lib_UserManager

User management and Authentication for your projects

The lib_UserManager enables your projects to include user management and authentication in your apps. This library will handle :

• user login with user/password using a salted password security
• user login using OpenID (Google, Azure & linkedin)

When using user/password, the library will use the lib_usermanager_fullsync database to store userids and salted/hashed password

Symbols :

symbol	Usage
lib_UserManager.adminPassword.secret	LDAP admin account password
lib_UserManager.adminUser	LDAP admin account user
lib_UserManager.ldapBasePath	LDAP Search Root Path
lib_UserManager.ldapDomainName	LDAP DOMAIN Name
lib_UserManager.ldapServer	LDAP server address:port
lib_UserManager.smtp.server	SMTP server address
lib_UserManager.smtp.port	SMTP server port
lib_UserManager.smtp.sauthtype	SMTP server authentication type
lib_UserManager.smtp.sender	SMTP sender mail address
lib_UserManager.smtp.user	SMTP server user account
lib_UserManager.smtp.password.secret	SMTP server password
lib_UserManager.LDAP_USER_ID_ATTRIBUTE	LDAP User ID attribute to search.
lib_UserManager.LDAP_GROUP_OBJECT_CLASS	Object class identifying groups
lib_UserManager.ldapBasePathGroup	Base path used to search for LDAP groups
lib_UserManager.LDAP_GROUP_DISPLAY_ATTRIBUTE	The display name attribute for groups

Authentication Modes And Required Symbols

Internal Login (SignIn / CheckSecureToken)

No lib_UserManager.* symbol is required for the standard internal login (SignIn).

CheckSecureToken validates JWT signatures with the Convertigo engine property:

• CRYPTO_PASSPHRASE (engine property, not a lib_UserManager.* symbol)

Active Directory Login (SignInAD / SignInADBulk)

symbol	Required	Usage
lib_UserManager.ldapServer	yes	Active Directory LDAP URL (ldap://host:port or ldaps://host:port)
lib_UserManager.ldapBasePath	yes	Base DN used to search users
lib_UserManager.adminUser	yes	Service account used to perform LDAP searches
lib_UserManager.adminPassword.secret	yes	Service account password
lib_UserManager.ldapDomainName	optional	Domain prefix automatically prepended to user when needed

LDAP Login (SignInLDAPBulk)

symbol	Required	Usage
lib_UserManager.ldapServer	yes	LDAP URL (ldap://host:port or ldaps://host:port)
lib_UserManager.ldapBasePath	yes	Base DN used to search users
lib_UserManager.ldapBasePathGroup	yes	Base DN used to search groups
lib_UserManager.adminUser	yes	LDAP service account
lib_UserManager.adminPassword.secret	yes	LDAP service account password
lib_UserManager.LDAP_USER_ID_ATTRIBUTE	optional	User identifier attribute (default uid)
lib_UserManager.LDAP_GROUP_OBJECT_CLASS	optional	LDAP objectClass used to find groups (default group)
lib_UserManager.LDAP_GROUP_DISPLAY_ATTRIBUTE	optional	Group display attribute (default cn)
lib_UserManager.ldapDomainName	optional	Domain prefix helper for user login

OpenID/OAuth Login (Google, Microsoft, LinkedIn, OpenID)

OpenID/OAuth login is handled by lib_OAuth.

No additional lib_UserManager.* symbol is required for provider configuration. Configure provider credentials and endpoints in the lib_OAuth project symbols.

For more technical informations : documentation

• Installation
• Sequences
  • AddUser
  • CheckSecureToken
  • ConfirmAccount
  • CreateAccount
  • DeleteUser
  • ForgotPassword
  • ForgotPasswordWithBrand
  • GenerateSecureToken
  • GetAllAdGroups
  • GetDomainUsersGroupName
  • GetUAllserAttributes
  • GetUserAttribute
  • GetUserByAttributeNameAndValue
  • HashAndSalt
  • ListUsers
  • ModifyPassword
  • RemoveDraftedAccounts
  • SetUserAttribute
  • SignIn
  • SignInAD
  • SignInADBulk
  • SignInLDAPBulk
  • SignOut

