Retrieve persons data after login

[TimoKramer]

Hi,
I am using kanidm for authentication and after a user logged in I want to retrieve its legalname. How do I do that?

I tried to use the users access-token to query the api /v1/person/<user_name> using it as bearer token but got 401.

EDIT: I get that it's supposed to be a JWT token but first why? and second what am I supposed to encrypt? It's a plain GET request so what's the payload of the JWT token?

[yaleman]

You shouldn't be encrypting anything, the JWT that comes back as the value of success.state from an auth flow is the bearer token to use.

Example from the Python lib's here.

[yaleman]

See that's a different login flow and associated permissions - per the docs (and OIDC/OAuth2 in general) you need to request the correct scopes and they'll be included in the authorization token when available.

[TimoKramer]

Please forgive me for not understanding this right away...

1. I can not retrieve persons metadata after they logged in with their very own token, right?
2. I have to log in with another account that has permission to read person metadata (idm_people_pii_read), right?
3. I have to use the login flow that you linked and I can not use an oauth2 login flow, right?

echo '{"step": {"init": "timo.kramer"}}' | xh https://mykanidminstance.foo/v1/auth
-> 
{
    "sessionid": "00000000-661e-6195-3700-99bbdab4e353",
    "state": {
        "choose": [
            "password"
        ]
    }
}

echo '{"step": {"begin": "password"}}' | xh https://mykanidminstance.foo/v1/auth "x-kanidm-auth-session-id:00000000-661e-6195-3700-99bbdab4e353" -v
->
{
    "invalidauthstate": "session id not present in cred presented to 'begin' step"
}

What am I doing wrong?

[yaleman]

If they're logging in with the Kanidm API flow they can access their own information. OAuth is a different flow.

[yaleman]

... and I don't know how the xh tool works so I'm not even sure what you're sending there. There's code in Python and Rust languages in the repo

[TimoKramer]

sorry for not being clear enough... on the server I am retrieving the token-introspection data after the users login... on the server I need to read the legalname, how would I do that if I can not read it with the oauth token? Would you log in with an admin account from the server and then read the persons metadata?

[yaleman]

if you’re doing it with OAuth, what scopes are you requesting.

…

On 2024-04-16 21:51 Timo Kramer wrote: sorry for not being clear enough... on the server I am retrieving the token-introspection data after the users login... on the server I need to read the legalname, how would I do that if I can not read it with the oauth token? Would you log in with an admin account from the server and then read the persons metadata? — Reply to this email directly, view it on GitHub <#2709 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABJB7ABKWOJGSMXQ6SEPELY5UGD3AVCNFSM6AAAAABGHIMJPGVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TCMRZGMYDG>. You are receiving this because you commented.Message ID: ***@***.***>

[Firstyear]

https://kanidm.github.io/kanidm/stable/integrations/oauth2.html#create-the-kanidm-configuration

[TimoKramer]

I guess the way to go here would be to use an account with elevated privileges and authenticate with this account via rest-api. Then after a user logs in requesting its data with the elevated-privilges-account. I don't see the way to give each account elevated privileges to request its own data, I only see the permission to read all accounts data which I don't want to give unprivileged accounts.

[TimoKramer]

Thanks for your help

[yaleman]

Yep, if users need to see and edit their own full account details they'll need to authenticate against the Kanidm API, not OAuth/OIDC.