Create user without password

When I create a user from within the UI, it only asks me for the email address and the role. I never have to provide a password. However, when I use the management API, I MUST specify a password, otherwise, I get an error. Since the UI uses the management API underneath, how is the UI able to create a user without a password but I can’t?

1 ACCEPTED SOLUTION

@Shawn Castrianni

When you create a user from the Edge UI, the SMTP server sends an email to the user account for setting the password. At this time, the user record is not created in the data store. It will be in a temporary data store with a set expiry for the invitation. Only when the user responds to the invite and sets a password is the user record created in the data store, similar to what the management API does.

When you use the management API to create the user, you are directly dealing with the user data store which would have a constraint for the mandatory fields.


I may not have provided enough information in my original post. This is for my Private Cloud installation with SSO/SAML configured. In this case Apigee does not manage the passwords, the IDP for SAML does. Also, I watched the log files of the edge-management-ui/edge-management-server components and saw that when I created a user in the UI, it made a call to the edge-management-server with a similar POST body as what I was trying, except the log file purposely hid the password so that it could not be obtained by looking through the logs. So I am thinking that the UI is using some undocumented management API feature to do this. Because when I read the user back using the management API, the password field is NOT included in the HTTP response.

It is possible that internally a temporary password is used when the user is created from the UI. I am only guessing since the complete details of how the Edge UI uses the management API are not published in the documentation.

Fetching user data through the management API never returns the password; that is the expected behavior.

Good point. When I create the user from the M API, it returns the created user JSON object in the response which includes the password. I mistakenly thought that response was the response from getting a user from the M API which, you are correct, does NOT return the password. So, yes, it most likely is putting some temp password inside. Thanks.