Installation

1. In your Convertigo Studio use File->Import->Convertigo->Convertigo Project and hit the Next button

2. In the dialog Project remote URL field, paste the text below:

   Usage	Click the copy button
   To contribute	lib_UserManager=https://github.com/convertigo/c8oprj-lib-user-manager.git:branch=8.0.X
   To simply use	lib_UserManager=https://github.com/convertigo/c8oprj-lib-user-manager/archive/8.0.X.zip

3. Click the Finish button. This will automatically import the lib_UserManager project

Sequences

AddUser

Adds an user to the Internal Convertigo User database

variables

name	comment
askForPasswordReset	The user id as a valid email address
emailBody	Email content
emailLogo	Email logo to be added
emailSubject	Email subject
password	The inital password. (User will be able to change it afterwards)
targetApplicationName	Email where to send the reset password link to
user	The user id as a valid email address

CheckSecureToken

The CheckSecureToken sequence verifies the validity of a JWT by checking its structure, expiration, and signature. It extracts the payload, validates the password hash, and manages associated JWT tokens for the user. Additionally, it refreshes the JWT token.

variables

name	comment
token

ConfirmAccount

Confirms a user account if a passwordResetKey was provided, or sends an email to the user with a passwordResetKey and allow him to confirm account. It should be called by CreateAccount sequence.

variables

name	comment
email	Email where to send the reset password link to
emailLogo	Email logo to be added
emailSubject	Email subject
lang	The lang to be used in the email. It can be fr or en
passwordResetKey	Password reset key (Optional)
targetApplicationName	The Target application name to be used into the email template

CreateAccount

Creates a user account and sends validation email, to active this account

variables

name	comment
emailLogo	Email logo to be added
emailSubject	Email subject
lang	The language to be used into the email. Can be fr or en.
password	The inital password. (User will be able to change it afterwards)
targetApplicationName	target Application Name
user	The user id as a valid email address

DeleteUser

Deletes an user from the internal Convertigo database

variables

name	comment
user	The user ID as (The users email address)

ForgotPassword

Has to be called with email fields not empty to send an email reset link to the user, or with a newPassword an passwordResetKey not empty to excplicitly reset a password

variables

name	comment
email	Email where to send the reset password link to
emailBody	Email content
emailLogo	Email logo to be added
emailSubject	Email subject
newPassword	New password to be set
passwordResetKey	Password reset key
targetApplicationName	Email where to send the reset password link to

ForgotPasswordWithBrand

Has to be called with email fields not empty to send an email reset link to the user, or with a newPassword an passwordResetKey not empty to excplicitly reset a password

variables

name	comment
email	Email where to send the reset password link to
emailLogo	Email logo to be added
emailSubject	Email subject
lang	The lang to be used in the email. It can be fr or en
newPassword	New password to be set
passwordResetKey	Password reset key
targetApplicationName	The Target application name to be used into the email template

GenerateSecureToken

The GenerateSecureToken sequence creates a JWT token with a specified expiration and includes a password hash in the payload. It encodes the token using HMAC SHA256 and appends it to the user's document, managing JWT tokens for secure user authentication.

variables

name	comment
passwordHash
tokenExpiration
userName

GetAllAdGroups

Get all groups available in the AD

variables

name	comment
adminPassword	The Active Directory admin account password. If not provided or invalid, the group membership information will not be provided.
adminUser	A valid ActiveDirectory Admin Account with read privileges used to search for the user attributes. If this is not provided, the group membership information will not be returned.
domainNameUser
ldapBasePath	The active directory user user to sign in. May be a valid domain account ex: 'DOMAIN\user' or the user's email ex: 'user@domain.com' or just the users full name ex: 'John doe'
ldapServer	The Active Directory server ldap url as ldap(s)://server:port. Mandatory.

