
Johno2518's Achievements

  1. Hmm, ok. I might need to switch to another identity platform, as this will provide greater flexibility (and the ability to use the device code grant type if needed). I've got the All tab selected and only failures (401s) showing. So the /core/me endpoint should have the tooltip removed in that case and left on for /core/members for the lastVisit and lastPost properties. As for secondary groups, it might be helpful to add another API permission, e.g. /core/me/secondarygroups, which when enabled allows all groups to be retrieved for the logged-in user when calling the /core/me endpoint. Otherwise the tooltip for secondary groups makes no sense, as you'd need a user token to retrieve the user ID from the /core/me API endpoint and then an API key or client credentials token to call /core/members/<id> just to retrieve secondary groups for that user, which seems unnecessary.
  2. Ok great, is there an IPS URI and set of parameters that I can call externally (as I'm using the Password grant type)? That's what I thought, but I'm only seeing failed requests, no successful attempts. Is this normal? What about lastVisit and lastPost? They have the same protection (according to the icon/tip) as secondary groups but are coming through in the API response. Great!
  3. Found another bug: I don't see the below options unless I enable the Authorization Code grant type. De-selecting that grant type makes the below options disappear even though they are relevant for Resource Owner, which I still have enabled.
  4. Back on the secondary groups issue, I can see lastVisit and lastPost have the same caveat as secondary groups, but that data is being presented when accessing /api/core/me. Can someone let me know: is not providing secondary groups via /api/core/me a bug, or is providing lastVisit and lastPost via that same endpoint a bug?
  5. @Marc Stridgen, have the developers come back to you regarding MFA for an OAuth client? When a user is authenticating from my custom application as an IPS OAuth client, I would like to be able to force MFA and call something in IPS to do it (I'm not a PHP guy, so reading the IPS code for handling MFA is not so straightforward). It might be worth adding device code as an available grant type as well.
  6. While waiting to hear back from the developers: is anyone able to tell me what enabling the Log permission does? Also, I'm now trying to make use of more API endpoints and this one is a little odd. The message for the "me" endpoint shows: However, hovering over secondary groups displays this message: This is confusing because on one hand we can't use an API grant key or client credentials grant type to access the endpoint, but in order to retrieve secondary groups we need to? Also, why are secondary groups treated as confidential vs the primary group? An end user should be able to access all their profile information, so I'm not sure why secondary groups are special. Interestingly, the email address is coming through in my request but not secondary groups. I have added permissions for me/email (which seems counterintuitive since the email is included in profile information). Can anyone shed light on these odd messages and inconsistencies in responses for that endpoint?
  7. Hi Marc, thanks! It might be good to add device code as a grant type. I could potentially be happy telling a user to jump onto my web site (IPS) to authenticate and type the code shown in my custom app. If not, I may need to force MFA the same way IPS does it currently.
  8. Hmm, so looking at login.php under the path applications\core\modules\admin\system I found the highlighted bit of code below. This assumes successful authentication/authorisation. After a bit of digging it seems the password grant type is deemed legacy and doesn't support MFA. Shame, because I want to avoid a web-based login page and redirection in my app when using the authorization code grant type. What have others used? Architecture is a desktop app talking to a web API, which would in turn talk to IPS. There are other microservices running (either as web APIs or constantly running services) which will talk to the web API that handles authentication/authorisation to validate the token before performing the action requested by the desktop app.
  9. Hi, just wondering if anyone knows how to enforce the MFA grant type for an OAuth client? Currently the grant type requested on the client is password. Theoretically, since I set up MFA for all users, I assumed it would be implicit (and I should get an error response saying MFA Required according to the spec) on OAuth clients, but it doesn't seem to be the case as it provides me an access token etc. This is what I currently have enabled. Also one other question: does anyone know what the "log" permission does when enabled on the scope? I feel like there needs to be more in the documentation regarding OAuth in IPS, as I can't seem to find much detail at all.
  10. Hi Lindy, please see my reply in the ticket. This does not negate the requirement for transport encryption, which is also lightly touched on by Anyone who packet inspects the data over that network will be able to view all content in clear text. In AWS land this is the VPC; someone can packet inspect traffic and firewall rules will not prevent this. I look forward to seeing how Invision will address this vulnerability. I've enjoyed the conversations, as it's great to see different aspects of the designs/implementations of the software.
  11. Hi, I have split my IPS web app and database server and they are hosted separately (Azure Web Apps hosting the IPS app and Azure Database for MySQL). Given that data can be captured over the wire in clear text, this leads to security vulnerabilities (note that blocking port 3306 will not prevent someone sniffing traffic and seeing the data in clear text). The services are hosted in the same datacentre; however, this will not hide/fix the issue. Only hosting the web app and DB on the same server would prevent this issue. Can you please enable an option in conf_global.php to allow IPS to initiate a secure connection to the database? Not sure what function is in use; however, if using the PHP MySQL_connect function, the last parameter, client_flags, needs to be set to MYSQL_CLIENT_SSL. However this gets implemented, I think it's a critical setting required for a modern microservices design. Thanks, Jonathon