Wednesday, September 14, 2016

Email OTP Two Factor Authentication through Identity Server

In this post, I will explain how to use Email OTP two authenticator through WSO2 Identity server. In this demonstration, I am using SMTP mail transport which was used to send the OTP code via email at the time authentication happens.






















Add the authenticator configuration  <IS_HOME>/repository/conf/identity/application-authentication.xml file under the <AuthenticatorConfigs> section.

<AuthenticatorConfig name="EmailOTP" enabled="true">
     <Parameter name="GmailClientId">gmailClientIdValue</Parameter>
     <Parameter name="GmailClientSecret">gmailClientSecretValue</Parameter>
     <Parameter name="SendgridAPIKey">sendgridAPIKeyValue</Parameter>
     <Parameter name="EMAILOTPAuthenticationEndpointURL">https://localhost:9443/emailotpauthenticationendpoint/emailotp.jsp</Parameter>
     <Parameter name="EmailOTPAuthenticationEndpointErrorPage">https://localhost:9443/emailotpauthenticationendpoint/emailotpError.jsp</Parameter>
     <Parameter name="EmailAddressRequestPage">https://localhost:9443/emailotpauthenticationendpoint/emailAddress.jsp</Parameter>
     <Parameter name="GmailRefreshToken">gmailRefreshTokenValue</Parameter>
     <Parameter name="GmailEmailEndpoint">https://www.googleapis.com/gmail/v1/users/[userId]/messages/send</Parameter>
     <Parameter name="SendgridEmailEndpoint">https://api.sendgrid.com/api/mail.send.json</Parameter>
     <Parameter name="accessTokenRequiredAPIs">Gmail</Parameter>
     <Parameter name="apiKeyHeaderRequiredAPIs">Sendgrid</Parameter>
     <Parameter name="SendgridFormData">sendgridFormDataValue</Parameter>
     <Parameter name="SendgridURLParams">sendgridURLParamsValue</Parameter>
     <Parameter name="GmailAuthTokenType">Bearer</Parameter>
     <Parameter name="GmailTokenEndpoint">https://www.googleapis.com/oauth2/v3/token</Parameter>
     <Parameter name="SendgridAuthTokenType">Bearer</Parameter>
     <Parameter name="usecase">association</Parameter>
     <Parameter name="secondaryUserstore">primary</Parameter>
     <Parameter name="EMAILOTPMandatory">true</Parameter>
     <Parameter name="sendOTPToFederatedEmailAttribute">false</Parameter>
     <Parameter name="federatedEmailAttributeKey">email</Parameter>
     <Parameter name="EmailOTPEnableByUserClaim">true</Parameter>
     <Parameter name="CaptureAndUpdateEmailAddress">true</Parameter>
     <Parameter name="showEmailAddressInUI">true</Parameter>
</AuthenticatorConfig>

Configure the Service Provider and Identity Provider Configuration as we normally configure for Two factor authentication. Now we will configure EmailOTP Identity provider for SMTP transport.






 
 
 
 
 
 
 
SMTP transport sender configuration.
   Add the SMTP transport sender configuration in the <IS_HOME>/repository/conf/axis2/axis2.xml file.
  Here you need to replace {USERNAME}, {PASSWORD} and {SENDER'S_EMAIL_ID} with real values.

<transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
       <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
       <parameter name="mail.smtp.port">587</parameter>
       <parameter name="mail.smtp.starttls.enable">true</parameter>
       <parameter name="mail.smtp.auth">true</parameter>
       <parameter name="mail.smtp.user">{USERNAME}</parameter>
       <parameter name="mail.smtp.password">{PASSWORD}</parameter>
       <parameter name="mail.smtp.from">{SENDER'S_EMAIL_ID}</parameter>
</transportSender>

Comment <module ref="addressing"/> module from axis2.xml in <IS_HOME>/repository/conf/axis2.
Email Template configuration.
Add the email template in the <IS_HOME>/repository/conf/email/email-admin-config.xml file.

    <configuration type="EmailOTP">
           <targetEpr></targetEpr>
           <subject>WSO2 IS EmailOTP Authenticator One Time    Password</subject>
           <body>
       Hi,
       Please use this OTP {OTPCode} to go with EmailOTP authenticator.
           </body>
           <footer>
       Best Regards,
       WSO2 Identity Server Team
       http://www.wso2.com
           </footer>
           <redirectPath></redirectPath>
    </configuration>


When authentication is happening in second step, the code will be sent to email  which is saved in email claim of  user's user profile.
If the user apply the code, WSO2 IS will validate the code and let the user sign in accordingly.

No comments:

Post a Comment

Email OTP Two Factor Authentication through Identity Server

In this post, I will explain how to use Email OTP two authenticator through WSO2 Identity server. In this demonstration,  I am using SMTP m...