OpenID Connect – Username, password and OTP
This authenticator is used for username-password-otp authorization in OpenID Connect scenarios.
Configuration Properties
Example configuration
An LDAP user store is used in this example.
HTTP Authenticators
{
"id" : "unpwotp",
"alias" : "unpwotp",
"name" : "OIDCPostUidPasswordAndOTP",
"configuration" : {
"userValidationPipeID" : "UserLookupAndAuthWithLDAP",
"otpValidationPipeID" : "ValidateSentOtp",
"allowedRP": [
"myApp"
]
}
}
Pipes
{
"id" : "UserLookupAndAuthWithLDAP",
"valves" : [ {
"name" : "LDAPSearchValve",
"config" : {
"connection_ref" : "local_ldap",
"base_dn" : "ou=users,dc=demo,dc=phenixid,dc=se",
"scope" : "SUB",
"size_limit" : "0",
"filter_template" : "(&(objectclass=*)(uid={{request.username}}))",
"attributes" : "commonName,uid,mail,mobile"
}
}, {
"name" : "LDAPBindValve",
"config" : {
"connection_ref" : "local_ldap",
"password_param_name" : "password"
}
} ,{
"name" : "OTPGeneratorValve",
"config" : {
"length" : "6",
"name" : "generated_otp"
}
}, {
"name" : "OTPBySMSValve",
"config" : {
"userid_param_name" : "username",
"gw_username" : "testkonto",
"gw_password" : "{enc}p38dlZnPiEXBkEtPf6xfSuCE2pxzNkKBOvZgZHzHQJM="
}
} ]
} ,{
"id" : "ValidateSentOtp",
"valves" : [ {
"name" : "SessionLoadValve",
"config" : {
"id" : "{{request.session_id}}"
}
}, {
"name" : "OTPValidationValve",
"config" : {
"provided_otp_param_name" : "{{request.otp}}",
"generated_otp_param_name" : "generated_otp"
}
}, {
"name": "ItemCreateValve",
"config": {
"dest_id": "{{request.username}}
"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "redirect_uri",
"value": "{{request.redirect_uri}}"
}
},
{
"name": "UUIDCreateValve",
"enabled": "true",
"config": {
"name": "code"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "state",
"value": "{{request.state}}"
}
},
{
"name": "SessionClearAllAliasValve",
"config": {}
},
{
"name": "SessionBindValve",
"config": {
"alias": "{{item.code}}"
}
},
{
"name": "PropertyKeepValve",
"config": {
"name": "redirect_uri,state,code"
}
}
]
}
Database Connection
{
"id" : "local_ldap",
"type" : "ldap",
"description" : "Connection to local OpenDJ",
"config" : {
"host" : "localhost",
"port" : "389",
"bind_dn" : "cn=Directory Manager",
"password" : "{enc}D5rVvfE+HpfoHagoMv1r1oy91oDYX44eObCS6qCLh9I=",
"use_ssl" : "false",
"ssl_trust_all" : "false",
"follow_referrals" : "false",
"auto_reconnect" : "true",
"use_keep_alive" : "true",
"response_timeout_ms" : "30000",
"pool_initial_size" : "1",
"pool_max_size" : "2"
}
}
Notes
Please be aware that this authenticator alone is not sufficient to complete a full OpenID Connect authentication scenario. It only describes the authorization endpoint part. For the token endpoint configuration needed to complete the flow, please see this document.