Wednesday, September 14, 2016

Email OTP Two Factor Authentication through Identity Server

In this post, I will explain how to use the Email OTP two-factor authenticator through WSO2 Identity Server. In this demonstration, I am using the SMTP mail transport to send the OTP code via email at the time authentication happens.
Add the authenticator configuration to the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the <AuthenticatorConfigs> section.

<AuthenticatorConfig name="EmailOTP" enabled="true">
     <Parameter name="GmailClientId">gmailClientIdValue</Parameter>
     <Parameter name="GmailClientSecret">gmailClientSecretValue</Parameter>
     <Parameter name="SendgridAPIKey">sendgridAPIKeyValue</Parameter>
     <Parameter name="EMAILOTPAuthenticationEndpointURL">https://localhost:9443/emailotpauthenticationendpoint/emailotp.jsp</Parameter>
     <Parameter name="EmailOTPAuthenticationEndpointErrorPage">https://localhost:9443/emailotpauthenticationendpoint/emailotpError.jsp</Parameter>
     <Parameter name="EmailAddressRequestPage">https://localhost:9443/emailotpauthenticationendpoint/emailAddress.jsp</Parameter>
     <Parameter name="GmailRefreshToken">gmailRefreshTokenValue</Parameter>
     <Parameter name="GmailEmailEndpoint">https://www.googleapis.com/gmail/v1/users/[userId]/messages/send</Parameter>
     <Parameter name="SendgridEmailEndpoint">https://api.sendgrid.com/api/mail.send.json</Parameter>
     <Parameter name="accessTokenRequiredAPIs">Gmail</Parameter>
     <Parameter name="apiKeyHeaderRequiredAPIs">Sendgrid</Parameter>
     <Parameter name="SendgridFormData">sendgridFormDataValue</Parameter>
     <Parameter name="SendgridURLParams">sendgridURLParamsValue</Parameter>
     <Parameter name="GmailAuthTokenType">Bearer</Parameter>
     <Parameter name="GmailTokenEndpoint">https://www.googleapis.com/oauth2/v3/token</Parameter>
     <Parameter name="SendgridAuthTokenType">Bearer</Parameter>
     <Parameter name="usecase">association</Parameter>
     <Parameter name="secondaryUserstore">primary</Parameter>
     <Parameter name="EMAILOTPMandatory">true</Parameter>
     <Parameter name="sendOTPToFederatedEmailAttribute">false</Parameter>
     <Parameter name="federatedEmailAttributeKey">email</Parameter>
     <Parameter name="EmailOTPEnableByUserClaim">true</Parameter>
     <Parameter name="CaptureAndUpdateEmailAddress">true</Parameter>
     <Parameter name="showEmailAddressInUI">true</Parameter>
</AuthenticatorConfig>

Configure the Service Provider and Identity Provider as you normally would for two-factor authentication. Now we will configure the EmailOTP Identity Provider for the SMTP transport.
SMTP transport sender configuration.
Add the SMTP transport sender configuration to the <IS_HOME>/repository/conf/axis2/axis2.xml file.
Here you need to replace {USERNAME}, {PASSWORD} and {SENDER'S_EMAIL_ID} with real values.

<transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
       <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
       <parameter name="mail.smtp.port">587</parameter>
       <parameter name="mail.smtp.starttls.enable">true</parameter>
       <parameter name="mail.smtp.auth">true</parameter>
       <parameter name="mail.smtp.user">{USERNAME}</parameter>
       <parameter name="mail.smtp.password">{PASSWORD}</parameter>
       <parameter name="mail.smtp.from">{SENDER'S_EMAIL_ID}</parameter>
</transportSender>

Comment out the <module ref="addressing"/> module in <IS_HOME>/repository/conf/axis2/axis2.xml.
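As an added example (not part of the original post), a small Python check for the two axis2.xml changes above: it parses the mailto transport sender, confirms STARTTLS and SMTP authentication are on, flags any {USERNAME}-style placeholder that was never replaced, and reports if the addressing module is still active. The embedded axis2.xml fragment is constructed for the example, with deliberate mistakes so the check has something to report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed axis2.xml fragment in the shape of the transportSender above.
# STARTTLS is off, {USERNAME} is unreplaced and the addressing module is still active.
SAMPLE_AXIS2_XML = """<axisconfig>
  <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
    <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
    <parameter name="mail.smtp.port">587</parameter>
    <parameter name="mail.smtp.starttls.enable">false</parameter>
    <parameter name="mail.smtp.auth">true</parameter>
    <parameter name="mail.smtp.user">{USERNAME}</parameter>
    <parameter name="mail.smtp.password">secret</parameter>
    <parameter name="mail.smtp.from">otp@example.com</parameter>
  </transportSender>
  <module ref="addressing"/>
</axisconfig>"""

# Matches the {USERNAME}, {PASSWORD} and {SENDER'S_EMAIL_ID} markers from the post
PLACEHOLDER = re.compile(r"^\{[A-Z_']+\}$")


def check_mail_transport(axis2_xml):
    """Return a list of findings for the mailto transport sender; empty means it looks right."""
    root = ET.fromstring(axis2_xml)
    findings = []
    sender = root.find("./transportSender[@name='mailto']")
    if sender is None:
        return ["no transportSender named 'mailto'"]
    params = {p.get("name"): (p.text or "").strip() for p in sender.findall("parameter")}
    # Without STARTTLS and authentication the OTP and the SMTP credentials travel in clear
    if params.get("mail.smtp.starttls.enable") != "true":
        findings.append("mail.smtp.starttls.enable is not true")
    if params.get("mail.smtp.auth") != "true":
        findings.append("mail.smtp.auth is not true")
    # Every credential/sender parameter must be present and no longer a placeholder
    for name in ("mail.smtp.user", "mail.smtp.password", "mail.smtp.from"):
        if name not in params or PLACEHOLDER.match(params[name]):
            findings.append(f"{name} still holds a placeholder or is missing")
    # A commented-out module is dropped by the parser, so an element here means it is still on
    if root.find("./module[@ref='addressing']") is not None:
        findings.append("addressing module is still enabled")
    return findings
```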
Email Template configuration.
Add the email template to the <IS_HOME>/repository/conf/email/email-admin-config.xml file.

    <configuration type="EmailOTP">
           <targetEpr></targetEpr>
           <subject>WSO2 IS EmailOTP Authenticator One Time Password</subject>
           <body>
       Hi,
       Please use this OTP {OTPCode} to go with EmailOTP authenticator.
           </body>
           <footer>
       Best Regards,
       WSO2 Identity Server Team
       http://www.wso2.com
           </footer>
           <redirectPath></redirectPath>
    </configuration>


When authentication happens in the second step, the code is sent to the email address saved in the email claim of the user's profile.
If the user submits the code, WSO2 IS validates it and lets the user sign in accordingly.

SMS OTP Two Factor Authentication through Identity Server

In this post, I will explain how to use the SMS OTP multi-factor authenticator through WSO2 Identity Server. In this demonstration, I am using the Twilio SMS provider to send the OTP code via SMS at the time authentication happens.


SMS OTP Authentication Flow
The SMS OTP authenticator of WSO2 Identity Server lets the system authenticate users with multi-factor authentication. This authenticator authenticates with user name and password as the first step, then sends a one-time password to the user's mobile via SMS as the second step. WSO2 IS validates the code and lets the user sign in accordingly.


Add the authenticator configuration to the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the <AuthenticatorConfigs> section.


<AuthenticatorConfig name="SMSOTP" enabled="true">
    <Parameter name="SMSOTPAuthenticationEndpointURL">https://localhost:9443/smsotpauthenticationendpoint/smsotp.jsp</Parameter>
    <Parameter name="SMSOTPAuthenticationEndpointErrorPage">https://localhost:9443/smsotpauthenticationendpoint/smsotpError.jsp</Parameter>
    <Parameter name="MobileNumberRegPage">https://localhost:9443/smsotpauthenticationendpoint/mobile.jsp</Parameter>
    <Parameter name="RetryEnable">true</Parameter>
    <Parameter name="ResendEnable">true</Parameter>
    <Parameter name="BackupCode">true</Parameter>
    <Parameter name="SMSOTPEnableByUserClaim">false</Parameter>
    <Parameter name="SMSOTPMandatory">false</Parameter>
    <Parameter name="usecase">association</Parameter>
    <Parameter name="secondaryUserstore">primary</Parameter>
    <Parameter name="CaptureAndUpdateMobileNumber">true</Parameter>
    <Parameter name="SendOTPDirectlyToMobile">false</Parameter>
</AuthenticatorConfig>

Configure the Service Provider and Identity Provider as you normally would for two-factor authentication. Now we will configure the SMS OTP Identity Provider for the Twilio SMS provider.


Go to https://www.twilio.com/try-twilio and create a Twilio account.

While registering the account, verify your mobile number and click on console home https://www.twilio.com/console to get free credits (Account SID and Auth Token).

Twilio uses a POST method with headers, and the text message and phone number are sent as the payload. So the fields would be as follows.

SMS URL         https://api.twilio.com/2010-04-01/Accounts/{AccountSID}/SMS/Messages.json
HTTP Method     POST
HTTP Headers    Authorization: Basic base64{AccountSID:AuthToken}
HTTP Payload    Body=$ctx.msg&To=$ctx.num&From={FROM_NUM}
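As an added example (not part of the original post), a Python builder for the request described in the four fields above: it derives the Basic header from AccountSID:AuthToken, substitutes the $ctx.msg and $ctx.num placeholders that the Identity Server fills in with the message text and the user's mobile claim, and URL-encodes the form body. The account SID, auth token, sender number and message text are constructed placeholders; nothing is sent over the network.

```python
import base64
from urllib.parse import urlencode, urlparse

# Constructed placeholder values; a real deployment takes these from the Twilio console.
ACCOUNT_SID = "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
AUTH_TOKEN = "your_auth_token"
FROM_NUM = "+15005550006"

# The URL and payload fields from the table above, as the SMS OTP provider config holds them.
SMS_URL_TEMPLATE = "https://api.twilio.com/2010-04-01/Accounts/{AccountSID}/SMS/Messages.json"
PAYLOAD_TEMPLATE = "Body=$ctx.msg&To=$ctx.num&From={FROM_NUM}"


def basic_auth_header(account_sid, auth_token):
    """Authorization: Basic base64(AccountSID:AuthToken), as in the HTTP Headers row."""
    raw = f"{account_sid}:{auth_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_sms_request(message, mobile_number, account_sid=ACCOUNT_SID,
                      auth_token=AUTH_TOKEN, from_num=FROM_NUM):
    """Return (url, headers, body) for the POST that delivers the OTP text.

    $ctx.msg and $ctx.num are the Identity Server placeholders for the message text
    and the user's mobile claim. Each form field is URL-encoded after substitution,
    so a '+' in the number or an '&' in the text cannot alter the field layout.
    """
    url = SMS_URL_TEMPLATE.format(AccountSID=account_sid)
    if urlparse(url).scheme != "https":
        raise ValueError("account credentials must only be sent over TLS")
    fields = {}
    for pair in PAYLOAD_TEMPLATE.format(FROM_NUM=from_num).split("&"):
        name, value = pair.split("=", 1)
        value = value.replace("$ctx.msg", message).replace("$ctx.num", mobile_number)
        fields[name] = value
    headers = {
        "Authorization": basic_auth_header(account_sid, auth_token),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, headers, urlencode(fields)
```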

You can go to the SMS OTP Identity Provider and configure it to send the SMS using the Twilio SMS provider.

Twilio SMS Provider Config
When authentication happens in the second step, the code is sent to the mobile number saved in the mobile claim of the user's profile.
If the user submits the code, WSO2 IS validates it and lets the user sign in accordingly.
