Posts posted by Johno2518

  1. 16 hours ago, Stuart Silvester said:

    I'm afraid there isn't, you would need to use the Authorization Code flow to use MFA.

    Hmm ok, I might need to switch to another Identity platform as this will provide greater flexibility (and the ability to use the device code grant type if needed).

    16 hours ago, Stuart Silvester said:

    You should see both, the table has a filter at the top to switch between the types.

    I've got the All tab selected and only failures (401s) showing.

    [screenshot]

    16 hours ago, Stuart Silvester said:

    These will always be available on the /core/me endpoint, but they're not generally available in the member object anywhere else. -- These can be considered 'sensitive' because they are related to the anonymous sign in functionality, if they were to be available it could leak information about when the user was anonymously active.

    So the /core/me endpoint should have the tooltip removed in that case and left on for /core/members for lastVisit and lastPost properties. As for secondary groups, might be helpful to add another API permission e.g. /core/me/secondarygroups and when enabled, allows all groups to be retrieved for the logged in user when calling /core/me endpoint otherwise the tooltip for secondary groups makes no sense as you'd need a user token to retrieve user ID from /core/me API Endpoint and then an API Key or Client Credentials token to then call /core/members/<id> just to retrieve secondary groups for that user which seems unnecessary.
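The answer above is that MFA is enforced inside Invision Community's interactive login, so a client that needs MFA has to send the user through the Authorization Code flow instead of posting credentials with the password grant. The sketch below is an added illustration, not IPS code: a PHP client generating a PKCE verifier/challenge, building the authorize redirect and exchanging the returned code for a token. The /oauth/authorize/ and /oauth/token/ paths, the client id, the redirect URI and the helper names are assumptions and placeholders, not values taken from the thread.

```php
<?php
// Added example: Authorization Code flow with PKCE (RFC 7636) for a public client.
// Not IPS code; endpoint paths, client id and redirect URI are assumed placeholders.

/** Base64url without padding, as PKCE requires. */
function b64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/** Generate a code_verifier and its S256 code_challenge. */
function pkcePair(): array
{
    $verifier = b64url(random_bytes(32));                  // 43 chars of high entropy
    $challenge = b64url(hash('sha256', $verifier, true));  // S256 method
    return [$verifier, $challenge];
}

/** URL the user's browser is sent to; MFA is prompted by the server's own login page. */
function authorizeUrl(string $base, string $clientId, string $redirectUri, string $scope, string $state, string $challenge): string
{
    return $base . '/oauth/authorize/?' . http_build_query([
        'response_type' => 'code', 'client_id' => $clientId, 'redirect_uri' => $redirectUri,
        'scope' => $scope, 'state' => $state,
        'code_challenge' => $challenge, 'code_challenge_method' => 'S256',
    ]);
}

/** Exchange the returned code for tokens; the verifier proves this client started the flow. */
function exchangeCode(string $base, string $clientId, string $redirectUri, string $code, string $verifier): array
{
    $ch = curl_init($base . '/oauth/token/');
    curl_setopt_array($ch, [
        CURLOPT_POST => true, CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS => http_build_query([
            'grant_type' => 'authorization_code', 'client_id' => $clientId,
            'redirect_uri' => $redirectUri, 'code' => $code, 'code_verifier' => $verifier,
        ]),
    ]);
    $body = curl_exec($ch);
    if ($body === false) { throw new RuntimeException(curl_error($ch)); }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Usage sketch (placeholders): keep $verifier and $state, open $url in the browser, and on
// the redirect back compare the returned state with $state before calling exchangeCode().
[$verifier, $challenge] = pkcePair();
$state = b64url(random_bytes(16));
$url = authorizeUrl('https://community.example', 'CLIENT_ID', 'http://127.0.0.1:8765/cb', 'profile email', $state, $challenge);
echo $url, PHP_EOL;
```

For a desktop app the redirect URI is typically a loopback listener as in the placeholder above, so the browser step happens once and the app never handles the user's password or MFA code itself.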

  2. 40 minutes ago, Stuart Silvester said:

    The OAuth 2 spec does not have an MFA grant type, Auth0 however looks like it does have a custom one. We follow the standard OAuth 2.0 specification with our implementation. If you enable MFA in Invision Community, it will prompt the user during the login process.

    Ok great, is there an IPS URI and set of parameters that I can call externally (as I'm using Password grant type)?

    43 minutes ago, Stuart Silvester said:

    It logs the requests to AdminCP > Rest & OAuth > API logs. It can be useful for debugging and development.

    That's what I thought but I'm only seeing failed requests, no successful attempts. Is this normal?

    44 minutes ago, Stuart Silvester said:

    The /me endpoint is special too, the 'email' information within it is controlled by the 'email' scope that the user accepts when initially logging in. This is the only member object that will contain an email address when using OAuth.

    What about lastVisit and lastPost? They have the same protection (according to the icon/tip) as secondary groups but are coming through in the API response.

    45 minutes ago, Stuart Silvester said:

    This does appear to be a bug, we'll get this addressed.

    Great!

  3. Back on the secondary groups issue, I can see lastVisit and lastPost have the same caveat as secondary groups but that data is being presented when accessing /api/core/me.

    Can someone let me know whether not providing secondary groups via /api/core/me is a bug, or whether providing lastVisit and lastPost via that same endpoint is the bug?

  4. @Marc Stridgen have the developers come back to you regarding MFA for an OAUTH Client?

    When a user is authenticating from my custom application as an IPS OAUTH Client - I would like to be able to force MFA and call something in IPS to do it (I'm not a PHP guy so reading the IPS code for handling MFA is not so straight forward).

    It might be worth adding device code as an available grant type as well.

  5. While waiting to hear back from the developers - is anyone able to tell me what enabling the Log permission does?

    Also, I'm now trying to make use of more API endpoints and this one is a little odd. The message for the "me" endpoint shows:

    [screenshot]

    However, hovering over secondary groups displays this message:

    [screenshot]

    This is confusing because on one hand we can't use API Grant key or client credentials grant type to access the endpoint but in order to retrieve secondary groups we need to? Also, why is secondary groups treated as confidential vs primary group? An end user should be able to access all their profile information so not sure why secondary groups are special.

    Interestingly the email address is coming through in my request but not secondary groups. I have added permissions for me/email (which seems counterintuitive since the email is included in profile information).

    Can anyone shed light on these odd messages and inconsistencies in responses for that endpoint?

  6. Hmm so looking at login.php under path applications\core\modules\admin\system I found the highlighted bit of code below. This assumes successful authentication/authorisation. After a bit of digging it seems the password grant type is deemed legacy and doesn't support MFA. Shame because I want to avoid a web based login page and redirection in my app when using the authorization code grant type.

    What have others used? Architecture is a desktop app talking to a web api which would in turn talk to IPS. There are other microservices running (either as web api or constantly running services) which will talk to the web api that handles authentication/authorisation to validate the token before performing the action requested by the desktop app.

    [screenshot]

  7. Hi,

    Just wondering if anyone knows how to enforce the MFA grant type for an OAUTH Client? Currently the grant type requested on the client is password. Theoretically, since I set up MFA for all users, I assumed it would be implicit (and I should get an error response saying MFA Required according to the spec) on OAUTH clients, but it doesn't seem to be the case as it provides me an access token etc.

    This is what I currently have enabled.

    [screenshot]

    Also one other question, does anyone know what the "log" permission does when enabled on the scope?

    [screenshot]

    I feel like there needs to be more in the documentation regarding OAUTH in IPS as I can't seem to find much detail at all.

  8. Hi Lindy,

    Please see reply in ticket, this does not negate the requirement for Transport encryption which is also lightly touched on by

    Anyone who packet inspects the data over that network will be able to view all content in clear text. In AWS land this is the VPC, someone can packet inspect traffic and firewall rules will not prevent this.

    I look forward to seeing how Invision will address this vulnerability.

    I've enjoyed the conversations as it's great to see different aspects of the designs/implementations of the software.

  9. Hi,

    I have split my IPS Web App and Database server and they are hosted separately (Azure Web Apps hosting the IPS app and Azure Database for MySQL). Given that data can be captured over the wire in clear text, leading to security vulnerabilities (note that blocking port 3306 will not prevent someone sniffing traffic and seeing the data in clear text). The services are hosted in the same datacentre, however this will not hide/fix the issue. Only hosting the web app and DB on the same server would prevent this issue.

    Can you please enable an option in conf_global.php to enable IPS to initiate a secure connection to the database. Not sure what function is in use, however if using the PHP MySQL_connect function, the last parameter, client_flags, needs to be set to MYSQL_CLIENT_SSL.

    However this gets implemented, I think it's a critical setting required for a modern microservices design.

    Thanks

    Jonathon
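Posts 8 and 9 ask for IPS to initiate a TLS connection to MySQL so that traffic between the web app and the database server cannot be read on the wire. As an added illustration (not IPS code, and not a conf_global.php option; the helper names, host, credentials and CA bundle path are assumptions), this is how a PHP application does that with mysqli while verifying the server certificate and then confirming the session is actually encrypted rather than trusting the flag alone:

```php
<?php
// Added example: require a TLS-protected MySQL connection from PHP with mysqli and verify
// that it really is encrypted. Not IPS code; host, credentials and CA path are placeholders.

/** Connect with TLS required and the server certificate checked against a CA bundle. */
function connectMysqlTls(string $host, string $user, string $pass, string $db, string $caFile): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any failure

    $conn = mysqli_init();
    // Client key/cert are null: server authentication only, no mutual TLS.
    $conn->ssl_set(null, null, $caFile, null, null);
    // Fail the handshake if the server certificate does not chain to $caFile.
    $conn->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    // MYSQLI_CLIENT_SSL requests TLS. Some older client libraries still accepted a
    // server that offered no TLS, so the result is checked explicitly below.
    $conn->real_connect($host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL);

    if (sslCipher($conn) === '') {
        $conn->close();
        throw new RuntimeException('MySQL session is not encrypted; refusing to continue');
    }
    return $conn;
}

/** Cipher negotiated for this session; an empty string means plaintext. */
function sslCipher(mysqli $conn): string
{
    $row = $conn->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    return (string) ($row['Value'] ?? '');
}

// Placeholder values: replace with the real DB host, credentials and CA bundle path.
$conn = connectMysqlTls('db.example.internal', 'ips_user', 'PLACEHOLDER', 'ips', '/etc/ssl/certs/db-ca.pem');
echo 'Connected; cipher in use: ', sslCipher($conn), PHP_EOL;
```

The same `SHOW SESSION STATUS LIKE 'Ssl_cipher'` check run from the MySQL client shows what an existing application connection negotiated, and on the server side MySQL 5.7.8+ can set `require_secure_transport=ON` to reject plaintext clients outright regardless of what the application requests.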
