PhenixID web apps authentication – Username, password and OTP

This authenticator performs authentication with a username, a password and a one-time password (OTP).

Modules required

  • auth-http
  • pipes

Configuration Properties

successURL
  Description: The URL to redirect the browser to after successful authentication.
  Default value: (none)
  Mandatory: Yes

loginTemplate
  Description: Template to use for the user interface (username and password prompt).
  Default value: login.template
  Mandatory: No

otp
  Description: Template to use for the user interface (one-time-password prompt).
  Default value: otp.template
  Mandatory: No

userNameParamName
  Description: Name of the username request parameter.
  Default value: username
  Mandatory: No

passworParamterName
  Description: Name of the password request parameter.
  Default value: password
  Mandatory: No

allowLanguageChange
  Description: Enable or disable language change. Set ??? to allow language change.
  Default value: (none)
  Mandatory: No

translationKey
  Description: Key used to fetch the login page body text.
  Default value: login.messages.information.body
  Mandatory: No

headingtranslationKey
  Description: Key used to fetch the login page header text.
  Default value: login.messages.information.header
  Mandatory: No

userValidationPipeID
  Description: ID of the pipe used to validate the username and password and, when the OTP is delivered by SMS or email, to generate and send the OTP.
  Default value: (none)
  Mandatory: Yes

otpValidationPipeID
  Description: ID of the pipe used to validate the one-time password.
  Default value: (none)
  Mandatory: Yes

errorURL
  Description: The URL to redirect the browser to after unsuccessful authentication.
  Default value: (none)
  Mandatory: No

Example configuration

An LDAP user store is used in this example.

HTTP Authenticators

{
  "id" : "unpwotp",
  "alias" : "unpwotp",
  "name" : "PostUidPasswordAndOTP",
  "configuration" : {
    "userValidationPipeID" : "UserLookupAndAuthWithLDAP",
    "otpValidationPipeID" : "ValidateSentOtp",
    "successURL" : "/otpadmin/"
  }
}

Pipes

[ {
  "id" : "UserLookupAndAuthWithLDAP",
  "valves" : [ {
    "name" : "LDAPSearchValve",
    "config" : {
      "connection_ref" : "local_ldap",
      "base_dn" : "ou=users,dc=demo,dc=phenixid,dc=se",
      "scope" : "SUB",
      "size_limit" : "0",
      "filter_template" : "(&(objectclass=*)(uid={{request.username}}))",
      "attributes" : "commonName,uid,mail,mobile"
    }
  }, {
    "name" : "LDAPBindValve",
    "config" : {
      "connection_ref" : "local_ldap",
      "password_param_name" : "password"
    }
  }, {
    "name" : "OTPGeneratorValve",
    "config" : {
      "length" : "6",
      "name" : "generated_otp"
    }
  }, {
    "name" : "OTPBySMSValve",
    "config" : {
      "userid_param_name" : "username",
      "gw_username" : "testkonto",
      "gw_password" : "{enc}p38dlZnPiEXBkEtPf6xfSuCE2pxzNkKBOvZgZHzHQJM="
    }
  } ]
}, {
  "id" : "ValidateSentOtp",
  "valves" : [ {
    "name" : "SessionLoadValve",
    "config" : {
      "id" : "{{request.session_id}}"
    }
  }, {
    "name" : "OTPValidationValve",
    "config" : {
      "provided_otp_param_name" : "{{request.otp}}",
      "generated_otp_param_name" : "generated_otp"
    }
  }, {
    "name" : "ItemCreateValve",
    "config" : {
      "dest_id" : "{{request.username}}"
    }
  }, {
    "name" : "PropertyAddValve",
    "config" : {
      "name" : "roles",
      "value" : "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
      "enable_multi_value" : "true"
    }
  } ]
} ]

Read this article to get the correct value for the roles property.

Database Connection

{
  "id" : "local_ldap",
  "type" : "ldap",
  "description" : "Connection to local OpenDJ",
  "config" : {
    "host" : "localhost",
    "port" : "389",
    "bind_dn" : "cn=Directory Manager",
    "password" : "{enc}D5rVvfE+HpfoHagoMv1r1oy91oDYX44eObCS6qCLh9I=",
    "use_ssl" : "false",
    "ssl_trust_all" : "false",
    "follow_referrals" : "false",
    "auto_reconnect" : "true",
    "use_keep_alive" : "true",
    "response_timeout_ms" : "30000",
    "pool_initial_size" : "1",
    "pool_max_size" : "2"
  }
}
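The three blocks above only work together if the IDs line up: the authenticator's userValidationPipeID and otpValidationPipeID must name existing pipes, every connection_ref must name a defined connection, the name that OTPGeneratorValve stores the code under must be the name OTPValidationValve reads, and secrets should carry the {enc} prefix rather than sit in clear text. The following consistency check is an added example, not a PhenixID tool; check_config and _valve_values are hypothetical helpers, and the sample data is a constructed, condensed copy of the page's example with placeholder secrets.

```python
import json

# Constructed, condensed copy of the page's three configuration blocks (secrets are placeholders).
AUTHENTICATORS = json.loads("""[{"id": "unpwotp", "name": "PostUidPasswordAndOTP",
  "configuration": {"userValidationPipeID": "UserLookupAndAuthWithLDAP",
    "otpValidationPipeID": "ValidateSentOtp", "successURL": "/otpadmin/"}}]""")
PIPES = json.loads("""[
  {"id": "UserLookupAndAuthWithLDAP", "valves": [
    {"name": "LDAPSearchValve", "config": {"connection_ref": "local_ldap"}},
    {"name": "LDAPBindValve", "config": {"connection_ref": "local_ldap", "password_param_name": "password"}},
    {"name": "OTPGeneratorValve", "config": {"length": "6", "name": "generated_otp"}},
    {"name": "OTPBySMSValve", "config": {"gw_username": "testkonto", "gw_password": "{enc}placeholder"}}]},
  {"id": "ValidateSentOtp", "valves": [
    {"name": "OTPValidationValve", "config": {"generated_otp_param_name": "generated_otp"}}]}]""")
CONNECTIONS = json.loads("""[{"id": "local_ldap", "type": "ldap",
  "config": {"bind_dn": "cn=Directory Manager", "password": "{enc}placeholder"}}]""")
SECRET_KEYS = {"password", "gw_password"}  # values here must carry the {enc} prefix

def _valve_values(pipes, pipe_id, valve_name, key):
    # Hypothetical helper: the set of `key` values configured on valves named `valve_name` in pipe `pipe_id`.
    return {v["config"].get(key) for p in pipes if p["id"] == pipe_id
            for v in p["valves"] if v["name"] == valve_name}

def check_config(authenticators, pipes, connections):
    """Hypothetical checker: return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    pipe_ids = {p["id"] for p in pipes}
    conn_ids = {c["id"] for c in connections}
    for auth in authenticators:
        cfg = auth["configuration"]
        for key in ("userValidationPipeID", "otpValidationPipeID"):
            if cfg.get(key) not in pipe_ids:
                findings.append(f"{auth['id']}: {key} {cfg.get(key)!r} is not a defined pipe")
        # The name the generator stores the OTP under must be the name the validator reads back.
        written = _valve_values(pipes, cfg.get("userValidationPipeID"), "OTPGeneratorValve", "name")
        read = _valve_values(pipes, cfg.get("otpValidationPipeID"), "OTPValidationValve", "generated_otp_param_name")
        if written != read:
            findings.append(f"{auth['id']}: OTP generator writes {written}, validator reads {read}")
    for p in pipes:
        for v in p["valves"]:
            ref = v["config"].get("connection_ref")
            if ref is not None and ref not in conn_ids:
                findings.append(f"{p['id']}/{v['name']}: connection_ref {ref!r} is not defined")
            for k, value in v["config"].items():
                if k in SECRET_KEYS and not str(value).startswith("{enc}"):
                    findings.append(f"{p['id']}/{v['name']}: {k} is stored in clear text")
    for c in connections:
        if not str(c["config"].get("password", "{enc}")).startswith("{enc}"):
            findings.append(f"{c['id']}: bind password is stored in clear text")
    return findings
```

Run check_config over the real configuration files before deploying; on the page's example it returns no findings.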