Please, tell me how to check users' MFA status in Active Directory via Graph API?
As mentioned in the above comments there is no API as of now to directly check the MFA status, but you can raise a feature request for the same here.
but if you want to check the MFS status using azure portal:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#view-the-status-for-a-user
Related
I have endpoints coded in Nodejs... I use the following codes to keep them safe...
const corsOption = {
origin: ['https://www.mywebsite.com'],
};
app.use(cors(corsOption));
if (host !== "myendpoint.com") {
return res.status(403).json({ message: "forbidden access" });
}
will these keep my endpoints safe... or do I have to do anything more for my endpoints to keep them safe... I don't want bots or anyone else to use it... I know that they are public but I want to restrict access... pls, any help or suggestion ???
thank you
To be sure you can control who can access your endpoint, you can setup a token authentication.
When you send a request to your endpoint, the header should include:
Authorization: Token {your token}
And in your endpoint, you can check if the token is authorized or not (by storing authorized token in a database). If the token is not recognized, you can send back a 403 error.
If your website accesses your endpoints, this means that any browser that can display your website must also be able to access your endpoints. Requests are not made by your website, they are made by browsers visiting your website.
You must first ask how much you want to restrict access:
Restrict to individual known users to whom you send a password via mail, which they must then type into your website ("log on") before they can make any requests to your endpoints.
Restrict to users who have self-registered. Can anyone in the world then self-register, or do you demand confirmation via an email address?
Restrict to users who can log on with their Google (or Facebook, or ...) account.
Zain_Ul_Din's answer shows details of a possible implementation for the "self-registration" case. See also What's the best way to add social login (Sign in with Google) to existing email/password app and database?
you can implement user authentication and authorization in your Node js app to restrict access.
for this you can use the jsonwebtoken npm package.
Look up John Smilga's node and express projects on google for a 10hr video including 4 projects. One of the projects introduces JSON web tokens and how to use them.I highly recommend that.
You can also use the express-rate-limit package. With this you should be able to 'limit' how many requests a user can make to your API endpoints within a set amount of time. If the requests exceed that limit then this middleware steps in and stops further access (Haven't tested it in production myself but looks good)
i setup rules to limit user access like this:
.write": "auth != null && !root.child('blockedUsers').hasChild(auth.uid)",
The problem is, i dont know how to use it on the client side. I am assuming this is duplicate question, but i cant find anything on actual usage of the limited user access.
When user tries to create comment for example, i get an error that permission is denied. Thats desired result, problem is how do i check for the user write permission on the client ?
I was hoping for something like user.canWrite or something along those lines. All i am doing right now is just check if user was authenticated, which he was and there is no mention of read/write access rules in the user object as far as i can tell.
if (this.props.user) {
firebase.database().ref(`comments/${key}/rating`)
.transaction(
(value) => (value += rateValue)
)}
Thanks for any help.
By writing you rule you are setting an authorization to authenticated users to write to the specific node of your database.
Therefore, in the client, you only need to insure that your user is authenticated. This should be done through Firebase Authentication. See the doc for the web here: https://firebase.google.com/docs/auth/web/start
In case the user cannot write to this specific node (either because he/she is not authenticated or because his/her uid is listed under the blockedUsers) he/she will receive an error in the front-end.
Update following our comments below:
If you want to be able "to modify the client UI based on the user's role or access level" you should use another mechanism for setting up the authorization: Custom Claims. See the doc here: https://firebase.google.com/docs/auth/admin/custom-claims.
In this case, in the security rule, you would not check if there is a record under the 'blockedUsers' node but you would check the Claims attached to the token, as explained in the documentation.
I am trying to read reactions on a post using the following graph-api call:
FB.options({version: 'v2.12'});
FB.setAccessToken('EAACEdE7w4Fp85PlhH0NYpZBddHyqkx6XXXX')
FB.api('/765898450131958_1518951084826687/insights?metric=page_actions_post_reactions_wow_total', (res) => {
console.log(res)
});
But I always receive an empty data list. What could be the reason for this? For reference I am using FB module to connect to graph-api.
The acces token I am using is my page-access token
In my case, the facebook app instance wasn't set to live. Once the facebook app instance is live, data array returns user info list with id and name . You can check that out in App Review Settings
Click your app instance -> Go To "App Review" -> Click "My Permissions & Requests".
You will see that there are two approved items. I think these are added or granted by default. But if your app is not live, the two permissions will not be active. That includes basic user information like name and profile picture.
TL;DR - Check if your app is live and also make sure that you are using Page Access Token rather than User Access Token.
From official Facebook API documentation:
On February 5th, 2018, User information will not be included in responses unless you make the request with a Page access token. This only applies to Comments on Pages and Posts on Pages.
https://developers.facebook.com/docs/graph-api/reference/v2.12/object/reactions
I have created one user pool & identity pool.
I have used javascript sdk.
I am able to signup, send confirmation code & confirm user successfully with javascript sdk.
