Custom Form for Custom Authentication Module

This topic contains 6 replies, has 3 voices, and was last updated by Peter Major 1 week, 1 day ago.

    #18026
    rasarkar
    Participant

    Hi Everyone,

    We have a requirement to send an OTP to any of the 3 different mobile numbers that the user has in his profile. We are thinking of implementing a custom authentication module by extending the HOTP module code. As a part of this customization we need to customize the UI form as well and show the 3 different mobile numbers with radio button options. The user selects any one of the numbers and clicks on request OTP. Can anyone tell me how I can create this custom UI and hook it up with my custom auth module?

    Regards
    Ranajoy

    #18027
    Andy Cory
    Participant

    The default HOTP module has a UI already to allow end users to submit the OTP code they have received to their device. This is displayed after the OTP is sent, of course – you’ll need to add a custom form prior to this in order to allow the user to choose which number to use. How to customise a form is one part of the task, you’ll also need to read up about the call-back mechanism in order to link the new form into the customised HOTP flow.

    Customisation of the XUI is extensively covered in docs at https://backstage.forgerock.com/docs/am/5.1/ui-customization-guide for the latest version. Earlier versions are also documented, though UI customisation doesn’t have its own dedicated document. For earlier versions, look in the developers guide and reference guide. The developers guide also has information about custom authentication modules.

    In which attributes are the three mobile numbers you mention stored? Are they all stored in a multi-valued attribute, or in individually-named attributes?

    Andy

    #18028
    rasarkar
    Participant

    Hi Andy,

    The values are stored in individually named attributes. I was thinking of extending the existing HOTP module code and adding names for other attributes. Can I do that?

    Also can you share any details/documentation links regarding OpenAM callbacks?

    Regards
    Ranajoy

    #18029
    Andy Cory
    Participant

    Hi Ranajoy

    > I was thinking of extending the existing HOTP module code and adding names for other attributes. Can I do that?

    Taking the source code for the HOTP module as a template, I would expect that to be possible. The default HOTP module has configuration in which you specify the attribute that contains the number to which the OTP should be sent. Therefore, without customising the HOTP module, it’s possible to configure three instances of the HOTP module, each with a different attribute. Each module should be put into its own authentication chain. The problem then would be that you need to know which of the three chains to use before starting the flow, and I can’t think of a way to do that. You could write a simple custom auth module that presents the user with your three radio buttons, but it’s too late by then, you’ve started the authentication. If that were possible it would most likely be a better option, since a simple authentication module like that is likely to be easier to maintain than a custom version of the HOTP module.

    Unless someone can come up with a way of knowing which chain to call, your first idea of a custom HOTP module might be the only option.

    > Also can you share any details/documentation links regarding OpenAM callbacks?

    Customisation of authentication modules, including mapping the callbacks to the UI, is available on the ForgeRock Backstage portal, but you need to look at the docs for the version of OpenAM you are working on. On versions before AM5 the developers guide and reference guide are the best sources. For example, look here for v13 -> https://backstage.forgerock.com/docs/openam/13/dev-guide#sec-auth-spi. In AM5 it would be the document I linked to above. Aside from the official ForgeRock documentation there are examples of custom auth modules with additional UI elements in various blogs and GitHub repositories. A neat example would be this one -> https://forum.forgerock.com/2017/04/pwned-authentication-module/.

    Andy

    #18108
    rasarkar
    Participant

    Hi Andy,

    Thanks for the last reply. It was really helpful. I went through the pwned authentication module and it seems they have not given any details about the addition of new UI elements. I couldn’t find any resources either.

    Can you please help me with this one thing? I really do not have a clue about this.

    Thanks
    Rana

    #18150
    Andy Cory
    Participant

    Hi Rana

    It’s not something I’ve had to do, since my customers have always provided their own UI and driven OpenAM using the REST interface. I know that ForgeRock have made the UI extensible, so in the event I needed to do this I would be in the same position as yourself, and would resort to Google. Sorry I can’t give a concrete example beyond pointing at the product documentation.

    Andy

    #18170
    Peter Major
    Moderator

    You should be able to use ChoiceCallbacks in the callback descriptor XML file of the authentication module and then most likely you won’t need any UI customization. Just create a new state in the callback descriptor XML, use ChoiceCallbacks, and then potentially from the authentication modules you can replace the callbacks so that they contain the real values associated with the user. If the number of phone numbers can change, then that becomes a lot more tricky, but it should still be doable (or this is maybe when you could customize the UI to hide those away).
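
The ChoiceCallback approach from the last reply, as an added example that is not part of the original thread and not ForgeRock's own code: the module fills a placeholder ChoiceCallback with the user's numbers and maps the submitted index back to a number on the server. The class name, the attribute names `mobile1` to `mobile3`, the three-state layout, the prompt text and the masking of the labels are assumptions; `IdUtils.getIdentity(username, realm)` is assumed to be available in the OpenAM version in use.

```java
// Added example. Assumed callback descriptor XML: state 1 has length="0" (process() runs
// without showing a form), state 2 holds one <ChoiceCallback> with placeholder
// <ChoiceValue> entries, state 3 is the OTP entry form taken from the HOTP module.
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import com.sun.identity.authentication.spi.*;
import com.sun.identity.idm.*;

public class MultiNumberOtp extends AMLoginModule {
    private static final String[] ATTRS = {"mobile1", "mobile2", "mobile3"}; // hypothetical names
    private final List<String> numbers = new ArrayList<>();
    private String user, chosenNumber;

    public void init(Subject subject, Map sharedState, Map options) {
        user = (String) sharedState.get(getUserKey()); // set by the earlier module in the chain
    }

    public int process(Callback[] callbacks, int state) throws LoginException {
        if (state == 1) {
            try {
                AMIdentity id = IdUtils.getIdentity(user, getRequestOrg());
                if (id == null) throw new AuthLoginException("user not found");
                for (String attr : ATTRS) {
                    Set<?> values = id.getAttribute(attr);
                    if (values != null && !values.isEmpty()) numbers.add((String) values.iterator().next());
                }
            } catch (Exception e) { throw new AuthLoginException(e); }
            if (numbers.isEmpty()) throw new AuthLoginException("no mobile number on profile");
            // Only masked labels reach the browser: the form is shown before login completes.
            String[] labels = new String[numbers.size()];
            for (int i = 0; i < labels.length; i++) labels[i] = mask(numbers.get(i));
            replaceCallback(2, 0, new ChoiceCallback("Send code to", labels, 0, false));
            return 2;
        }
        if (state == 2) {
            int[] sel = ((ChoiceCallback) callbacks[0]).getSelectedIndexes();
            if (sel == null || sel.length != 1 || sel[0] < 0 || sel[0] >= numbers.size())
                throw new AuthLoginException("invalid selection");
            chosenNumber = numbers.get(sel[0]); // resolved from the server-side list, not from form text
            return 3; // the HOTP send logic would deliver the code to chosenNumber here
        }
        throw new AuthLoginException("state " + state + " is not covered by this example");
    }

    private static String mask(String n) { return n.length() <= 4 ? "****" : "******" + n.substring(n.length() - 4); }

    public java.security.Principal getPrincipal() { return () -> user; }
}
```

Because the choice list is built from the attributes that actually hold a value, the same code handles users with one, two or three numbers.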
