April 27, 2020 at 2:33 pm #27841
Hi there, we are designing our authentication process using ForgeRock Authentication Tree with OTP as a second factor.
start -> Data Store Decision -> HOTP Generator -> OTP Twilio SMS Sender -> OTP Collector Decision -> Success/Failure
In the auth tree, user credentials will be verified against the Data Store first, and once verified successfully an OTP will be generated and sent to the user via SMS using a 3rd-party SMS provider such as Twilio. The user will then need to enter the received OTP, which is verified through the “OTP Collector Decision” auth node.
The question is that this authentication tree will be interacting with our front-end application through the REST API, so no AM GUI is involved. I’m wondering whether this is doable, as there are several callbacks within the process, especially the OTP Collector Decision part.
It would be great if you can provide some feedback and documentation on how to approach this. Thanks.
Le

April 27, 2020 at 3:52 pm #27842
In short, yes. Anything the AM GUI can do, can be done in custom UI.
The easiest way to work out what your custom UI should do is see what the AM UI does with the browser developer tools open. This way you’ll see the REST calls you need to make.
The ForgeRock Identity Cloud documentation also has an example: https://developer.forgerock.com/docs/identity-cloud/how-tos/verification-code
It’s not precisely what you want, but inspecting the AM GUI calls, and referencing this might help you.
The calls you need to make given your config are essentially 6, 7, and 9.
As you’re using the REST API, have you looked at the SDKs?
They dynamically handle callbacks for you so you don’t need to redeploy the app if your tree configuration changes.
SDKs are documented here: https://sdks.forgerock.com/
Let’s also address Twilio – this node might be a better option as it’s more flexible, but that’s up to you! https://backstage.forgerock.com/marketplace/api/catalog/entries/AXETwHU7nnbgOG9zpJP1

April 27, 2020 at 5:37 pm #27843 Jatinder Singh, Participant
+1 Andrew’s suggestion.
1. AM sends JSON response with callbacks to your custom app;
2. Custom app transforms AM’s response into renderable UI (injecting AuthID as well);
3. User interacts with the UI form and clicks submit;
4. Custom app receives user’s response > transforms into AM callbacks using predefined template and using the AuthID from user’s response > sends it to AM.
5. AM receives the user’s response and processes it.
As you can see it can get slightly tedious having to manage those callback templates, and for that reason SDK is a better choice.
Hope this helps!

April 27, 2020 at 7:53 pm #27844
You guys rock. This is very helpful. Thanks very much, Andrew and Jatinder!
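Jatinder’s five-step exchange above, together with Andrew’s advice to watch the AM UI’s own REST calls, worked through as an added example (not code from this thread or from ForgeRock). It assumes AM’s standard /json/realms/root/authenticate endpoint selected with authIndexType=service, the NameCallback/PasswordCallback JSON shape, that Username and Password Collector nodes sit in front of Data Store Decision, and that OTP Collector Decision presents a PasswordCallback prompting for “One Time Password”. The tree name, credentials, authId strings and SSO token are constructed. The HTTP transport is injected, so the exchange runs offline against a constructed fake AM that plays the server side of each step.

```python
"""Drive an AM authentication tree over REST by answering its callbacks.

Added example, not code from the thread or from ForgeRock. Endpoint, query
parameters, headers and callback shapes follow AM's documented REST API; the
tree name, credentials, authId values and token below are constructed.
"""
import copy
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict

Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]

API_HEADERS = {
    "Content-Type": "application/json",
    "Accept-API-Version": "resource=2.0, protocol=1.0",
}


def http_post(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport (stdlib only). AM answers a failed step with a 401 and a
    JSON body, so the HTTPError body is returned rather than raised."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def prompt_of(callback: Dict[str, Any]) -> str:
    """The prompt AM attached to a callback, e.g. "User Name" or "Password"."""
    for out in callback.get("output", []):
        if out.get("name") == "prompt":
            return out["value"]
    return ""


def fill_callbacks(response: Dict[str, Any], answers: Dict[str, str]) -> Dict[str, Any]:
    """Step 4 of the exchange: copy AM's response (authId included) and fill each
    callback's input from the answers, keyed by prompt. An unknown prompt raises
    instead of being sent back empty, which would only fail the node."""
    body = copy.deepcopy(response)
    for cb in body["callbacks"]:
        prompt = prompt_of(cb)
        if prompt not in answers:
            raise KeyError(f"no answer for {cb['type']} with prompt {prompt!r}")
        for inp in cb["input"]:
            inp["value"] = answers[prompt]
    return body


def authenticate(post: Transport, base_url: str, tree: str, answers: Dict[str, str], max_rounds: int = 10) -> str:
    """Steps 1-5 in a loop: post, fill callbacks, post back, until a tokenId arrives."""
    url = f"{base_url}/json/realms/root/authenticate?authIndexType=service&authIndexValue={tree}"
    body: Dict[str, Any] = {}  # the first call carries no body
    for _ in range(max_rounds):
        resp = post(url, API_HEADERS, body)
        if "tokenId" in resp:  # tree reached Success: SSO token issued
            return resp["tokenId"]
        if "callbacks" not in resp:  # 401-style error body from AM
            raise RuntimeError(f"authentication failed: {resp.get('message', resp)}")
        body = fill_callbacks(resp, answers)
    raise RuntimeError("tree did not finish within max_rounds")


class FakeAM:
    """Constructed stand-in for AM playing the thread's tree: credential
    collection + Data Store Decision, then HOTP Generator + OTP Collector Decision."""
    USER, PASSWORD, OTP = "alice", "correct-horse-battery", "482913"  # constructed
    TOKEN = "AQIC5w-constructed-sso-token"  # constructed

    def __init__(self) -> None:
        self.stage = "credentials"

    @staticmethod
    def _cb(kind: str, prompt: str, slot: str) -> Dict[str, Any]:
        return {"type": kind, "output": [{"name": "prompt", "value": prompt}], "input": [{"name": slot, "value": ""}]}

    def __call__(self, url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        if not url.endswith("authIndexValue=OTPTree") or headers.get("Content-Type") != "application/json":
            raise RuntimeError("fake AM: unexpected request")
        denied = {"code": 401, "reason": "Unauthorized", "message": "Authentication Failed"}
        if self.stage == "credentials":
            if not body:
                return {"authId": "authid-1", "callbacks": [self._cb("NameCallback", "User Name", "IDToken1"),
                                                             self._cb("PasswordCallback", "Password", "IDToken2")]}
            values = [cb["input"][0]["value"] for cb in body["callbacks"]]
            if body.get("authId") != "authid-1" or values != [self.USER, self.PASSWORD]:
                return denied
            self.stage = "otp"
            return {"authId": "authid-2", "callbacks": [self._cb("PasswordCallback", "One Time Password", "IDToken1")]}
        if self.stage == "otp":
            if body.get("authId") != "authid-2" or body["callbacks"][0]["input"][0]["value"] != self.OTP:
                return denied
            self.stage = "done"
            return {"tokenId": self.TOKEN, "successUrl": "/am/console", "realm": "/"}
        return denied


if __name__ == "__main__":
    answers = {"User Name": "alice", "Password": "correct-horse-battery", "One Time Password": "482913"}
    print(authenticate(FakeAM(), "https://am.example.com/am", "OTPTree", answers))
```

Watched in the browser developer tools, the real exchange has exactly this shape: an empty POST, a 200 carrying authId plus callbacks, the same JSON posted back with the inputs filled, and finally a tokenId. The authId is opaque and must go back unchanged; a wrong answer at any node comes back as a 401 with a JSON body, which the loop surfaces instead of retrying. Swap FakeAM for http_post to run it against a real tenant.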
Le

April 27, 2020 at 8:46 pm #27845 nalowes3690, Participant
Get an access token for your tenant. Substitute your tenant name, username, and password in the following REST call:
curl -X POST \
-H 'Content-Type: application/json' \
--- in the above, where is the access token being generated that can be sent as a bearer token? The above information is found at: https://developer.forgerock.com/docs/identity-cloud/how-tos/verification-code

April 28, 2020 at 11:34 am #27850
That guide is specific to the ForgeRock Identity Cloud Express edition: https://developer.forgerock.com/docs/identity-cloud which uses the ForgeRock platform software, but adds some management APIs.
Unfortunately, it looks like the document referenced is not completely correct. Step 1 should probably be using the Express-specific /signin API to get the tenant access_token: https://developer-api.forgerock.com/?version=latest#dac5ecf8-b3a4-4306-860f-e8f0f086ef95

April 29, 2020 at 6:10 pm #27858
Can we do OTP retrieval through REST API instead of email or SMS? Like:
start -> Data Store Decision -> HOTP Generator -> OTP API (for retrieving OTP through REST calls) -> OTP Collector Decision -> Success/Failure
Not sure if any tree node is available in market place.
Le

April 30, 2020 at 12:13 pm #27864
I suppose you could store the OTP in the user profile using https://backstage.forgerock.com/marketplace/api/catalog/entries/AWAwxWmg-2E1SFPSnRUq then you can use the REST API (https://backstage.forgerock.com/docs/am/6.5/maintenance-guide/index.html#rest-api-read-identity) to read the user’s profile…but why? What’s the use case?

April 30, 2020 at 1:54 pm #27865
That sounds good. Will try it out.
The reason is that currently the upstream app which calls the AM API triggers email sending by calling another app’s API. They don’t want to set up an SMTP server directly but want to see if it is doable by directly retrieving the OTP from AM’s API.
Le

April 30, 2020 at 3:26 pm #27867
How do we find the list of available objects in a shared state? I searched through the documentation and did a number of trial-and-error attempts, but I’m still not sure what name to use for retrieving the OTP value.

April 30, 2020 at 7:17 pm #27869 Jatinder Singh, Participant
It’s a map of k-v pairs. You can iterate through the map to get access to its k-v pairs, and if you log the shared state variable, it will print all of its k-v pairs.

April 30, 2020 at 8:53 pm #27872 Scott Heger, Participant
As mentioned in another recent post, another option to see what you have access to in different parts of AM is to attach your IDE to a debugger (enable it in your AM container) and set breakpoints near where you want to find out what is available. You’ll find lots of great information that way.