Add support for MFA using OIDC conformant endpoints

README.md

@@ -280,6 +280,32 @@ authentication
 
 > The default scope used is `openid`
 
+
+#### Login using MFA with One Time Password code
+
+This call requires the client to have the *MFA* Client Grant Type enabled. Check [this article](https://auth0.com/docs/clients/client-grant-types) to learn how to enable it.
+
+When you sign in to a multifactor authentication enabled connection using the `login` method, you receive an error standing that MFA is required for that user along with an `mfa_token` value. Use this value to call `loginWithOTP` and complete the MFA flow passing the One Time Password from the enrolled MFA code generator app.
+
+
+```java
+authentication
+ .loginWithOTP("the mfa token", "123456")
+ .start(new BaseCallback<Credentials>() {
+ @Override
+ public void onSuccess(Credentials payload) {
+ //Logged in!
+ }
+
+ @Override
+ public void onFailure(AuthenticationException error) {
+ //Error!
+ }
+ });
+```
+
+
+
 #### Passwordless Login
 
 This feature requires your Application to have the *Resource Owner* Legacy Grant Type enabled. Check [this article](https://auth0.com/docs/clients/client-grant-types) to learn how to enable it. Note that Passwordless authentication *cannot be used* with the [OIDC Conformant Mode](#oidc-conformant-mode) enabled.

auth0/src/main/java/com/auth0/android/Auth0.java

@@ -216,6 +216,7 @@ public boolean isTLS12Enforced() {
 
  /**
  * Set whether to enforce TLS 1.2 on devices with API 16-21.
+ *
  * @param enforced whether TLS 1.2 is enforced on devices with API 16-21.
  */
  public void setTLS12Enforced(boolean enforced) {

auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.java

@@ -40,12 +40,12 @@
 import com.auth0.android.request.Request;
 import com.auth0.android.request.internal.AuthenticationErrorBuilder;
 import com.auth0.android.request.internal.GsonProvider;
+import com.auth0.android.request.internal.OkHttpClientFactory;
 import com.auth0.android.request.internal.RequestFactory;
 import com.auth0.android.result.Credentials;
 import com.auth0.android.result.DatabaseUser;
 import com.auth0.android.result.Delegation;
 import com.auth0.android.result.UserProfile;
-import com.auth0.android.request.internal.OkHttpClientFactory;
 import com.auth0.android.util.Telemetry;
 import com.google.gson.Gson;
 import com.squareup.okhttp.HttpUrl;
@@ -54,6 +54,7 @@
 import java.util.Map;
 
 import static com.auth0.android.authentication.ParameterBuilder.GRANT_TYPE_AUTHORIZATION_CODE;
+import static com.auth0.android.authentication.ParameterBuilder.GRANT_TYPE_MFA_OTP;
 import static com.auth0.android.authentication.ParameterBuilder.GRANT_TYPE_PASSWORD;
 import static com.auth0.android.authentication.ParameterBuilder.GRANT_TYPE_PASSWORD_REALM;
 import static com.auth0.android.authentication.ParameterBuilder.ID_TOKEN_KEY;
@@ -81,6 +82,8 @@ public class AuthenticationAPIClient {
  private static final String OAUTH_CODE_KEY = "code";
  private static final String REDIRECT_URI_KEY = "redirect_uri";
  private static final String TOKEN_KEY = "token";
+ private static final String MFA_TOKEN_KEY = "mfa_token";
+ private static final String ONE_TIME_PASSWORD_KEY = "otp";
  private static final String DELEGATION_PATH = "delegation";
  private static final String ACCESS_TOKEN_PATH = "access_token";
  private static final String SIGN_UP_PATH = "signup";
@@ -97,7 +100,8 @@ public class AuthenticationAPIClient {
  private static final String HEADER_AUTHORIZATION = "Authorization";
 
  private final Auth0 auth0;
- @VisibleForTesting final OkHttpClient client;
+ @VisibleForTesting
+ final OkHttpClient client;
  private final Gson gson;
  private final RequestFactory factory;
  private final ErrorBuilder<AuthenticationException> authErrorBuilder;
@@ -235,6 +239,39 @@ public AuthenticationRequest login(@NonNull String usernameOrEmail, @NonNull Str
  return loginWithToken(requestParameters);
  }
 
