By: Master Kumar user 25 Aug 2018 at 1:14 p.m. CDT

14 Responses
I am using Gluu Server 3.1.3 on CentOS and enabled SCIM. After that I enabled the default custom script under User Registration. Now on creating a user I was trying to check whether all the functions/methods within the custom script are getting called, but observed that only the init and destroy functions/methods are getting called when we click on Add Person in the admin UI. So I am not sure what we are missing, as we wanted to know when the preRegistration and postRegistration functions/methods get called. I wanted to perform some action after successful registration in postRegistration, like redirecting to a different page or sending an email, and in preRegistration I wanted to do some validation. I am also planning to see if multi-tenant can be achieved. Do let me know how to fix this issue.

By Jose Gonzalez staff 27 Aug 2018 at 10:28 a.m. CDT

Hi,

The user registration script is used in the scenario in which you allow your installation to perform self-registration. If you want to attach custom logic when an addition or edit takes place in oxTrust, the script you have to tweak is the one appearing in the "update user" tab. It provides you with:

- updateUser
- postUpdateUser
- addUser
- postAddUser
- deleteUser
- postDeleteUser

This is not related to SCIM, by the way. If you want to intercept SCIM API calls, there is a different tab where you can plug in your custom logic.

By Master Kumar user 28 Aug 2018 at 7 a.m. CDT

When we are adding a user using Add Person from the Gluu Server or calling the API (https://test.testmydom.com/identity/restv1/scim/v2/Users) we get the below error in oxtrust.log:

```
2018-08-28 04:13:09,065 ERROR [qtp1744347043-298064] [org.gluu.oxtrust.ldap.service.AttributeService] (AttributeService.java:558) - Failed to find attribute 'oxTrustEmail' metadata
```

In both cases we have enabled the custom script under Configuration -> Manage Custom Scripts -> User Registration -> user_confirm_registration. I noticed that the print statements in the init and destroy methods are getting invoked, and thought that the postRegistration/preRegistration methods would get called at some point during or after registration, but that is not happening. As you said, I did try the self registration as well, using the URL https://test.testmydom.com/identity/register. I have also enabled the script in the SCIM tab, but still I am not able to see the print statements in the logs. So can you please guide me on what is missing to address my requirement?

By Jose Gonzalez staff 28 Aug 2018 at 8:01 a.m. CDT

> getting the below error in oxtrust.log

Can you attach a bigger section of your log? I need more context. Please set your oxTrust log level to TRACE, do a user insertion using the SCIM API, and send oxtrust.log and oxtrust_script.log. To change the log level go to "Configuration" > "JSON configuration" > "oxtrust config" and search for log level. Then wait 1 min. Also, can you clarify whether, despite the error being shown, the operation completes successfully? Are users actually added?

By Master Kumar user 29 Aug 2018 at 5:22 a.m. CDT

Yes, I have set the log level to ALL and still was not able to see the messages from the print statements in the logs; only after that did I ask the question earlier. Yes, the operation is getting completed successfully and the user is getting added irrespective of whether the SCIM custom script is in the disabled or enabled state.

By Jose Gonzalez staff 29 Aug 2018 at 7:55 a.m. CDT

> do a user insertion using SCIM API, and send oxtrust.log and oxtrust_script.log.

I'd like to have those.

By Master Kumar user 29 Aug 2018 at 11:49 a.m. CDT

Here is what I see in the logs:

```
2018-08-29 09:47:12,086 INFO [oxTrustScheduler_Worker-4] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User registration. Initialization
2018-08-29 09:47:12,087 INFO [oxTrustScheduler_Worker-4] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User registration. Initialized successfully
2018-08-29 11:20:30,784 INFO [qtp1744347043-831] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - ScimEventHandler (createUser): Current id = kavya
2018-08-29 11:20:30,785 INFO [qtp1744347043-831] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - ScimEventHandler (createUser): testProp1 = Test value 1
2018-08-29 11:20:30,786 INFO [qtp1744347043-831] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - ScimEventHandler (createUser): testProp2 = Test value 2
2018-08-29 14:11:04,179 INFO [ForkJoinPool.commonPool-worker-1] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User registration. Initialization
2018-08-29 14:11:04,181 INFO [ForkJoinPool.commonPool-worker-1] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User registration. Initialized successfully
2018-08-29 14:11:04,237 INFO [ForkJoinPool.commonPool-worker-1] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - ScimEventHandler (init): Initialized successfully
2018-08-29 14:11:04,336 INFO [ForkJoinPool.commonPool-worker-1] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User registration. Initialization
2018-08-29 14:11:04,336 INFO [ForkJoinPool.commonPool-worker-1] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User registration. Initialized successfully
```

By Jose Gonzalez staff 29 Aug 2018 at 5:13 p.m. CDT

I am not sure if I really understand your goals:

> still was not able to see the messages in print statements in the logs

I can see them:

```
INFO [qtp1744347043-831] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - ScimEventHandler (createUser): testProp1 = Test value 1
2018-08-29 11:20:30,786 INFO [qtp1744347043-831] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - ScimEventHandler (createUser): testProp2 = Test value 2
2018-08-29 14:11:04,179
```

The `createUser` function of the SCIM script is actually being called as expected. The user registration script has nothing to do with the SCIM API calls.

By Master Kumar user 30 Aug 2018 at 12:20 p.m. CDT

Yes, the createUser is getting called as you said. But I wanted to know when the post and pre methods will get called. As I wanted to send an email after the user is created successfully, I wrote the code for the send-email functionality in the postCreateUser method and then created the user. The user got created successfully, but the postCreateUser method did get called. So can you please let me know how to achieve what is required?

By Jose Gonzalez staff 30 Aug 2018 at 2:07 p.m. CDT

Hi Sam,

As you wrote above, it sounded like both the createUser and postCreateUser methods were actually called... createUser is the *pre* method, *postCreateUser* is the post one... Please check the `getApiVersion` method; I think there is a comment there stating that you should return 2 if you want the *post* methods to get called. When returning 1 only the *pre* ones count.

Hope this helps.

By Master Kumar user 30 Aug 2018 at 9:32 p.m. CDT

Yes, I have set the return value to 2 in getApiVersion already and even then postCreateUser is not getting called. Nor is preCreateUser getting called if the return value is 1 in getApiVersion. For your reference, here is the scim_event_handler script:

```python
from org.xdi.model.custom.script.type.scim import ScimType
from org.xdi.util import StringHelper, ArrayHelper
from java.util import Arrays, ArrayList
from org.gluu.oxtrust.ldap.service import PersonService
from org.xdi.service.cdi.util import CdiUtil
from org.gluu.oxtrust.model import GluuCustomPerson
import java


class ScimEventHandler(ScimType):
    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis

    def init(self, configurationAttributes):
        print "ScimEventHandler (init): Initialized successfully"
        return True

    def destroy(self, configurationAttributes):
        print "ScimEventHandler (destroy): Destroyed successfully"
        return True

    def getApiVersion(self):
        # return 2 if you want the post* scripts being executed
        return 2

    # pre* hooks: run before oxTrust persists the change
    def createUser(self, user, configurationAttributes):
        print "ScimEventHandler (createUser): Current id = " + user.getUid()
        testProp1 = configurationAttributes.get("testProp1").getValue2()
        testProp2 = configurationAttributes.get("testProp2").getValue2()
        print "ScimEventHandler (createUser): testProp1 = " + testProp1
        print "ScimEventHandler (createUser): testProp2 = " + testProp2
        return True

    def updateUser(self, user, configurationAttributes):
        # Look up the stored entry so old and new values can be compared
        personService = CdiUtil.bean(PersonService)
        oldUser = personService.getPersonByUid(user.getUid())
        print "ScimEventHandler (updateUser): Old displayName %s" % oldUser.getDisplayName()
        print "ScimEventHandler (updateUser): New displayName " + user.getDisplayName()
        return True

    def deleteUser(self, user, configurationAttributes):
        print "ScimEventHandler (deleteUser): Current id = " + user.getUid()
        return True

    def createGroup(self, group, configurationAttributes):
        print "ScimEventHandler (createGroup): Current displayName = " + group.getDisplayName()
        return True

    def updateGroup(self, group, configurationAttributes):
        print "ScimEventHandler (updateGroup): Current displayName = " + group.getDisplayName()
        return True

    def deleteGroup(self, group, configurationAttributes):
        print "ScimEventHandler (deleteGroup): Current displayName = " + group.getDisplayName()
        return True

    # post* hooks: only invoked when getApiVersion returns 2
    def postCreateUser(self, user, configurationAttributes):
        print "Inside postCreateUser Method"
        return True

    def postUpdateUser(self, user, configurationAttributes):
        return True

    def postDeleteUser(self, user, configurationAttributes):
        return True

    def postUpdateGroup(self, group, configurationAttributes):
        return True

    def postCreateGroup(self, group, configurationAttributes):
        return True

    def postDeleteGroup(self, group, configurationAttributes):
        return True
```

Can you please look into it and let me know.

By Master Kumar user 31 Aug 2018 at 7:56 a.m. CDT

Now email is working fine and it is being sent after creating the user. In the email I want to send an activation link so that when the user accesses that link the user is activated. After the user gets activated, they should be able to log in using the registered credentials. Is there any API for login? Please do let me know how we can do these two things.

By Master Kumar user 04 Sep 2018 at 7:03 a.m. CDT

Can you please share the information so that I am able to proceed?

By Jose Gonzalez staff 04 Sep 2018 at 8:05 a.m. CDT

Hi Sam,

Here is a summary of steps to perform in order to solve your requirements. It needs some investigation from your side, but most of that is already covered in the Gluu CE docs or in the OpenID Connect spec:

1. Ensure your activation process (triggered by a click on the email) sets the LDAP `gluuStatus` attribute of the user to `active`. This can be done via SCIM by setting the `active` property to `true` in the JSON payload: `{ ... active: true ... }`
2. Create an OpenID Connect client via oxTrust that your application will use. Use the already existing "oxTrust Admin GUI" client as a guide. Adjust the redirect URI and post-logout redirect URIs accordingly.
3. Create an OpenID authorization request from your application. This is basically a redirection you send to your user's browser. Ensure you pass the `acr` param that identifies the flow you'll create in the next step. This is what a request looks like: `https://<domain-name>/oxauth/authorize?response_type=code+...&client_id=...&scope=openid+...&redirect_uri=...&state=...&acr_values=...`
4. Create a new custom authentication flow. This is done by creating a new custom script in Python. You can do so in oxTrust too ("configuration" > "manage custom scripts").
   - Use the existing "basic" script as a guide throughout.
   - The display name you use here will be the `acr` value of the previous step.
   - Create a custom xhtml page for your script that autosubmits (that way you don't prompt for username+password). In `getPageForStep` of the script return this page name. Copy the file to `/opt/gluu/jetty/oxauth/custom/pages`.
   - In the `authenticate` routine of your script issue a call to `authenticationService.authenticate` passing the username only.

The authentication flow is triggered when the authorization request is sent and ends when the `authenticate` method is called; finally this will cause a redirection back to the application (at the redirect URI).

Some reference docs:

- OpenID spec: http://openid.net/specs/openid-connect-core-1_0.html. For simplicity you can use the "implicit flow".
- authentication scripts: https://gluu.org/docs/ce/admin-guide/custom-script/
- OpenID flows and clients: https://gluu.org/docs/ce/admin-guide/openid-connect
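The activation-link half of the steps above (the question raised in the 31 Aug post) is where the security risk sits: the link is effectively a credential, so it should be unguessable, single-use and time-limited, and the server should store only a hash of it. The following is an added example, not code from Gluu or from anyone in this thread; it runs stand-alone in Python 3. The only facts taken from the thread are the SCIM `active: true` payload and the shape of the `/oxauth/authorize` request with `acr_values` and `state`. The 24-hour TTL, the in-memory pending table and all helper names (`issue_activation_token`, `redeem_activation_token`, `activation_payload`, `build_authorization_url`, `state_matches`) are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Assumption: activation links expire after 24 hours (the thread sets no TTL).
ACTIVATION_TTL_SECONDS = 24 * 3600

# Pending activations keyed by SHA-256(token). Only the hash is stored, so a
# copy of this table cannot be used to activate accounts. In-memory for the
# example; a deployment would persist it.
_pending = {}


def issue_activation_token(uid, now=None):
    """Mint the one-time token embedded in the activation email for `uid`."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = {"uid": uid, "expires": now + ACTIVATION_TTL_SECONDS}
    return token


def redeem_activation_token(token, now=None):
    """Return the uid for a valid, unexpired token, consuming it; else None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)          # one-shot: removed on first use
    if entry is None or now > entry["expires"]:
        return None
    return entry["uid"]


def activation_payload(user_resource):
    """SCIM User JSON with `active` set to true, as the thread describes.
    Takes the user's current SCIM representation so a PUT replaces the full
    resource instead of blanking the other attributes."""
    body = dict(user_resource)
    body.setdefault("schemas", ["urn:ietf:params:scim:schemas:core:2.0:User"])
    body["active"] = True
    return json.dumps(body)


def build_authorization_url(domain, client_id, redirect_uri, acr, state):
    """Authorization request in the shape quoted in the thread; `acr_values`
    selects the custom authentication script by its display name."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "acr_values": acr,
    }
    return "https://%s/oxauth/authorize?%s" % (domain, urlencode(params))


def new_state():
    """Unguessable `state` that binds the callback to this browser session."""
    return secrets.token_urlsafe(16)


def state_matches(expected, received):
    """Compare the `state` echoed back on the redirect URI in constant time."""
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed walk-through: mint a link, redeem it, activate, then log in.
    token = issue_activation_token("alice")
    print("email link: https://app.example.test/activate?t=" + token)
    uid = redeem_activation_token(token)
    print("activated uid:", uid)
    print("SCIM body:", activation_payload({"userName": uid, "active": False}))
    print("replay rejected:", redeem_activation_token(token) is None)
    st = new_state()
    print(build_authorization_url("idp.example.test", "client-id-placeholder",
                                  "https://app.example.test/cb", "my-acr", st))
```

Hashing the token before the dictionary lookup is what lets the table be stored without becoming a second copy of every live link; the pop makes a forwarded or logged link useless after first use, and the expiry bounds how long a leaked mailbox stays dangerous. On the login side, a per-session `state` checked with `state_matches` on the redirect is what stops a forged callback from being accepted.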

By Jose Gonzalez staff 04 Sep 2018 at 8:09 a.m. CDT

I am closing this ticket since the original problem has been solved. You can open new ones if you like with regard to authentication.