OpenID Connect – Username, password and OTP

This authenticator is used for username-password-otp authorization in OpenID Connect scenarios.

Configuration Properties

Each property is listed with its description, default value and whether it is mandatory.

loginTemplate
    Template to use for the user interface (username and password prompt).
    Default value: login.template. Mandatory: No.

otp
    Template to use for the user interface (one-time password prompt).
    Default value: otp.template. Mandatory: No.

userNameParamName
    Name of the username request parameter.
    Default value: username. Mandatory: No.

passworParamterName
    Name of the password request parameter.
    Default value: password. Mandatory: No.

otpParamterName
    Name of the one-time password request parameter.
    Default value: otp. Mandatory: No.

userValidationPipeID
    Id of the pipe used to validate username and password and, in the case of OTP by SMS or email, to generate and distribute the OTP.
    Default value: none. Mandatory: Yes.

otpValidationPipeID
    Id of the pipe used to validate the one-time password.
    Default value: none. Mandatory: Yes.

allowedRP
    Array of relying parties (client_ids) allowed to use this authorization endpoint.
    Default value: none. Mandatory: Yes.

requireConsent
    Present a consent screen (true/false) to the end user.
    Default value: false. Mandatory: No.

consentTemplate
    Template file to use for the consent screen.
    Default value: oidcconsent. Mandatory: No.

Example configuration

An LDAP user store is used in this example.

HTTP Authenticators

{
  "id" : "unpwotp",
  "alias" : "unpwotp",
  "name" : "OIDCPostUidPasswordAndOTP",
  "configuration" : {
    "userValidationPipeID" : "UserLookupAndAuthWithLDAP",
    "otpValidationPipeID" : "ValidateSentOtp",
    "allowedRP" : [
      "myApp"
    ]
  }
}

Pipes

[ {
  "id" : "UserLookupAndAuthWithLDAP",
  "valves" : [ {
    "name" : "LDAPSearchValve",
    "config" : {
      "connection_ref" : "local_ldap",
      "base_dn" : "ou=users,dc=demo,dc=phenixid,dc=se",
      "scope" : "SUB",
      "size_limit" : "0",
      "filter_template" : "(&(objectclass=*)(uid={{request.username}}))",
      "attributes" : "commonName,uid,mail,mobile"
    }
  }, {
    "name" : "LDAPBindValve",
    "config" : {
      "connection_ref" : "local_ldap",
      "password_param_name" : "password"
    }
  }, {
    "name" : "OTPGeneratorValve",
    "config" : {
      "length" : "6",
      "name" : "generated_otp"
    }
  }, {
    "name" : "OTPBySMSValve",
    "config" : {
      "userid_param_name" : "username",
      "gw_username" : "testkonto",
      "gw_password" : "{enc}p38dlZnPiEXBkEtPf6xfSuCE2pxzNkKBOvZgZHzHQJM="
    }
  } ]
}, {
  "id" : "ValidateSentOtp",
  "valves" : [ {
    "name" : "SessionLoadValve",
    "config" : {
      "id" : "{{request.session_id}}"
    }
  }, {
    "name" : "OTPValidationValve",
    "config" : {
      "provided_otp_param_name" : "{{request.otp}}",
      "generated_otp_param_name" : "generated_otp"
    }
  }, {
    "name" : "ItemCreateValve",
    "config" : {
      "dest_id" : "{{request.username}}"
    }
  }, {
    "name" : "PropertyAddValve",
    "config" : {
      "name" : "redirect_uri",
      "value" : "{{request.redirect_uri}}"
    }
  }, {
    "name" : "PropertyAddDateTimeValve",
    "config" : {
      "name" : "time",
      "format" : "n"
    }
  }, {
    "name" : "PropertyAddValve",
    "config" : {
      "name" : "tmpcode",
      "value" : "{{item.time}}{{request.username}}{{request.client_id}}"
    }
  }, {
    "name" : "PropertyStringBase64EncoderValve",
    "config" : {
      "source" : "tmpcode",
      "dest" : "code"
    }
  }, {
    "name" : "PropertyAddValve",
    "config" : {
      "name" : "state",
      "value" : "{{request.state}}"
    }
  }, {
    "name" : "SessionClearAllAliasValve",
    "config" : {}
  }, {
    "name" : "SessionBindValve",
    "config" : {
      "alias" : "{{item.code}}"
    }
  }, {
    "name" : "PropertyKeepValve",
    "config" : {
      "name" : "redirect_uri,state,code"
    }
  } ]
} ]
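The ValidateSentOtp pipe above, simulated in Python as an added example (this is not PhenixID code and not the product's template engine): it expands the {{request.x}} and {{item.x}} placeholders, runs the valves in their configured order and returns the properties that PropertyKeepValve leaves for the authorization endpoint. Assumptions: the output of PropertyAddDateTimeValve with format "n" is taken to be a numeric timestamp string passed in as now, and the OTP comparison is done constant-time here because the valve's own comparison is not shown on the page.

```python
import base64
import hmac
import re


def expand(template, ctx):
    """Expand {{scope.key}} placeholders such as {{request.otp}} from ctx."""
    return re.sub(r"\{\{(\w+)\.(\w+)\}\}",
                  lambda m: str(ctx[m.group(1)][m.group(2)]), template)


def run_validate_sent_otp(request, sessions, now):
    """Run the ValidateSentOtp valves in order on a request dict.

    sessions maps session_id -> session dict holding generated_otp (set by the
    first pipe). now stands in for PropertyAddDateTimeValve output (assumption).
    Returns the kept item, or None when the session or OTP check fails."""
    ctx = {"request": request, "item": {}}
    # SessionLoadValve: look the session up by {{request.session_id}}
    session = sessions.get(expand("{{request.session_id}}", ctx))
    if session is None:
        return None
    # OTPValidationValve: provided OTP against generated_otp from the session
    provided = expand("{{request.otp}}", ctx)
    if not hmac.compare_digest(provided.encode(), session["generated_otp"].encode()):
        return None  # constant-time compare is this example's choice (assumption)
    # ItemCreateValve: new item keyed by the username
    item = ctx["item"] = {"dest_id": expand("{{request.username}}", ctx)}
    # PropertyAddValve (redirect_uri) and PropertyAddDateTimeValve (time)
    item["redirect_uri"] = expand("{{request.redirect_uri}}", ctx)
    item["time"] = now
    # PropertyAddValve (tmpcode): {{item.time}} is resolvable from here on
    item["tmpcode"] = expand("{{item.time}}{{request.username}}{{request.client_id}}", ctx)
    # PropertyStringBase64EncoderValve: tmpcode -> code
    item["code"] = base64.b64encode(item["tmpcode"].encode()).decode()
    # PropertyAddValve (state)
    item["state"] = expand("{{request.state}}", ctx)
    # SessionClearAllAliasValve + SessionBindValve: session is now found under alias = code
    session["aliases"] = [item["code"]]
    # PropertyKeepValve: only redirect_uri, state and code survive
    return {k: item[k] for k in ("redirect_uri", "state", "code")}


if __name__ == "__main__":
    # constructed sample: session "s1" holds the OTP that OTPGeneratorValve produced
    sessions = {"s1": {"generated_otp": "482913"}}
    request = {"session_id": "s1", "otp": "482913", "username": "alice",
               "client_id": "myApp", "redirect_uri": "https://app.example/cb", "state": "xyz"}
    print(run_validate_sent_otp(request, sessions, "1700000000"))
```

Note that code is the base64 of time, username and client_id, so it is a deterministic lookup key for the session bound by SessionBindValve; the OTP check earlier in the pipe is what gates reaching that binding.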

Database Connection

{
  "id" : "local_ldap",
  "type" : "ldap",
  "description" : "Connection to local OpenDJ",
  "config" : {
    "host" : "localhost",
    "port" : "389",
    "bind_dn" : "cn=Directory Manager",
    "password" : "{enc}D5rVvfE+HpfoHagoMv1r1oy91oDYX44eObCS6qCLh9I=",
    "use_ssl" : "false",
    "ssl_trust_all" : "false",
    "follow_referrals" : "false",
    "auto_reconnect" : "true",
    "use_keep_alive" : "true",
    "response_timeout_ms" : "30000",
    "pool_initial_size" : "1",
    "pool_max_size" : "2"
  }
}

Notes

Please be aware that this authenticator on its own is not sufficient to complete a full OpenID Connect authentication scenario! It only covers the authorization endpoint part. To complete the flow with the token endpoint configuration, please see this document.