Add support for MFA using OIDC conformant endpoints #146
Changes from all commits
0ce7183
912897a
b55c181
fdc2bd9
422af71
@@ -157,17 +157,23 @@ public boolean isInvalidConfiguration() { | |
|
||
/// When MFA code is required to authenticate | ||
public boolean isMultifactorRequired() { | ||
return "a0.mfa_required".equals(code); | ||
return "mfa_required".equals(code) || "a0.mfa_required".equals(code); | ||
} | ||
|
||
/// When MFA is required and the user is not enrolled | ||
public boolean isMultifactorEnrollRequired() { | ||
return "a0.mfa_registration_required".equals(code); | ||
return "a0.mfa_registration_required".equals(code) || "unsupported_challenge_type".equals(code); | ||
Review comment: The error is that the specific challenge type is not expected, vs. enrolment in general. Should we clarify this? It could be they don't support OTP but do OOB.
|
||
} | ||
|
||
/// When the MFA Token used on the login request is malformed or has expired | ||
public boolean isMultifactorTokenInvalid() { | ||
return "expired_token".equals(code) && "mfa_token is expired".equals(description) || | ||
"invalid_grant".equals(code) && "Malformed mfa_token".equals(description); | ||
} | ||
|
||
/// When MFA code sent is invalid or expired | ||
public boolean isMultifactorCodeInvalid() { | ||
return "a0.mfa_invalid_code".equals(code); | ||
return "a0.mfa_invalid_code".equals(code) || "invalid_grant".equals(code) && "Invalid otp_code.".equals(description); | ||
} | ||
|
||
/// When password used for SignUp does not match connection's strength requirements. | ||
|
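Review bot: The new branches in isMultifactorTokenInvalid and isMultifactorCodeInvalid match on exact free-text error_description values ("mfa_token is expired", "Malformed mfa_token", "Invalid otp_code."), which are not part of the error contract and can change without the error code changing, so consider keying on the code alone where the server makes that possible and treating the description match as a fallback, and parenthesize the "&&" terms inside the "||" in both methods so the precedence is explicit. In isMultifactorEnrollRequired, mapping "unsupported_challenge_type" to "not enrolled" conflates two situations, as the inline comment already points out: that code says the requested challenge type is not available, which can also happen for a user who is enrolled for a different challenge type such as OOB, so a separate predicate for it would avoid sending enrolled users through enrolment.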
I can't think of a better name right now, but it would be good to be consistent on platforms. In Swift the counterpart might be defined as login(withOTP:
Ideally we can have a single "login" method that just sets the client_id and the path /oauth/token. But then users will need to know for each grant type what parameters are accepted. That's the reason we now have a new login "with otp" method that helps to construct this request. So in Swift what are you doing, is that "withOTP" like a flag?
No, so in Swift there are 2 login methods: one is /ro, the other grant password-realm. In this case if I had login(withOTP otp: String, mfaToken: String), the auto-complete would show 3 logins and it's based on the params; in Swift the guideline is to create methods that have meaningful names. You could have login(otp: String, token: String), which isn't as informative. When the user calls this method they would write login(withOTP: "12356", mfaToken: "blah"); the otp is used inside the method.
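As an added example (not code from this PR or from the Auth0 project), the error-code checks in the diff above collected into one classifier that keeps unsupported_challenge_type separate from enrolment, as the inline review comment suggests; the class name, the Outcome enum and the sample error_description values are assumptions constructed for illustration.

```java
import java.util.Map;

public class MfaErrorClassifier {

    // Outcomes for an MFA-related token-endpoint error (constructed for this example)
    enum Outcome { MFA_REQUIRED, ENROLL_REQUIRED, CHALLENGE_TYPE_UNSUPPORTED, MFA_TOKEN_INVALID, CODE_INVALID, OTHER }

    // code is the "error" field and description the "error_description" field of the body.
    // The codes and descriptions matched here are the ones used in the diff above.
    static Outcome classify(String code, String description) {
        if (code == null) {
            return Outcome.OTHER;
        }
        switch (code) {
            case "mfa_required":
            case "a0.mfa_required":
                return Outcome.MFA_REQUIRED;
            case "a0.mfa_registration_required":
                return Outcome.ENROLL_REQUIRED;
            case "unsupported_challenge_type":
                // Kept apart from enrolment: the user may be enrolled for a different
                // challenge type (e.g. OOB) even though OTP is not accepted.
                return Outcome.CHALLENGE_TYPE_UNSUPPORTED;
            case "a0.mfa_invalid_code":
                return Outcome.CODE_INVALID;
            case "expired_token":
                return "mfa_token is expired".equals(description) ? Outcome.MFA_TOKEN_INVALID : Outcome.OTHER;
            case "invalid_grant":
                // invalid_grant is generic; only the free-text description separates these cases,
                // so anything else falls through to OTHER instead of being misreported
                if ("Malformed mfa_token".equals(description)) return Outcome.MFA_TOKEN_INVALID;
                if ("Invalid otp_code.".equals(description)) return Outcome.CODE_INVALID;
                return Outcome.OTHER;
            default:
                return Outcome.OTHER;
        }
    }

    static Outcome classify(Map<String, String> body) {
        return classify(body.get("error"), body.get("error_description"));
    }

    public static void main(String[] args) {
        // Constructed sample responses, already parsed from JSON into maps
        System.out.println(classify(Map.of("error", "mfa_required", "error_description", "Multifactor authentication required")));
        System.out.println(classify(Map.of("error", "unsupported_challenge_type", "error_description", "OTP challenge not available")));
        System.out.println(classify(Map.of("error", "invalid_grant", "error_description", "Invalid otp_code.")));
        System.out.println(classify(Map.of("error", "invalid_grant", "error_description", "Wrong email or password.")));
    }
}
```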