How to custom the default authentication method-username/password in WSO2 Identity Server 5.7.0? i.e. use password plus any of mobile/email/username to authentication an end user and provide the user an JWT token as response.
Please refer to the following[1][2] as per your requirement you can use basic(username/password) as authentication step 1 and SMS OTP or email OTP as step 2. Following examples are based on SAML but as you need to get JWT token as a responce you need to register an OIDC application as a service provider.[3][4]
[1].https://docs.wso2.com/display/IS570/Configuring+Email+OTP#ConfiguringEmailOTP-ConfigureWSO2ISastheemailOTPprovider
[2].https://docs.wso2.com/display/ISCONNECTORS/Configuring+Multi-factor+Authentication+using+SMSOTP
[3].https://docs.wso2.com/display/IS570/Configuring+OAuth2-OpenID+Connect+Single-Sign-On
[4].https://docs.wso2.com/display/IS570/Try+Authorization+Code+Grant
Related
I want to use Google Authenticator for 2-factor authentication with WSO2 identity server 5.7.0. The Google Authenticator should provide a One-Time Password which is valid only for a very short duration. Using the email id, password and OTP (generated from Google Authenticator) a user should be allowed to sign in into an application.
I cannot find how to implement google authenticator in the link mentioned below WSO2 Identity Server Authenticators and Connectors Documentation
Can anyone provide some steps in the direction to implement Google Authenticator with WSO2?
Note: I am not referring to using Google as a federated authenticator.
As for me for your use case you don't need google authenticator you need email otp[1]. You can configure your email otp to generate from google. You can enable it as a second factor in authentication. So the first user will login using user name and password then user will be asked for the otp that generated from google. That will be sent to the user email account.
If you want to use the google authenticator to get the otp not the email then you should use wso2 totp. [2]
[1]. https://docs.wso2.com/display/IS570/Configuring+Email+OTP
[2].https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator
I have the MultiTenant web application that internally using different services and Restapi Service and login purpose username and password validation using WSO2IS and LDAP.LDAP is configured with WSO2IS UserStore.So when customer login into web application right now implemented like checking username and password is present in LDAP directory or not. Based on the LDAP directory response logging into the application.
Now I want to implement token-based authentication when client login into the application by using he/she tenant user credential, get the token from WSO2IS server, send token at the client side. So that while calling any service or RestApi call with using that token. If after time limit if it expire than regenerate the token And when the request to any service and Rest API validate token is valid or not. So if the valid token then only backend service send response otherwise send failure response.
I am stuck in the correct approach. I need exact approach for successfully implement authorization identity management service with WSO2 to handle access token for user validation and to validate Rest Service.
You can use OpenID Connect (OIDC) [1] in order to achieve your requirement.
OpenID Connect is an authentication protocol that is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.
You can use WSO2 IS and integrate your client application with OIDC [2][3] and get an access token on behalf of the user to communicate with external APIs.
Also you can use the OAuth Introspection endpoint [4] of the WSO2 IS in order to validate the access tokens as for your requirements.
[1] https://openid.net/connect
[2] https://docs.wso2.com/display/IS570/OpenID+Connect
[3] https://docs.wso2.com/display/IS570/OpenID+Connect+Authentication
[4] https://docs.wso2.com/display/IS570/Invoke+the+OAuth+Introspection+Endpoint
I am using WSO2 access Grant for securing a web application.when the user logs in with right credential, I generate the token successful by invoking /oauth2/token service. I store this at the client side and when user invokes the next set of APIs, user hits my API with this token. How can validate the token now ?how can I validate the token to check the scope ? Which serviceI can use for validating the token and user is passing the right token associated with him??
You can use OAuth Introspection Endpoint[1] to validate the token,scope
[1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Introspection+Endpoint
Using java client, I have generated the SAMLRequest string
Is there a way to post the whole data, and skip the IdentityServer login page?
With the data which I pass, has to meet the authentication for SSO and then generate Oauth2Token.
You can use request path authentication and send the username, password in the same request, which will give you the SAML assertion. You can later use SAML2 bearer grant type to exchange that assertion to an oauth token.
I have a dataprovider with a REST service. They said that the authentication goes as follows:
1. Username and Password are passed in the request header
2. If the authentication is successful I get a token which I have to store and use this token to make further requests.
Now I started reading into REST Authentication and just do not understand what kind of authentication they use. I guess I have missunderstood something, so please correct me.
There are three kinds of authentication
1. Basic Authentication (sending username and password base 64 encoded in the header)
2. OpenID (here I send my username and password to a provider to receive a token)
3. OAuth (The caller is identified with a trusted token to let application call another application on a end-user's behalf without requiring the calling application to store the users's username and password)
I cannnot see, where to classify my providers method. 1. I am not sending UserName Password everytime. 2. I do not use a provider, 3. I am not doing application calls and do not use only tokens. Could anyone help me here?
When you send username and password to provider if correct, provider will create a token for this user and this token will be sent to you by provider.
After this, you can use this token in any session and you can check only this token for expiration, you do not have to send username and password everytime.