Authentication Tree OTP with REST

This topic has 11 replies, 5 voices, and was last updated 1 month ago by Scott Heger.

    #27841
     ldeng_lowes
    Participant

    Hi there, we are designing our authentication process using ForgeRock Authentication Tree with OTP as a second factor.

    start -> Data Store Decision -> HOTP Generator -> OTP Twilio SMS Sender -> OTP Collector Decision -> Success/Failure

    In the Auth Tree, user credentials will be verified with the Data Store first and, once verified successfully, an OTP will be generated and sent to the user via SMS using a 3rd-party SMS provider such as Twilio. Then the user will need to enter the received OTP and have it verified through the “OTP Collector Decision” Auth Node.

    The question is that this authentication tree will be interacting with our front-end application through the REST API, so no AM GUI is involved. I’m wondering whether this is doable, as there are several callbacks within the process, especially the OTP Collector Decision part.

    It would be great if you can provide some feedback and documentation on how to approach this. Thanks.

    Best,

    Le

    #27842
     Andrew Potter
    Participant

    Hi Le

    In short, yes. Anything the AM GUI can do, can be done in custom UI.

    The easiest way to work out what your custom UI should do is see what the AM UI does with the browser developer tools open. This way you’ll see the REST calls you need to make.

    The ForgeRock Identity Cloud documentation also has an example: https://developer.forgerock.com/docs/identity-cloud/how-tos/verification-code
    It’s not precisely what you want, but inspecting the AM GUI calls, and referencing this might help you.
    The calls you need to make given your config are essentially 6, 7, and 9.

    As you’re using the REST API, have you looked at the SDKs?
    They dynamically handle callbacks for you so you don’t need to redeploy the app if your tree configuration changes.
    SDKs are documented here: https://sdks.forgerock.com/
    They support custom UI too, so consider this tutorial: https://sdks.forgerock.com/javascript/05_custom-ui/

    Let’s also address Twilio – this node might be a better option as it’s more flexible, but that’s up to you: https://backstage.forgerock.com/marketplace/api/catalog/entries/AXETwHU7nnbgOG9zpJP1

    #27843
     Jatinder Singh
    Participant

    +1 Andrew’s suggestion.

    If the JavaScript SDK is not an option, you can use AM’s REST API as suggested above. You will have to manage callback templates in your custom app (frontend app) to transform to/from AM callbacks. E.g.

    1. AM sends JSON response with callbacks to your custom app;
    2. Custom app transforms AM’s response into renderable UI (injecting AuthID as well);
    3. User interacts with the UI form and clicks submit;
    4. Custom app receives the user’s response > transforms it into AM callbacks using a predefined template and the AuthID from the user’s response > sends it to AM;
    5. AM receives the user’s response and processes it.

    As you can see it can get slightly tedious having to manage those callback templates, and for that reason SDK is a better choice.

    Hope this helps!
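The callback round trip described in the five steps above, written out as an added example (this is not code from the thread, from the ForgeRock SDKs, or from AM itself). It assumes the tree from the first post: the first /authenticate response carries a NameCallback and a PasswordCallback, and the OTP Collector Decision step returns a single PasswordCallback whose prompt is "One Time Password"; both responses, the authId values and the success tokenId are constructed samples, and the fake AM transport stands in for a real HTTP client. The point it shows is the template layer: render whatever callbacks AM sends, reject callback types the template does not know, and echo the authId back untouched on every step.

```javascript
// Callback template layer for a custom UI driving an AM authentication tree
// over /json/realms/root/authenticate. Added example; sample data is
// constructed, not captured from a real AM deployment.

// AM callback types this UI knows how to render. Unknown types are rejected:
// posting empty values for a callback you cannot render makes a tree change
// fail in confusing ways instead of loudly.
const RENDERERS = {
  NameCallback: { kind: 'text' },
  PasswordCallback: { kind: 'password' },
};

// Step 2: turn an AM callback response into a renderable form model.
// The authId travels with the form so it can be echoed back unchanged.
function renderForm(amResponse) {
  if (typeof amResponse.authId !== 'string' || !Array.isArray(amResponse.callbacks)) {
    throw new Error('not a callback response');
  }
  const fields = amResponse.callbacks.map((cb) => {
    const renderer = RENDERERS[cb.type];
    if (!renderer) throw new Error(`unsupported callback type: ${cb.type}`);
    const prompt = (cb.output || []).find((o) => o.name === 'prompt');
    return { id: cb.input[0].name, kind: renderer.kind, prompt: prompt ? prompt.value : cb.type };
  });
  return { authId: amResponse.authId, fields };
}

// Step 4: merge the user's values back into AM's callback structure and build
// the JSON body to POST. Callbacks are copied, not mutated, so the original
// response can still be inspected; every field must have a value.
function buildAmPayload(amResponse, formValues) {
  const form = renderForm(amResponse);
  const callbacks = amResponse.callbacks.map((cb, i) => {
    const field = form.fields[i];
    if (!(field.id in formValues)) throw new Error(`missing value for ${field.prompt}`);
    return { ...cb, input: [{ name: field.id, value: String(formValues[field.id]) }] };
  });
  return { authId: amResponse.authId, callbacks };
}

// Steps 1 and 5: drive the tree until AM returns a tokenId. `post(body)` is
// the transport (synchronous here; wrap fetch with await in a real app) and
// `answer(form)` supplies values for a rendered form. The tokenId is a session
// secret: keep it out of logs and out of storage you do not control.
function runTree(post, answer) {
  let response = post({}); // an empty body starts the tree
  for (let step = 0; step < 10; step++) { // hard stop against a looping tree
    if (response.tokenId) return response.tokenId;
    if (!response.callbacks) throw new Error('authentication failed');
    response = post(buildAmPayload(response, answer(renderForm(response))));
  }
  throw new Error('too many steps');
}

// Constructed sample responses for the tree in the thread (assumed shapes).
const STEP1 = {
  authId: 'constructed-authId-step1',
  callbacks: [
    { type: 'NameCallback', output: [{ name: 'prompt', value: 'User Name' }], input: [{ name: 'IDToken1', value: '' }] },
    { type: 'PasswordCallback', output: [{ name: 'prompt', value: 'Password' }], input: [{ name: 'IDToken2', value: '' }] },
  ],
};
const STEP2 = {
  authId: 'constructed-authId-step2',
  callbacks: [
    { type: 'PasswordCallback', output: [{ name: 'prompt', value: 'One Time Password' }], input: [{ name: 'IDToken1', value: '' }] },
  ],
};
const SUCCESS = { tokenId: 'constructed-session-token', successUrl: '/' };
const FAILED = { code: 401, reason: 'Unauthorized', message: 'Authentication Failed' };

// Fake AM transport: records every body it receives, checks the echoed authId
// and the submitted values, and advances through STEP1 -> STEP2 -> SUCCESS.
function fakeAm() {
  const calls = [];
  return {
    calls,
    post(body) {
      calls.push(body);
      if (!body.authId) return STEP1;
      if (body.authId === STEP1.authId) {
        const [user, pass] = body.callbacks.map((c) => c.input[0].value);
        return user === 'le' && pass === 'secret' ? STEP2 : FAILED;
      }
      if (body.authId === STEP2.authId) {
        return body.callbacks[0].input[0].value === '123456' ? SUCCESS : FAILED;
      }
      return FAILED;
    },
  };
}

// Answer fields by prompt, the way a UI maps rendered fields back to inputs.
function answerWith(answers) {
  return (form) => Object.fromEntries(form.fields.map((f) => [f.id, answers[f.prompt]]));
}

const am = fakeAm();
const tokenId = runTree(am.post, answerWith({ 'User Name': 'le', Password: 'secret', 'One Time Password': '123456' }));
console.log('tree completed in', am.calls.length, 'round trips; tokenId length', tokenId.length);
```

In a real client the same three functions stay as they are and only `post` changes: POST to https://<am-host>/am/json/realms/root/authenticate with `Content-Type: application/json` and `Accept-API-Version: resource=2.0, protocol=1.0`, then read the JSON body. Adding a new callback type to the tree means adding one entry to RENDERERS, which is the maintenance cost the post refers to and the reason the SDKs are the easier route.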

    #27844
     ldeng_lowes
    Participant

    You guys rock. This is very helpful. Thanks very much, Andrew and Jatinder!

    Best,
    Le

    #27845
     nalowes3690
    Participant

    Get an access token for your tenant. Substitute your tenant name, username, and password in the following REST call:

    curl -X POST \
    https://openam-{tenantName}.forgeblocks.com/am/json/realms/root/authenticate \
    -H 'Content-Type: application/json' \
    -d '{
    "userName":"<Username>",
    "password":"<Password>"
    }'

    ---- In the above, where is the access token being generated that can be sent as a bearer token? The above information is found at: https://developer.forgerock.com/docs/identity-cloud/how-tos/verification-code

    #27850
     Andrew Potter
    Participant

    That guide is specific to the ForgeRock Identity Cloud Express edition (https://developer.forgerock.com/docs/identity-cloud), which uses the ForgeRock platform software but adds some management APIs.

    Unfortunately, it looks like the document referenced is not completely correct. Step 1 should probably be using the Express-specific /siginin API to get the tenant access_token: https://developer-api.forgerock.com/?version=latest#dac5ecf8-b3a4-4306-860f-e8f0f086ef95

    #27858
     ldeng_lowes
    Participant

    Can we do OTP retrieval through REST API instead of email or SMS? Like:

    start -> Data Store Decision -> HOTP Generator -> OTP API (for retrieving OTP through REST calls) -> OTP Collector Decision -> Success/Failure

    Not sure if any tree node is available in market place.

    Best,
    Le

    #27864
     Andrew Potter
    Participant

    I suppose you could store the OTP in the user profile using https://backstage.forgerock.com/marketplace/api/catalog/entries/AWAwxWmg-2E1SFPSnRUq then you can use the REST API (https://backstage.forgerock.com/docs/am/6.5/maintenance-guide/index.html#rest-api-read-identity) to read the user’s profile…but why? What’s the use case?

    #27865
     ldeng_lowes
    Participant

    That sounds good. Will try it out.

    The reason is that currently the upstream app which calls the AM API triggers email sending by calling another app’s API. They don’t want to set up an SMTP server directly but want to see if it is doable by directly retrieving the OTP from AM’s API.

    Best,
    Le

    #27867
     ldeng_lowes
    Participant

    How do we find the list of available objects in the shared state? I searched through the documentation and did a number of trial-and-error attempts, but I’m still not sure what name to use for retrieving the OTP value.

    #27869
     Jatinder Singh
    Participant

    It’s a map of k-v pairs. You can iterate through the map to get access to its k-v pairs. And if you log the shared state variable, it will print all of its k-v pairs.

    #27872
     Scott Heger
    Participant

    As mentioned in another recent post, another option to see what you have access to in different parts of AM is to attach your IDE to a debugger (enabled in your AM container) and set breakpoints near where you want to find out what is available. You’ll find lots of great information that way.