GetDomainUsersGroupName

Gives the localized Domain Users group, where all users automatically belong

variables

name	comment
adminPassword	The Active Directory admin account password. If not provided or invalid, the group membership information will not be provided.
adminUser	A valid ActiveDirectory Admin Account with read privileges used to search for the user attributes. If this is not provided, the group membership information will not be returned.
domainNameUser
ldapBasePath	The active directory user user to sign in. May be a valid domain account ex: 'DOMAIN\user' or the user's email ex: 'user@domain.com' or just the users full name ex: 'John doe'
ldapServer	The Active Directory server ldap url as ldap(s)://server:port. Mandatory.
sAMAccountName

GetUAllserAttributes

Gets a given attribute from an user account

variables

name	comment
attribute	The attribute name
user	The user where we have to get the attribute from

GetUserAttribute

Gets a given attribute from an user account

variables

name	comment
attribute	The attribute name
user	The user where we have to get the attribute from

GetUserByAttributeNameAndValue

Gets an user by attribute name and value

variables

name	comment
attrName
attrValue

HashAndSalt

Utility sequence to Hash and Salt passwords

variables

name	comment
hash
password
salt

ListUsers

Lists users from the internal Convertigo User database

ModifyPassword

Modify a password for a given user

variables

name	comment
password	New password to be set
user	User email to set the new password on

RemoveDraftedAccounts

Remove any drafts accounts not confirmed by email. Has to be scheduled.

variables

name	comment
doDelete	Perform effectively deletions operations if true
hours	Any account aged more than this number of hours, will be deleted.

SetUserAttribute

Sets a given attribute on an user account if the account doesn't exists, an account will be created with a fake radom password

variables

name	comment
attribute	The attribute name
user	The user where we have to set the attribute on
value	The attribute value

SignIn

Performs a user sign in for a given user with its id (email) and password

variables

name	comment
password	The user's password
rememberMe	Stay logged in for an extended period, even after closing the browser
user	The userID (user's email)

SignInAD

Sign in using an ActiveDirectory account. Will also return the list of groups the user belongs to

variables

name	comment
adminPassword	The Active Directory admin account password. If not provided or invalid, the group membership information will not be provided.
adminUser	A valid ActiveDirectory Admin Account with read privileges used to search for the user attributes. If this is not provided, the group membership information will not be returned.
domainNameUser
ldapBasePath	The active directory user user to sign in. May be a valid domain account ex: 'DOMAIN\user' or the user's email ex: 'user@domain.com' or just the users full name ex: 'John doe'
ldapServer	The Active Directory server ldap url as ldap(s)://server:port. Mandatory.
password	The users password
user	The active directory user user to sign in. May be a valid domain account ex: 'DOMAIN\user' or the user's email ex: 'user@domain.com' or just the users full name ex: 'John doe'

SignInADBulk

Sign in using an ActiveDirectory account. Will also return the list of groups the user belongs to

variables

name	comment
adminPassword	The Active Directory admin account password. If not provided or invalid, the group membership information will not be provided.
adminUser	A valid ActiveDirectory Admin Account with read privileges used to search for the user attributes. If this is not provided, the group membership information will not be returned.
domainNameUser
ldapBasePath	The active directory user user to sign in. May be a valid domain account ex: 'DOMAIN\user' or the user's email ex: 'user@domain.com' or just the users full name ex: 'John doe'
ldapServer	The Active Directory server ldap url as ldap(s)://server:port. Mandatory.
password	The users password
user	The active directory user user to sign in. May be a valid domain account ex: 'DOMAIN\user' or the user's email ex: 'user@domain.com' or just the users full name ex: 'John doe'

SignInLDAPBulk

variables

name	comment
adminPassword	The LDAP service account password. If not provided or invalid, the group membership information will not be provided.
adminUser	A valid LDAP service Account with read privileges used to search for the user attributes. If this is not provided, the group membership information will not be returned.
domainNameUser	Domain name to prefix to user in case of azure AD
groupAttribute	Object class identifying groups
groupDisplayAttribute	The display name attribute for groups
ldapBasePath	The LDAP user user to sign in. May be a valid domain account ex: 'DOMAIN\user' or the user's email ex: 'user@domain.com' or just the users full name ex: 'John doe'
ldapBasePathGroup	Base path used to search for LDAP groups
ldapServer	The LDAP server url as ldap(s)://server:port. Mandatory.
password	The LDAP users password
user	The LDAP user to sign in. May be a valid domain account ex: 'DOMAIN\user' or the user's email ex: 'user@domain.com' or just the users full name ex: 'John doe'
userIdAttribute	User ID attribute to search

SignOut

The SignOut sequence logs out the authenticated user by removing their associated JWT token from the user's document and clearing the authenticated user session.

variables

name	comment
token