WSO2IS - Authenticating user by Mobile number and SMS OTP only without username and password - wso2-identity-server

Most new mobile apps use a mobile number with an SMS OTP to authenticate the user without a username/password. How can we do the same to generate an access token using WSO2 Identity Server, considering the following points:
The user has to enter his/her mobile number in the app.
The user has to enter the SMS OTP in the app.
WSO2IS has to send the SMS OTP.
In the last step, an access token is generated from WSO2 for the user.
Following is the expected flow
Mobile-SMS Flow

You can create a custom authenticator for this and manage SMS OTPs from the custom authenticator. You can follow this link and integrate the below two functionalities into your application.
SMSOtpService.generateSMSOTP(userId);
This will generate an SMS OTP for the input userId (SCIM id). The output will be a transactionId along with the smsOtp, and through the WSO2IS SMS event handler you can send the OTP too.
SMSOtpService.validateSMSOTP(transactionId, userID, smsOTP);
This method will validate the SMS OTP using the input fields transactionId, userId (SCIM id) and smsOtp.
You need to do a few customizations, but basically you can use these two functions to generate and validate SMS OTPs.

Related

How to implement Google Authenticator for 2-factor authentication with WSO2 Identity Server 5.7?

I want to use Google Authenticator for 2-factor authentication with WSO2 Identity Server 5.7.0. Google Authenticator should provide a one-time password which is valid only for a very short duration. Using the email id, password and OTP (generated from Google Authenticator), a user should be allowed to sign in to an application.
I cannot find how to implement Google Authenticator in the link mentioned below: WSO2 Identity Server Authenticators and Connectors Documentation
Can anyone provide some steps in the direction of implementing Google Authenticator with WSO2?
Note: I am not referring to using Google as a federated authenticator.
As for me, for your use case you don't need Google Authenticator; you need Email OTP [1]. You can configure your email OTP to be generated from Google. You can enable it as a second factor in authentication. So first the user will log in using username and password, then the user will be asked for the OTP generated from Google. That will be sent to the user's email account.
If you want to use Google Authenticator to get the OTP, not email, then you should use WSO2 TOTP [2].
[1] https://docs.wso2.com/display/IS570/Configuring+Email+OTP
[2] https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator

How to use custom authentication with email/mobile phone & password?

How to customize the default authentication method (username/password) in WSO2 Identity Server 5.7.0? I.e. use a password plus any of mobile/email/username to authenticate an end user and provide the user a JWT token as the response.
Please refer to the following [1][2]. As per your requirement, you can use basic (username/password) as authentication step 1 and SMS OTP or email OTP as step 2. The following examples are based on SAML, but as you need to get a JWT token as the response you need to register an OIDC application as a service provider [3][4].
[1] https://docs.wso2.com/display/IS570/Configuring+Email+OTP#ConfiguringEmailOTP-ConfigureWSO2ISastheemailOTPprovider
[2] https://docs.wso2.com/display/ISCONNECTORS/Configuring+Multi-factor+Authentication+using+SMSOTP
[3] https://docs.wso2.com/display/IS570/Configuring+OAuth2-OpenID+Connect+Single-Sign-On
[4] https://docs.wso2.com/display/IS570/Try+Authorization+Code+Grant

AWS Cognito sign up without password to get email confirmation link

I want to make a simple registration flow for an app.
User signs up with only email -> The verification/registration link is sent to the email -> People register (putting in their password) on that link
I've googled everything but haven't found any way to do it with AWS Cognito.
It looks like Cognito forces users to sign up with at least email AND password to get the confirmation link.
You can sign up users with the AdminCreateUser API call. They will receive an email with a temporary password. This approach is configurable.
See: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
Use: AdminCreateUser
Create a new user profile by using the AWS Management Console or by calling the AdminCreateUser API. Specify the temporary password (which will be your user's password) or allow Amazon Cognito to automatically generate one.
Specify whether provided email addresses and phone numbers are marked as verified for new users.
Specify custom SMS and email invitation messages for new users via the AWS Management Console.
Specify whether invitation messages are sent via SMS, email, or both.
After successful user creation:
1. Authenticate the user using the same user credentials.
Use: SDK calls InitiateAuth(Username, USER_SRP_AUTH)
2. After InitiateAuth succeeds, Amazon Cognito returns the PASSWORD_VERIFIER challenge with the Salt & Secret block.
3. Use RespondToAuthChallenge(Username, <SRP variables>, PASSWORD_VERIFIER).
4. Amazon Cognito returns the NEW_PASSWORD_REQUIRED challenge along with the current and required attributes.
5. The user is prompted and enters a new password and any missing values for required attributes.
6. Call RespondToAuthChallenge(Username, <New password>, <User attributes>).
7. After a successful password change, the user will be able to log in using the same credentials added by you.
Short answer:
- In that case, you can specify the temporary password (or allow Amazon Cognito to automatically generate one).
- All users will be forced to change their password only at first login.

What is the best way to add a user to cognito user pool after a federated identity login?

While using the Android SDK, Cognito does not add users automatically to the user pool if the user logs in with a 3rd-party identity provider like Google or Facebook.
What is the best way to do this? Should I register the user from the Android app?
After successful login I can look for the user with the related email, and then I can show a user information form to let them enter their info.
Thank you.
What worked for me: let the users authenticate using Cognito (not FB or Google directly). The Cognito logon page can further delegate the social network authentication and add users to the user pool.
https://docs.aws.amazon.com/cognito/latest/developerguide/login-endpoint.html
(I know this is the web endpoint.)
"I can show a user information form to let them enter their info"
The id_token received after logon contains the user email if you request it; you don't need to add users to the pool to get this information.

AWS cognito authenticate user with number

Is it possible to authenticate a user with just their mobile phone, like WhatsApp does on mobile?
The Mobile Hub asks for a password, along with the phone number.
So should I randomly generate it on the user's mobile,
then store it in the keychain for future logins?
Cognito provides a custom authentication flow where you can add your own custom challenge to authenticate the user by using Lambda functions. Basically, you generate a code in your Lambda that you send to the mobile phone number, and the user enters the code to authenticate.
An example is given in the following AWS presentation (towards the end):
https://www.youtube.com/watch?v=8DDIxqIW1sM