0
votes

I have enabled EmailOTP Identity Provider, using WSO2 Identity Server as Email Provider.

In my Service Provider, I have enabled EmailOTP as the second step of Authentication.

An Angular UI application is my front end. When I provide the username/password on the login page (using OpenID Connect), the authorization code is generated, but the second step is not invoked, i.e., the OTP page is not displayed and the email with the OTP is not sent to the recipient.

I have followed the steps mentioned here, except for making Gmail the Identity Provider.

OpenIdConnect Configuration:

enter image description here

Local and Outbound Authentication Configuration:

enter image description here

EmailOTP IDP Configuration (did not use Gmail or SendGrid):

enter image description here

Email Adapter and Authenticator Configuration:

[output_adapter.email]
from_address= "[email protected]"
username= "[email protected]"
password= "password"
hostname= "smpt.hostname"
port= 25
enable_start_tls= false
enable_authentication= true

[authentication.authenticator.basic.parameters]
showAuthFailureReason = true

[authentication.authenticator.email_otp]
name ="EmailOTP"
enable=true

[authentication.authenticator.email_otp.parameters]
EMAILOTPAuthenticationEndpointURL = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotp.jsp"
EmailOTPAuthenticationEndpointErrorPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotpError.jsp"
EmailAddressRequestPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailAddress.jsp"
usecase = "local"
secondaryUserstore = "primary"
EMAILOTPMandatory = false
sendOTPToFederatedEmailAttribute = false
federatedEmailAttributeKey = "email"
EmailOTPEnableByUserClaim = true
CaptureAndUpdateEmailAddress = true
showEmailAddressInUI = true
useEventHandlerBasedEmailSender = true

Script based authentication Configuration:

var onLoginRequest = function(context) {
    executeStep(1);
    executeStep(2);
};

OpenId Connect Configuration.

enter image description here https://is.docs.wso2.com/en/5.10.0/learn/configuring-email-otp/#configuring-email-otp

Endpoint details:

https://localhost:5004/oauth2/authorize?response_type=code&scope=openid&redirect_uri=http://localhost&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256&sectoken=<sec_token>

Tenant Domain Error:

The tenant domain user is being treated as a user of carbon.super domain.

TID: [-1234] [] [2021-02-01 17:13:47,683] [85d31877-3090-4139-9efb-d40f85c2e2eb] DEBUG {org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator}
    - OTP Expiration Time not specified default value will be used
 TID: [-1234] [] [2021-02-01 17:13:47,684] [85d31877-3090-4139-9efb-d40f85c2e2eb] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
    - Exception in Authentication Framework java.lang.NullPointerException
                at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.publishAuthenticationStepAttempt(AbstractApplicationAuthenticator.java:170)
                at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:94)
                at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.process(EmailOTPAuthenticator.java:139)
                at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:506)
                at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:480)
                at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:179)
                at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:185) er} - 
Error occurred while getting claims for user: [email protected] from userstore. org.wso2.carbon.user.core.UserStoreException: 30007 - UserNotFound: 
User tanoj123 does not exist in: PRIMARY
            at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:205)
            at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserClaimValues(AbstractUserStoreManager.java:1758)
            at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInLocalDialect(DefaultOIDCClaimsCallbackHandler.java:466)
            at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:420)
            at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.retrieveClaimsForLocalUser(DefaultOIDCClaimsCallbackHandler.java:296)
            at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:146)
            at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.handleCustomClaims(DefaultOIDCClaimsCallbackHandler.java:85)
            at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims_aroundBody4(APIMJWTGenerator.java:166)
            at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims(APIMJWTGenerator.java:156)
            at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody_aroundBody2(APIMJWTGenerator.java:95)
            at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody(APIMJWTGenerator.java:92)
            at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT_aroundBody0(APIMJWTGenerator.java:69)
            at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT(APIMJWTGenerator.java:60)
            at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken_aroundBody4(APIMTokenIssuerUtil.java:210)
            at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken(APIMTokenIssuerUtil.java:173)
            at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken_aroundBody0(APIMTokenIssuer.java:102)
            at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken(APIMTokenIssuer.java:51)
            at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.getNewAccessToken(AbstractAuthorizationGrantHandler.java:491)
            at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.createNewTokenBean(AbstractAuthorizationGrantHandler.java:390)
            at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.generateNewAccessToken(AbstractAuthorizationGrantHandler.java:344)
1
Can you provide a screenshot of your Authentication Step Configurations? – sumedhe

And if there are any error logs, please provide them. – sumedhe

@sumedhe - I have added the screenshots. I am not getting any errors, but the Email OTP page is not loading or being redirected to from the Angular application. – Prabakaran Thodithot Sembiyan

Can you add a screenshot of the adaptive authentication script section on the advanced configurations page? – Maduranga Siriwardena

@MadurangaSiriwardena - I have added the code/scripts for the same, in the question. – Prabakaran Thodithot Sembiyan

1 Answer

1
votes

In the shared logs, the following line can be observed.

BasicAuthRequestPathAuthenticator can handle the request

It means the canHandle() method of the BasicAuthRequestPathAuthenticator has returned true since the sectoken query parameter is defined. Then, the request path authentication has taken place.

BasicAuth RequestPathAuthentication does not support MFA and it is like the password grant. The user gets authenticated by just validating the passed credentials.

If your goal is to have the login page on your client application (Angular SPA), you can pass the username and password as two different parameters (POST or GET; POST is recommended since the password will not be passed in the URL) in the oauth2/authorize request and get into the default basic authenticator instead of the RequestPathAuthenticator. Then MFA will work as expected.
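
The change this answer describes, as an added example (not code from the original post or from WSO2): it flags an authorize URL that carries `sectoken` and rebuilds it as a form POST with separate credential fields. The function names and placeholder values are hypothetical, and the field names `username` and `password` are an assumption about what the default basic authenticator reads.

```javascript
// Added example; identifiers here are illustrative, not WSO2 or project code.
// Constructed sample request in the shape shown in the question (placeholder values).
const SAMPLE_AUTHORIZE_URL =
  "https://localhost:5004/oauth2/authorize?response_type=code&scope=openid" +
  "&redirect_uri=http://localhost&client_id=CLIENT_ID_PLACEHOLDER" +
  "&code_challenge=CHALLENGE_PLACEHOLDER&code_challenge_method=S256" +
  "&sectoken=SECTOKEN_PLACEHOLDER";

// Per the answer: a defined `sectoken` makes the request path authenticator
// claim the request, and that path completes without running step 2 (EmailOTP).
function usesRequestPathAuth(authorizeUrl) {
  return new URL(authorizeUrl).searchParams.has("sectoken");
}

// Rebuild the request as a form POST: drop `sectoken` and move the OAuth
// parameters plus the credentials into the body, so the password is never
// part of the URL (and so stays out of browser history and access logs).
// Assumption: the credential fields are named `username` and `password`.
function toBasicAuthenticatorRequest(authorizeUrl, username, password) {
  const url = new URL(authorizeUrl);
  const body = new URLSearchParams(url.searchParams);
  body.delete("sectoken");
  body.set("username", username);
  body.set("password", password);
  return {
    method: "POST",
    action: url.origin + url.pathname,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(), // URLSearchParams form-encodes special characters
  };
}
```

In a browser, submit the result as an HTML form post (a top-level navigation) rather than a background request, so the redirect to the OTP page is followed and rendered.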