+ /**
+ * Log in a user using the One Time Password code after they have received the 'mfa_required' error.
+ * The MFA token tells the server the username or email, password and realm values sent on the first request.
+ * Requires your client to have the <b>MFA</b> Grant Type enabled. See <a href="https://auth0.com/docs/clients/client-grant-types">Client Grant Types</a> to learn how to enable it.* Example usage:
+ * <pre>
+ * {@code
+ * client.loginWithOTP("{mfa token}", "{one time password}")
+ * .start(new BaseCallback<Credentials>() {
+ * {@literal}Override
+ * public void onSuccess(Credentials payload) { }
+ *
+ * {@literal}Override
+ * public void onFailure(AuthenticationException error) { }
+ * });
+ * }
+ * </pre>
+ *
+ * @param mfaToken the token received in the previous {@link #login(String, String, String)} response.
+ * @param otp the one time password code provided by the resource owner, typically obtained from an
+ * MFA application such as Google Authenticator or Guardian.
+ * @return a request to configure and start that will yield {@link Credentials}
+ */
+ @SuppressWarnings("WeakerAccess")
+ public AuthenticationRequest loginWithOTP(@NonNull String mfaToken, @NonNull String otp) {
+ Map<String, Object> parameters = ParameterBuilder.newBuilder()
+ .setGrantType(GRANT_TYPE_MFA_OTP)
+ .set(MFA_TOKEN_KEY, mfaToken)
+ .set(ONE_TIME_PASSWORD_KEY, otp)
+ .asDictionary();
+
+ return loginWithToken(parameters);
+ }
+
  /**
  * Log in a user with a OAuth 'access_token' of a Identity Provider like Facebook or Twitter using <a href="https://auth0.com/docs/api/authentication#social-with-provider-s-access-token">'\oauth\access_token' endpoint</a>
  * The default scope used is 'openid'.

auth0/src/main/java/com/auth0/android/authentication/AuthenticationException.java

@@ -157,17 +157,23 @@ public boolean isInvalidConfiguration() {
 
  /// When MFA code is required to authenticate
  public boolean isMultifactorRequired() {
- return "a0.mfa_required".equals(code);
+ return "mfa_required".equals(code) || "a0.mfa_required".equals(code);
  }
 
  /// When MFA is required and the user is not enrolled
  public boolean isMultifactorEnrollRequired() {
- return "a0.mfa_registration_required".equals(code);
+ return "a0.mfa_registration_required".equals(code) || "unsupported_challenge_type".equals(code);
+ }
+
+ /// When the MFA Token used on the login request is malformed or has expired
+ public boolean isMultifactorTokenInvalid() {
+ return "expired_token".equals(code) && "mfa_token is expired".equals(description) ||
+ "invalid_grant".equals(code) && "Malformed mfa_token".equals(description);
  }
 
  /// When MFA code sent is invalid or expired
  public boolean isMultifactorCodeInvalid() {
- return "a0.mfa_invalid_code".equals(code);
+ return "a0.mfa_invalid_code".equals(code) || "invalid_grant".equals(code) && "Invalid otp_code.".equals(description);
  }
 
  /// When password used for SignUp does not match connection's strength requirements.

auth0/src/main/java/com/auth0/android/authentication/ParameterBuilder.java

@@ -53,6 +53,7 @@ public class ParameterBuilder {
  public static final String GRANT_TYPE_PASSWORD_REALM = "https://auth0.com/oauth/grant-type/password-realm";
  public static final String GRANT_TYPE_JWT = "urn:ietf:params:oauth:grant-type:jwt-bearer";
  public static final String GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code";
+ public static final String GRANT_TYPE_MFA_OTP = "https://auth0.com/oauth/grant-type/mfa-otp";
 
  public static final String SCOPE_OPENID = "openid";
  public static final String SCOPE_OFFLINE_ACCESS = "openid offline_access";

auth0/src/main/java/com/auth0/android/authentication/request/DelegationRequest.java

@@ -38,8 +38,8 @@
  * Represents a delegation request for Auth0 tokens that will yield a new delegation token.
  * The delegation response depends on the 'api_type' parameter.
  *
- * @param <T> type of object that will hold the delegation response. When requesting Auth0’s 'id_token' you can
- * use {@link Delegation}, otherwise you’ll need to provide an object that can be created from the JSON
+ * @param <T> type of object that will hold the delegation response. When requesting Auth0's 'id_token' you can
+ * use {@link Delegation}, otherwise you'll need to provide an object that can be created from the JSON
  * payload or just use {@code Map<String, Object>}
  */
 public class DelegationRequest<T> implements Request<T, AuthenticationException> {

auth0/src/main/java/com/auth0/android/authentication/storage/CredentialsManager.java

@@ -102,6 +102,8 @@ public void onFailure(AuthenticationException error) {
 
  /**
  * Checks if a non-expired pair of credentials can be obtained from this manager.
+ *
+ * @return whether there are valid credentials stored on this manager.
  */
  public boolean hasValidCredentials() {
  String accessToken = storage.retrieveString(KEY_ACCESS_TOKEN);

auth0/src/test/java/com/auth0/android/authentication/AuthenticationAPIClientTest.java

@@ -177,6 +177,32 @@ public void shouldCreateClientWithContextInfo() throws Exception {
  assertThat(client.getBaseURL(), equalTo("https://" + DOMAIN + "/"));
  }
 
