Multi-Attribute login with WSO2 Identity Server

Ashen Weerathunga
Identity Beyond Borders
Apr 29, 2020 · 3 min read

WSO2 recently announced the latest version of its IAM product, WSO2 Identity Server 5.10.0.

In my previous article, I talked about a major architectural change related to the user store managers that has been introduced with the latest version.


As I mentioned earlier, with the new changes a set of core APIs has been added to support the multi-attribute login capability, where users can have multiple login identifiers such as username, email address, mobile number, or any other identifier that is unique across the system, according to their preference. However, this is not fully supported out of the box in IS 5.10.0, because WSO2 IS still uses the old APIs for basic authentication.

Therefore, in this article let's see how we can use the new user core APIs to write a custom local authenticator that supports multi-attribute login in WSO2 IS.

There can be multiple use cases of multi-attribute login, for example:

  • Users provide either the username or the mobile number as the unique login identifier, along with the password, without selecting the attribute name.
  • Users choose the type of unique login identifier on the login screen and then provide its value and the password.
  • Users provide multiple attributes as the login identifier, such as first name and last name, which are unique in combination, along with the password.

In every scenario, the login identifier attribute (or combination of attributes) must be unique across the user store. If you are familiar with Facebook, you have already seen the first scenario: Facebook allows users to enter either an email address or a phone number as the login identifier.

The user core provides two new authenticate APIs that can be used to implement the above scenarios, depending on your requirements.

Refer to the source code here.

For the first two scenarios, you can use the following API, which takes a single attribute (a claim URI and its value) in place of the username and authenticates the user.

AuthenticationResult authenticateWithID(String preferredUserNameClaim, String preferredUserNameValue, Object credential, String profileName) throws UserStoreException;

For the third scenario, where you have multiple login identifiers, you can use the second API below, passing the list of LoginIdentifier objects to authenticate the user.

AuthenticationResult authenticateWithID(List<LoginIdentifier> loginIdentifiers, String domain, Object credential) throws UserStoreException;

You can use whichever of the above APIs fits your requirement and write a custom authenticator by extending the current BasicAuthenticator. Please refer to the documentation for more details about writing a custom local authenticator.
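As an added illustration of the first scenario (this is example code, not the author's sample authenticator or WSO2's own code), the following custom local authenticator extends BasicAuthenticator, picks the login claim from the shape of the identifier the user typed, and calls the single-attribute authenticateWithID API. The BasicAuthenticatorServiceComponent accessor, the super-tenant realm lookup, the mobile-number pattern and the getDomainQualifiedUsername accessor are assumptions made for this example.

```java
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authenticator.basicauth.BasicAuthenticator;
import org.wso2.carbon.identity.application.authenticator.basicauth.internal.BasicAuthenticatorServiceComponent;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.UserCoreConstants;
import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
import org.wso2.carbon.user.core.common.AuthenticationResult;
import org.wso2.carbon.utils.multitenancy.MultitenantConstants;

public class MultiAttributeBasicAuthenticator extends BasicAuthenticator {
    // Fixed allow-list of login claims: the claim name is never taken from the request.
    private static final String USERNAME_CLAIM = "http://wso2.org/claims/username";
    private static final String MOBILE_CLAIM = "http://wso2.org/claims/mobile";
    // Mobile numbers in E.164-like form, e.g. +94771234567 (assumed format for this example).
    private static final Pattern MOBILE = Pattern.compile("^\\+?[0-9]{7,15}$");

    @Override
    protected void processAuthenticationResponse(HttpServletRequest request, HttpServletResponse response,
                                                 AuthenticationContext context) throws AuthenticationFailedException {
        String identifier = request.getParameter("username"); // field names of the default basic auth login page
        String password = request.getParameter("password");
        if (identifier == null || identifier.isEmpty() || password == null || password.isEmpty()) {
            throw new AuthenticationFailedException("Login identifier and password are required.");
        }
        // Choose the claim from the identifier's shape; that claim must be unique in the user store.
        String claimUri = MOBILE.matcher(identifier).matches() ? MOBILE_CLAIM : USERNAME_CLAIM;
        try {
            // Assumption: super-tenant realm; a multi-tenant deployment resolves the tenant from the request.
            AbstractUserStoreManager userStoreManager = (AbstractUserStoreManager)
                    BasicAuthenticatorServiceComponent.getRealmService()
                            .getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID).getUserStoreManager();
            AuthenticationResult result = userStoreManager.authenticateWithID(
                    claimUri, identifier, password, UserCoreConstants.DEFAULT_PROFILE);
            if (result.getAuthenticationStatus() != AuthenticationResult.AuthenticationStatus.SUCCESS
                    || !result.getAuthenticatedUser().isPresent()) {
                // One message for "unknown identifier" and "wrong password": no account enumeration.
                throw new AuthenticationFailedException("Invalid login identifier or password.");
            }
            // The subject is the resolved account name, not the raw identifier the user typed.
            context.setSubject(AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(
                    result.getAuthenticatedUser().get().getDomainQualifiedUsername()));
        } catch (UserStoreException e) {
            throw new AuthenticationFailedException("Authentication failed for claim " + claimUri, e);
        }
    }
}
```

Keep the claim allow-list fixed in code and make sure every claim in it is unique in the user store; otherwise authenticateWithID cannot resolve a single account for the given value.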

Then you can enable multi-attribute login support for your applications. Below is a sample scenario where I have enabled multi-attribute login for the user portal via a custom authenticator. You can get the sample authenticator source code here.

Log in using username or mobile number.

I hope you now have a basic idea of the new authenticate APIs and how to use them to extend WSO2 Identity Server for your requirements. Now you can try it out and see how it works for you.
