Wednesday, September 14, 2016

Email OTP Two Factor Authentication through Identity Server

In this post, I will explain how to use the Email OTP authenticator as a second factor with WSO2 Identity Server. In this demonstration I use the SMTP mail transport, which sends the OTP code by email at the time authentication happens.

Add the authenticator configuration to the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the <AuthenticatorConfigs> section. The Gmail and SendGrid parameters apply only when the OTP is sent through those APIs; for the SMTP transport used in this post their values are placeholders, so do not put real credentials there.

<AuthenticatorConfig name="EmailOTP" enabled="true">
     <Parameter name="GmailClientId">gmailClientIdValue</Parameter>
     <Parameter name="GmailClientSecret">gmailClientSecretValue</Parameter>
     <Parameter name="SendgridAPIKey">sendgridAPIKeyValue</Parameter>
     <Parameter name="EMAILOTPAuthenticationEndpointURL">https://localhost:9443/emailotpauthenticationendpoint/emailotp.jsp</Parameter>
     <Parameter name="EmailOTPAuthenticationEndpointErrorPage">https://localhost:9443/emailotpauthenticationendpoint/emailotpError.jsp</Parameter>
     <Parameter name="EmailAddressRequestPage">https://localhost:9443/emailotpauthenticationendpoint/emailAddress.jsp</Parameter>
     <Parameter name="GmailRefreshToken">gmailRefreshTokenValue</Parameter>
     <Parameter name="GmailEmailEndpoint">https://www.googleapis.com/gmail/v1/users/[userId]/messages/send</Parameter>
     <Parameter name="SendgridEmailEndpoint">https://api.sendgrid.com/api/mail.send.json</Parameter>
     <Parameter name="accessTokenRequiredAPIs">Gmail</Parameter>
     <Parameter name="apiKeyHeaderRequiredAPIs">Sendgrid</Parameter>
     <Parameter name="SendgridFormData">sendgridFormDataValue</Parameter>
     <Parameter name="SendgridURLParams">sendgridURLParamsValue</Parameter>
     <Parameter name="GmailAuthTokenType">Bearer</Parameter>
     <Parameter name="GmailTokenEndpoint">https://www.googleapis.com/oauth2/v3/token</Parameter>
     <Parameter name="SendgridAuthTokenType">Bearer</Parameter>
     <Parameter name="usecase">association</Parameter>
     <Parameter name="secondaryUserstore">primary</Parameter>
     <Parameter name="EMAILOTPMandatory">true</Parameter>
     <Parameter name="sendOTPToFederatedEmailAttribute">false</Parameter>
     <Parameter name="federatedEmailAttributeKey">email</Parameter>
     <Parameter name="EmailOTPEnableByUserClaim">true</Parameter>
     <Parameter name="CaptureAndUpdateEmailAddress">true</Parameter>
     <Parameter name="showEmailAddressInUI">true</Parameter>
</AuthenticatorConfig>

Configure the service provider and identity provider as you normally would for two-factor authentication, with EmailOTP as the second step. Now configure the EmailOTP identity provider for the SMTP transport.

SMTP transport sender configuration.
Add the SMTP transport sender configuration to the <IS_HOME>/repository/conf/axis2/axis2.xml file.
Replace {USERNAME}, {PASSWORD} and {SENDER'S_EMAIL_ID} with real values. The password is stored in clear text in axis2.xml, so restrict read access to that file to the account that runs the server.

<transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
       <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
       <parameter name="mail.smtp.port">587</parameter>
       <parameter name="mail.smtp.starttls.enable">true</parameter>
       <parameter name="mail.smtp.auth">true</parameter>
       <parameter name="mail.smtp.user">{USERNAME}</parameter>
       <parameter name="mail.smtp.password">{PASSWORD}</parameter>
       <parameter name="mail.smtp.from">{SENDER'S_EMAIL_ID}</parameter>
</transportSender>

Comment out the <module ref="addressing"/> module in <IS_HOME>/repository/conf/axis2/axis2.xml; with it enabled the mailto sender fails with "Error while getting the SMTP configuration" (see the comments below).
Email template configuration.
Add the email template to the <IS_HOME>/repository/conf/email/email-admin-config.xml file.

<configuration type="EmailOTP">
       <targetEpr></targetEpr>
       <subject>WSO2 IS EmailOTP Authenticator One Time Password</subject>
       <body>
       Hi,
       Please use this OTP {OTPCode} to go with EmailOTP authenticator.
       </body>
       <footer>
       Best Regards,
       WSO2 Identity Server Team
       http://www.wso2.com
       </footer>
       <redirectPath></redirectPath>
</configuration>


When the second authentication step runs, the code is sent to the email address stored in the email claim of the user's profile.
When the user submits the code, WSO2 IS validates it and signs the user in accordingly.
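The following is an added example, not code from this post or from WSO2: a runnable model of the second step described above, covering both the SMTP delivery the axis2.xml mailto sender performs (STARTTLS on port 587, then AUTH) and the validation of the submitted code. The OTP length, the five-minute validity, the three-attempt limit, the claim URI and the pluggable transport hook are this example's own assumptions.

```python
"""Added example, not code from the post or from WSO2: a runnable model of the
Email OTP second step (send the code to the user's email claim over SMTP with
STARTTLS, then validate what the user submits).

OTP length, TTL, attempt limit, the claim URI and the transport hook are
assumptions made for this example.
"""
import hmac
import secrets
import smtplib
import string
import time
from dataclasses import dataclass, field
from email.message import EmailMessage
from typing import Callable, Dict, Optional

OTP_LENGTH = 6           # assumption: six decimal digits
OTP_TTL_SECONDS = 300    # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses burn the challenge
EMAIL_CLAIM = "http://wso2.org/claims/emailaddress"  # assumed URI of the email claim

# Mirrors the <configuration type="EmailOTP"> template in email-admin-config.xml
SUBJECT = "WSO2 IS EmailOTP Authenticator One Time Password"
BODY_TEMPLATE = "Hi,\nPlease use this OTP {OTPCode} to go with EmailOTP authenticator.\n"
FOOTER = "Best Regards,\nWSO2 Identity Server Team\nhttp://www.wso2.com\n"


def generate_otp(length: int = OTP_LENGTH) -> str:
    """Draw the code from the CSPRNG; random.randint or a timestamp would be guessable."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


def render_email(sender: str, recipient: str, otp: str) -> EmailMessage:
    """Substitute {OTPCode} the way the email-admin-config.xml template is filled."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = SUBJECT
    msg.set_content(BODY_TEMPLATE.replace("{OTPCode}", otp) + "\n" + FOOTER)
    return msg


def send_via_smtp(msg: EmailMessage, host: str, port: int, user: str, password: str) -> None:
    """Same settings as the axis2.xml mailto sender: STARTTLS on port 587, then AUTH."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls()             # mail.smtp.starttls.enable=true
        smtp.login(user, password)  # mail.smtp.auth=true
        smtp.send_message(msg)


@dataclass
class OtpChallenge:
    """Server-side state for one pending second step; the code never reaches the browser."""
    otp: str
    issued_at: float
    attempts: int = 0


@dataclass
class EmailOtpAuthenticator:
    sender: str
    transport: Callable[[EmailMessage], None]   # e.g. functools.partial(send_via_smtp, ...)
    challenges: Dict[str, OtpChallenge] = field(default_factory=dict)

    def initiate(self, session_id: str, user_profile: Dict[str, str],
                 now: Optional[float] = None) -> None:
        """Second step begins: read the email claim, mint a fresh code, deliver it."""
        recipient = user_profile.get(EMAIL_CLAIM)
        if not recipient:
            raise ValueError("user has no email claim; nowhere to send the OTP")
        issued = time.time() if now is None else now
        otp = generate_otp()
        self.challenges[session_id] = OtpChallenge(otp=otp, issued_at=issued)
        self.transport(render_email(self.sender, recipient, otp))

    def validate(self, session_id: str, submitted: str,
                 now: Optional[float] = None) -> str:
        """Returns "ok", "invalid", "expired", "locked" or "no-challenge"."""
        now = time.time() if now is None else now
        challenge = self.challenges.get(session_id)
        if challenge is None:
            return "no-challenge"
        if now - challenge.issued_at > OTP_TTL_SECONDS:
            del self.challenges[session_id]
            return "expired"
        if challenge.attempts >= MAX_ATTEMPTS:
            del self.challenges[session_id]
            return "locked"
        challenge.attempts += 1
        # Constant-time compare: a plain == stops at the first differing character.
        if hmac.compare_digest(challenge.otp.encode(), submitted.strip().encode()):
            del self.challenges[session_id]   # single use: a replayed code is refused
            return "ok"
        return "invalid"


if __name__ == "__main__":
    outbox = []                               # constructed offline transport
    auth = EmailOtpAuthenticator(sender="is@example.com", transport=outbox.append)
    auth.initiate("sess-1", {EMAIL_CLAIM: "alice@example.com"})
    print(outbox[0].get_content())
    print(auth.validate("sess-1", auth.challenges["sess-1"].otp))
```

To send for real, pass `functools.partial(send_via_smtp, host="smtp.gmail.com", port=587, user=..., password=...)` as the transport; the offline `outbox.append` transport is what lets the flow be exercised without a mail server. The points worth carrying over to any OTP implementation are the CSPRNG source, the expiry and attempt limit, the constant-time comparison and the single-use deletion of the challenge.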

9 comments:

1. In EmailOTP, we want to send the OTP through my SMTP server. Please suggest where I need to set my SMTP details, so that whatever OTP is generated is sent through my SMTP server.

1. You can add your SMTP server configuration in the mailto transport sender of axis2.xml. This is mentioned in the "SMTP transport sender configuration" section of this post.

  2. We are unable to get into Email OTP page and are getting redirected to https://olocalhst:9443/authenticationendpoint/samlsso_notification.do?status=Error+when+processing+the+authentication+request%21&statusMsg=Please+try+login+again.&SAMLResponse=pZLLbsJADEX3%2FYrR7AN5QZIRGYRaISGVTXksuqncxECkZAaNJ1X7900CETQLNl3a8r332PJs%2Fl2V7AsNFVql3Bu5nKHKdF6oY8p326UT87l8mhFUpX8Wb0hnrQjZ6iXlH2EQRbnvxkmWuBiHUQIhHkKYRp%2BTKSTgcbYiqnGlyIKyKfddL3LcxPH9rReISSCCaBS703fO9j2A3wI0SIrEJTLltVFCAxUkFFRIwmZis1i%2FimZUnI22OtMllxdC0QUattSmAvtY23aK3Dl0owKVLezPn%2BzHciBCYxtoLkudQXnSZGfjewrZX21jwdY0KJ91jmwPZY2Pc6ibvl4%2BR8P%2F57Oo7UktoSgx52N5Bb73GtivkQiOKHfNtgwacXuoDNrF2aGzGXj0gkH7Vvc%2FJH8B.

    When we checked the logs, we found the below trace,

    TID: [-1234] [] [2017-09-22 13:53:37,664] ERROR {org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator} - Unable to get the access token
    org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: Unable to get the access token
    at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.initiateAuthenticationRequest(EmailOTPAuthenticator.java:158)
    at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:64)
    at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:466)
    at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:233)
    at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:175)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:127)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:142)
    at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doPost(CommonAuthenticationHandler.java:46)
    at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doGet(CommonAuthenticationHandler.java:37)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.sendRequestToFramework(SAMLSSOProviderServlet.java:1004)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handleRequest(SAMLSSOProviderServlet.java:160)
    at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.doPost(SAMLSSOProviderServlet.java:108)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37).

    any idea on how to resolve this issue?

    1. The issue occurs while sending otp code. Please check your configuration, wso2 identity server version, etc. You can get more details from WSO2 official document -
      https://docs.wso2.com/display/ISCONNECTORS/Configuring+EmailOTP+Authenticator

    3. We followed the given link too and getting the below exception.

      Caused by: org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: Error while getting the SMTP configuration
      at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.sendOTP(EmailOTPAuthenticator.java:550)
      at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.initiateAuthenticationRequest(EmailOTPAuthenticator.java:150)
      ... 62 more
Whereas the same axis2 configuration for the mailto sender works fine in ESB.

4. You should comment out the ref="addressing" module in axis2.xml.

    5. It works now. Thanks a bunch for the help. :)

3. Thanks for your information, it was really very helpful.