+ @Test
+ public void shouldLoginWithMFAOTPCode() throws Exception {
+ mockAPI.willReturnSuccessfulLogin();
+ final MockAuthenticationCallback<Credentials> callback = new MockAuthenticationCallback<>();
+
+ Auth0 auth0 = new Auth0(CLIENT_ID, mockAPI.getDomain(), mockAPI.getDomain());
+ auth0.setOIDCConformant(true);
+ AuthenticationAPIClient client = new AuthenticationAPIClient(auth0);
+ client.loginWithOTP("ey30.the-mfa-token.value", "123456")
+ .start(callback);
+ assertThat(callback, hasPayloadOfType(Credentials.class));
+
+ final RecordedRequest request = mockAPI.takeRequest();
+ assertThat(request.getHeader("Accept-Language"), is(getDefaultLocale()));
+ Map<String, String> body = bodyFromRequest(request);
+
+ assertThat(request.getPath(), equalTo("/oauth/token"));
+ assertThat(body, hasEntry("client_id", CLIENT_ID));
+ assertThat(body, hasEntry("grant_type", "https://auth0.com/oauth/grant-type/mfa-otp"));
+ assertThat(body, hasEntry("mfa_token", "ey30.the-mfa-token.value"));
+ assertThat(body, hasEntry("otp", "123456"));
+ assertThat(body, not(hasKey("username")));
+ assertThat(body, not(hasKey("password")));
+ assertThat(body, not(hasKey("connection")));
+ }
+
  @Test
  public void shouldLoginWithUserAndPassword() throws Exception {
  mockAPI.willReturnSuccessfulLogin();

auth0/src/test/java/com/auth0/android/authentication/AuthenticationExceptionTest.java

@@ -138,20 +138,61 @@ public void shouldReturnNullIfMapDoesNotExist() throws Exception {
  assertThat(ex4.getValue("key"), is(nullValue()));
  }
 
+ @Test
+ public void shouldHaveExpiredMultifactorTokenOnOIDCMode() throws Exception {
+ values.put(ERROR_KEY, "expired_token");
+ values.put(ERROR_DESCRIPTION_KEY, "mfa_token is expired");
+ AuthenticationException ex = new AuthenticationException(values);
+ assertThat(ex.isMultifactorTokenInvalid(), is(true));
+ }
+
+ @Test
+ public void shouldHaveMalformedMultifactorTokenOnOIDCMode() throws Exception {
+ values.put(ERROR_KEY, "invalid_grant");
+ values.put(ERROR_DESCRIPTION_KEY, "Malformed mfa_token");
+ AuthenticationException ex = new AuthenticationException(values);
+ assertThat(ex.isMultifactorTokenInvalid(), is(true));
+ }
+
+ @Test
+ public void shouldRequireMultifactorOnOIDCMode() throws Exception {
+ values.put(ERROR_KEY, "mfa_required");
+ values.put("mfa_token", "some-random-token");
+ AuthenticationException ex = new AuthenticationException(values);
+ assertThat(ex.isMultifactorRequired(), is(true));
+ assertThat((String) ex.getValue("mfa_token"), is("some-random-token"));
+ }
+
  @Test
  public void shouldRequireMultifactor() throws Exception {
  values.put(CODE_KEY, "a0.mfa_required");
  AuthenticationException ex = new AuthenticationException(values);
  assertThat(ex.isMultifactorRequired(), is(true));
  }
 
+ @Test
+ public void shouldRequireMultifactorEnrollOnOIDCMode() throws Exception {
+ values.put(ERROR_KEY, "unsupported_challenge_type");
+ values.put(ERROR_DESCRIPTION_KEY, "User is not enrolled with guardian");
+ AuthenticationException ex = new AuthenticationException(values);
+ assertThat(ex.isMultifactorEnrollRequired(), is(true));
+ }
+
  @Test
  public void shouldRequireMultifactorEnroll() throws Exception {
  values.put(CODE_KEY, "a0.mfa_registration_required");
  AuthenticationException ex = new AuthenticationException(values);
  assertThat(ex.isMultifactorEnrollRequired(), is(true));
  }
 
+ @Test
+ public void shouldHaveInvalidMultifactorCodeOnOIDCMode() throws Exception {
+ values.put(ERROR_KEY, "invalid_grant");
+ values.put(ERROR_DESCRIPTION_KEY, "Invalid otp_code.");
+ AuthenticationException ex = new AuthenticationException(values);
+ assertThat(ex.isMultifactorCodeInvalid(), is(true));
+ }
+
  @Test
  public void shouldHaveInvalidMultifactorCode() throws Exception {
  values.put(CODE_KEY, "a0.mfa_invalid_code");

codecov.yml

@@ -15,7 +15,7 @@ coverage:
  default:
  enabled: true
  target: 80%
- threshold: 10%
+ threshold: 30%
  if_no_uploads: error
  changes:
  default: