mfa set, etc.
Hopefully there is some kind of extension attribute that contains this that I can select, and set on creation, but I cannot find documentation on this.
[UPDATE]
In the Azure portal, I can see the entered data if I go to user > profile > authentication methods. So I tried accessing the authentication relationships on the user, but it didn't provide any details (all empty arrays) https://learn.microsoft.com/en-us/graph/api/resources/authentication?view=graph-rest-1.0
There's a write-up here.
e.g:
GET https://graph.microsoft.com/beta/users/objectID/authentication/methods
I can't find any help around on this topic because I am being told how to implement it rather than how it actually works.
All I know is two-factor authentication is authenticating users through an email and a phone number.
Here is my set of questions:
Does it authenticate users by verifying their email and phone number at the time of registration?
Does it authenticate users by verifying their email and phone number on every login?
Why is it that every user can set two-factor authentication enabled or disabled for their account? Isn't this an admin thing which should not be decided by the user?
I'll see if I can help clarify for you.
It works as an extra level of security. Traditionally you would have a username/email and password to get into a site. If the password is compromised then so is the account. Adding a phone number to your account will mean that only someone with access to that phone can get past the extra level of security and access your data.
When the user logs in, another 'step' is added before they get through. A token (usually a number with a short expiry - i.e. seconds) is tied to the user logging in and sent to their phone. They fill in the form and submit. The device the user is logging in with (laptop/phone/desktop browser) can then be tied to their account (see point 2 below).
This can be the case but if you take Google as an example you can select to 'Trust' the device logging in for 30 days. This ties the device to a trusted list (perhaps stored in a database for instance) for a set amount of time before asking at the point of login again.
Common practice is that it is the user's choice as to whether they have this extra level of security. They may not have access to a phone... what happens then? They may like the convenience of just using a username/email and strong password... it doesn't mean to say you can't force it by design in your system though.
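The second login step described in the answer above, as an added example that is not from the original post: a short-lived, single-use code tied to the user (only its hash is stored, compared in constant time), plus the 30-day trusted-device list. The class, names and the 60-second expiry are assumptions; sending the code by SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60            # the "short expiry" of the one-time token (assumed value)
TRUST_DAYS = 30                  # "trust this device for 30 days"

class SecondFactor:
    """Second login step: a single-use code tied to the user, plus a trusted-device list."""

    def __init__(self, now=time.time):
        self.now = now               # injectable clock so expiry can be exercised offline
        self.pending = {}            # user -> (sha256(code), expires_at)
        self.trusted = {}            # (user, device_id) -> trusted_until

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue_code(self, user):
        """Create a 6-digit code for this user; only its hash is kept. Return it for SMS delivery."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = (self._digest(code), self.now() + CODE_TTL_SECONDS)
        return code

    def verify_code(self, user, submitted, device_id=None, trust_device=False):
        """Consume the pending code; any outcome removes it, so each code is one attempt, one use."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        code_hash, expires_at = entry
        if self.now() > expires_at:
            return False
        if not hmac.compare_digest(code_hash, self._digest(submitted)):
            return False
        if trust_device and device_id:
            self.trusted[(user, device_id)] = self.now() + TRUST_DAYS * 86400
        return True

    def needs_second_step(self, user, device_id):
        """True unless this device was trusted for the user and the trust has not expired."""
        until = self.trusted.get((user, device_id))
        return until is None or self.now() > until
```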
I am just starting to work with, and learn AWS. I am using the services in the AWS Mobile Hub and so far have set up the Sign In & Sign Up methods.
Everything works fine, and now I am working on the Forgot Password and Update Password.
Problem:
The problem is that the way AWS has set up the Forgot Password is that:
You first enter a username and then after the user enters a username AWS sends a verification code via SMS to the phone number associated with that username.
That's an issue because it means that anyone can enter any username and a text message will be sent, resulting in my SMS payments increasing and to be honest it just looks sloppy.
What I want to have done is that:
After a user enters a username, they then have to enter the phone number associated with the account
Then if it matches, it sends the SMS.
Question
How do I check if a user exists in a userpool?
And then if it does, how do I get the user attribute associated with the phone number to check if it matches the phone number that the user enters?
Is this even possible? Can I even get the credentials of a user who isn't the one logged in?
Thanks in advance!
Cognito User Pools does not currently allow you to get attributes for a user (such as phone number) without that user having signed in and gotten an access token.
The admin apis can do the lookup you're looking for, but they shouldn't be called from the client as that would mean you have to embed credentials. If this is a must have for you, you could potentially secure those credentials by wrapping it in API Gateway or something along those lines and then call that from your client.
Here is how you should do it:
1) Create a web API using the APIGateway. Ideally you want to restrict access with an API Key, which you should bundle with your application.
2) Connect a POST method to a Lambda function, which will
(a) perform the necessary checks (whether the phone number specified is indeed the correct one, etc), calling the admin_* functions.
(b) issue the client version of the password reset, which will trigger the sending of the SMS code.
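The Lambda behind the API Gateway POST method from the answer above, as an added example that is not from the original post. It does the admin lookup with admin_get_user, compares the phone number, and only then calls the client-side forgot_password that sends the SMS; it returns the same reply whether or not the username exists. The pool id, client id and field names are placeholders, and FakeCognito is a constructed stand-in for the boto3 client so the code runs offline.

```python
import json

USER_POOL_ID = "REGION_POOLID"     # placeholder
APP_CLIENT_ID = "APP_CLIENT_ID"    # placeholder
# One reply for every outcome, so the endpoint does not reveal which usernames exist.
GENERIC_REPLY = {"statusCode": 200, "body": json.dumps({"message": "If the details match, a code was sent."})}

def _attribute(user, name):
    """Pull one attribute value out of an admin_get_user response."""
    return next((a["Value"] for a in user.get("UserAttributes", []) if a["Name"] == name), None)

def check_and_reset(username, phone_number, cognito):
    """Step 2(a)/(b): verify the phone number via admin_get_user, then trigger the client-side
    forgot_password, which is what sends the SMS. Returns True only when an SMS was triggered."""
    try:
        user = cognito.admin_get_user(UserPoolId=USER_POOL_ID, Username=username)
    except cognito.exceptions.UserNotFoundException:
        return False
    stored = _attribute(user, "phone_number")
    if not stored or stored.replace(" ", "") != phone_number.replace(" ", ""):
        return False
    cognito.forgot_password(ClientId=APP_CLIENT_ID, Username=username)
    return True

def lambda_handler(event, context, cognito=None):
    """API Gateway POST handler. A real client is created only when none is injected."""
    if cognito is None:
        import boto3                      # assumption: boto3 is present in the Lambda runtime
        cognito = boto3.client("cognito-idp")
    body = json.loads(event.get("body") or "{}")
    check_and_reset(body.get("username", ""), body.get("phone_number", ""), cognito)
    return GENERIC_REPLY

class FakeCognito:
    """Constructed stand-in for the boto3 cognito-idp client so the example runs offline."""
    class exceptions:
        class UserNotFoundException(Exception):
            pass
    def __init__(self, users):
        self.users, self.sms_sent = users, []   # users: username -> phone number
    def admin_get_user(self, UserPoolId, Username):
        if Username not in self.users:
            raise self.exceptions.UserNotFoundException()
        return {"Username": Username,
                "UserAttributes": [{"Name": "phone_number", "Value": self.users[Username]}]}
    def forgot_password(self, ClientId, Username):
        self.sms_sent.append(Username)
```

The Lambda's execution role needs permission for the admin call on the pool; the API key the answer mentions is enforced by API Gateway, not by this code.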
I want to disable push notifications to a user who has still not accepted the request for the group.
Note
This answer is valid as per my experience with quickblox framework 2.7 and below. As quickblox is releasing newer versions of the framework very frequently you might find a better API for doing it in future. Till then you can make use of this approach.
Answer
I don't think you can disable push notification for a specific user in a group using the Quickblox api.
When you send a message (QBChat) to a group everyone in the QBChatDialog gets the message including the person who is sending it out him/her self.
There is a Privacy List to prevent the user from receiving messages from specific users, but that requires an initiation from the user's end. So I don't think that will help you much here. This feature can be used to block a person/group from sending messages to a user.
Solution
Your best bet would be, not to add the user to group until the user accepts the group request. Implement your own logic to send out the request to each user in group and keep adding the user when he/she accepts the request.
1> Send out QBChat message with a specific custom object with data like group id, group type, group name and all other necessary data, which will differentiate it from other QBChat messages to all the user in group.
2> On receiving this special message, show a UI specific to deal with it, like an alert with "would you like to join the group??" and button accept or deny
3> On tapping accept, make a WS call to your own server and in your server api add the user to specific group for which he has agreed to join.
Because you have already populated QBChat message with object which contains the info about the dialog, you should be able to inform your server easily for which group user has joined.
Once a user has joined the group he will continue to receive all the messages in the group.
EDIT
Here is a detailed answer to your question in comment :)
I was pretty much sure you will ask this question :)
In order to add the occupant id to an existing QBChatDialog group we used the rest api of Quickblox. Remember I told you don't add all the participants to the group initially, add them one by one after they accept to join the group?? When a user accepts to join the group we call our rest api which in turn invokes the quickblox api and adds the current user id to the group :)
You can easily find the api for that in the API section of quickblox. In case you didn't find it, give me time till Monday, let me ask my API developer and update you on the same.
There is a CATCH with this approach.
QB docs clearly say only the owner of the group can add members to the group. That means just because you have a REST API you can't add the user to the group. You will need to have the valid session id of the group owner. You will get the session id when you login, I believe you are very much aware of it :)
Now how on earth will I get the group owner session id ??
Here is the approach we followed. We had foreseen such issues might arise long way before we started the project :)
When a user signs up using our app we save his username and password in our server db and generate a random username and password and create a Quickblox account with that username and password for the user and we save this Quickblox username, Quickblox password and Quickblox user id for that user :)
So though sign up actually deals with two servers user will always feel like he is dealing with one server and he continue to think he is using his username and password to login to chat.
But in reality when the user uses his username and password to login to the app, in the login response we get the quickblox username and quickblox password that the server had used to create the account. On receiving it the app uses the QB framework to login to the quickblox account with that username and password :)
This way user is never aware of his quickblox username and password and userid :) Gives us lot of control as well :)
That being said :) now when a user creates a group and sends out a special QBChat message containing custom object, in that custom object along with details of dialog he also sends his quickbloxuserid :)
Now when the user who receives the special QBChat accepts the request, we extract the dialog id (to which he is intending to join) and group_owner_id (id of the user who created the dialog and sent out this special message) and send them to our rest api along with his own id :)
Once the API receives the group owner id, it fetches the QB username and password from its db, logs in with that and gets a valid session id, and finally adds the user to the group with that session id.
Note : Quickblox allows user to login in multiple devices at a time that means it entertains multiple valid session id for user.
Hope I made my point clear :) Happy coding.
I registered a Twitter API app, and it works fine. I have just one little problem: I can't remember what Twitter account I was logged into when I created it.
I tried to re-register the same app in another Twitter account, but Twitter seems to be rejecting it because the "Application Website" is already used, and Twitter won't let me leave that field blank.
Any idea how I can find out what Twitter account I was in when I registered the app?
Thanks in advance,
John
For single-user use cases, if you look at the value of the OAuth access token, it will have the form:
nnnnnnn-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
where n is a decimal number, and x is a base64-encoded character. The decimal portion of the access token, up to the hyphen, is the Twitter user ID that the app was registered under. To get the actual user info, run the following query (substituting the number from your access token for the nnnnnnnnn below.)
http://api.twitter.com/1/users/show.xml?user_id=nnnnnnnnn
This may hold in multiple user scenarios as well.