Hi Sameera,

Looks like the business case has a security issue. You create a rogue user in a federated IdP (e.g. Facebook), add the email claim, and then you can log in to your system.

Cheers,
Ruwan A

On Tue, Oct 22, 2019 at 10:26 AM Sameera Wickramasekara <[email protected]> wrote:

> Hi Ashen,
>
> Thanks for the explanation. However, in this case, the user is already present in the userstore under a different user id (uuid is used as the identifier), and during the adaptive authentication process it must identify whether the user currently logging in is already present in the userstore. The email claim acts as the unique identifier in this case. For example, if the email of the currently authenticating user is present in another user's email claim, we should identify it as the same user and retrieve that user's roles. I hope I am clear about my requirements. :)
>
> Anyways, I was able to retrieve the current user from the userstore using the *getUniqueUserWithClaimValues* method [1] and then retrieve the roles of that user successfully. The issue is solved now.
>
> [1] - https://github.com/wso2-extensions/identity-conditional-auth-functions/pull/43
>
> Thanks,
> Sameera
>
> On Fri, Oct 18, 2019 at 8:04 PM Ashen Weerathunga <[email protected]> wrote:
>
>> Hi Sameera,
>>
>> On Thu, Oct 17, 2019 at 8:04 PM Sameera Wickramasekara <[email protected]> wrote:
>>
>>> Hi Devs,
>>>
>>> I am looking for a way to get the roles of a user in an adaptive authentication script in *IS 5.8.0* in the following special scenario.
>>>
>>> - The user authenticates through GitHub federated IDP.
>>> - The user can be already present in the user store, registered from another means.
>>> - The email attribute will be used as the unique identifier (common attribute) to associate the user.
>>>
>>> The requirement is to check if the user currently authenticating through GitHub already exists in the userstore with the same email address and, if present, retrieve the list of roles for that user. Currently we can retrieve the roles of the logging-in user, but it does not address the above scenario because AFAIU user association happens after the adaptive authentication process.
>>
>> Yes, the user association happens during the post-authentication process. When you have enabled JIT provisioning for the GitHub federated IDP, during the 1st login it will create a new user in the local user store with the same username (email) and then it will associate the authenticated federated user with the local user.
>>
>> When you try to do a role comparison during the authentication process via an adaptive authentication function (e.g. hasAnyOfTheRoles()), it will retrieve the roles of the local user. Therefore in your case, if the user is already created in the local userstore, you should be able to check the roles of the existing local user during the adaptive authentication process. That way you should be able to achieve your requirement AFAIU.
>>
>> Thanks,
>> Ashen
>>
>>> I have gone through resources [1] and skimmed through [2]. Appreciate it if you could provide any insight into a solution.
>>>
>>> [1] - https://docs.wso2.com/display/IS580/Adaptive+Authentication+JS+API+Reference#AdaptiveAuthenticationJSAPIReference-contextObject
>>> [2] - https://github.com/wso2-extensions/identity-conditional-auth-functions/tree/master/components/org.wso2.carbon.identity.conditional.auth.functions.user/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/user
>>>
>>> Thanks,
>>> Sameera
>>>
>>> --
>>> *Sameera Wickramasekara*
>>> Senior Software Engineer
>>> WSO2
>>> lean . enterprise . middleware
>>> Mobile : +94(0) 714652035
>>> <https://wso2.com/signature>
>>
>> --
>> Ashen Weerathunga | Senior Software Engineer | WSO2 Inc.
>> (m) +94716042995 | (w) +94112145345 | Email: [email protected]
>> <http://wso2.com/signature>
>
> --
> *Sameera Wickramasekara*
> Senior Software Engineer
> WSO2
> lean . enterprise . middleware
> Mobile : +94(0) 714652035
> <https://wso2.com/signature>

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