But when i try to sign in user with authenticate method & try to get credentials with "CognitoIdentityCredentials" by passing idToken with below code
logins[cognitoEndpoint + "/" + userPoolId] = jwtToken;
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: identityPoolId,
Logins: logins
});
it's giving me below error
Error: Invalid identity pool configuration. Check assigned IAM roles for this pool.
at Request.extractError (aws-sdk.js:104063)
at Request.callListeners (aws-sdk.js:106060)
at Request.emit (aws-sdk.js:106034)
at Request.emit (aws-sdk.js:105121)
at Request.transition (aws-sdk.js:104843)
at AcceptorStateMachine.runTo (aws-sdk.js:108480)
at aws-sdk.js:108492
at Request.<anonymous> (aws-sdk.js:104859)
at Request.<anonymous> (aws-sdk.js:105123)
at Request.callListeners (aws-sdk.js:106070)
I have given administrator access to "Unauthenticated role" & "Unauthenticated role" of identity pool and to user whose credentials i am using.
I am new to aws. Can anyone tell me what am i missing?
Any help would be appreciated.
Check that the role you have assigned in Cognito Identity Pools (Federated Identities), has a trust relationship with the identity pool.
Get the identity pool ID + the name of the role that isn't working. To do this:
Go to Cognito
Select Manage Federated Identities
Select the identity pool
Click Edit identity pool (top right)
Make a note of the identity pool ID
Make a note of the name of the role that isn't working (e.g. Cognito_blahUnauth_Role
In IAM, check the trust relationship for the role. Ensure that the StringEquals condition value matches the identity pool ID.
To do this:
Go to IAM
Click Roles
Click the name of the role that you noted previously
Click Trust relationships
On the right under Conditions, check the StringEquals condition contains the identity pool Id that you noted previously.
Edit the trust relationship to fix.
What you're trying to access here are "Cognito Federated Identity" credentials, which is a separate AWS product to "Cognito User Pools". In-order to retrieve these credentials, you need to connect your User Pool to your Federated Identity Pool.
Perhaps this link will help: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html
Also, I would remove admin access from Unauthenticated permissions, it means anyone with your details has control of your AWS account.
When you create role in IAM and choose identity provider, make sure you don't choose user pool id, instead, you have to choose identity pool id.
If you are using OpenID, disable attributes for access control and error will be gone
I had this issue when I manually added additional roles in Cognito to the already existing. (previously created with amplify CLI)
TLDR: Don't manually create groups and roles if you're going to be using them for Amplify.
My accounts which had this error included the following attributes in that JWT. (you can go to jwt.io and see your attributes)
"cognito:roles": [
"arn:aws:iam::*ACCOUNT_ID*:role/*THE_ROLE*"
],
"cognito:preferred_role": "arn:aws:iam::*ACCOUNT_ID*:role/*THE_ROLE*",
Then I found these roles and I tried to verify if they have correct conditions attached to them:
"Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-west-2:<COGNITO_IDENTITY_POOL_ID>" }, "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" } }
After a few hours of verifing the roles, configuring them it started finally working.
Lessons learned: It's possible to fix them manually too.
Then I manually deleted the groups in Cognito I've created along with the roles associated with them and then recreated it via the Amplify CLI from scratch. It worked like a charm. Apart from that in this way Amplify will maintains them, when I change configs etc.
I had this error working with amplify. I noticed that the error appeared after I created Cognito User Roles from amplify cli. What I did was, delete these roles from CLI and create again from AWS Console and it worked fine!
I have a simple application that I'm hosting on bluemix.
I have set up a Single Sign On service for my application and paired it with facebook. I can successfully log in using the SSO service from bluemix and then I want to check that status of my login (I am logged in or not).
function CheckStatus(){
console.log("I'm trying to check the status");
FB.getLoginStatus(function(response) {
console.log("Here is the status response:");
console.log(response.status);
});
}
I trigger this piece of code with a simple button defined before. Whenever I click the code I get the following error:
Given URL is not permitted by the application configuration.: One or more of the given URLs is not allowed by the App's settings. It
must match the Website URL or Canvas URL, or the domain must be a
subdomain of one of the App's domains.
I had a look at a number of posts on stackoverflow about this and none of them seem to work. My understanding is that there is something wrong with the configuration of my application but I can't figure out what.
Below is my configuration:
And this is the url my application is trying to reach when I try to get my login status:
https://www.facebook.com/connect/ping?client_id=913147408730179&domain=fncsecuritydemo.mybluemix.net&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter%2FrFG58m7xAig.js%3Fversion%3D41%23cb%3Df29b5c6b3%26domain%3Dfncsecuritydemo.mybluemix.net%26origin%3Dhttp%253A%252F%252Ffncsecuritydemo.mybluemix.net%252Ff21657f8dc%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey
I am out of ideas about what I should be trying next. Any help is very much apreaciated. Let me know if you need more info.
The answer for this error lies in the Valid OAuth redirect URIs that fall under the Advanced tab from settings.
While setting up the application profile on facebook I have set the Valid OAuth redirect URIs to an URL generated by bluemix.
In order to received response on my application I had to add my app url in there as well. Rookie mistake.