REST API request in WSO2 Identity Server’s Adaptive Authentication

Nesaratnam Sivanoly
Identity Beyond Borders
3 min read · Aug 2, 2021

In some instances, we need to consume third-party API responses in the WSO2 Identity Server’s Adaptive Authentication.

Before we begin, we need to understand that even though the Adaptive Authentication script is written in JavaScript, it is compiled and executed on the back end by Java.

Therefore, we cannot use JavaScript's HTTP request functions such as XMLHttpRequest(), jQuery.get(), or async/await in our scripts. To fill this gap, WSO2 Identity Server provides Java-backed HTTP request functions: the native httpGet and httpPost functions can be used to fulfill our business requirements. When the Adaptive Authentication script is compiled and executed by Java, these functions run on the server side and complete the call there; the HTTP client initialization and request logic are already implemented inside WSO2 Identity Server.

Now let’s see how we can use the REST APIs in the Adaptive Authentication.

Prerequisites

  1. REST API Server
  2. WSO2 Identity Server
  3. Configure Adaptive Authentication based authentication

Step 1: Sample REST API Server

Set up a REST API server that fulfills your requirements. Since this blog is written for introduction purposes, I haven't used any authentication mechanism.

Sample REST API Node.js Server

The above sample checks the domain of the user's email address: if it is a corporate domain, the user is allowed to log in; if not, the user is prompted for a second factor to continue.

Step 2: Configure the Adaptive Authentication Script

Before you begin the configuration, make sure that you have installed WSO2 Identity Server and that the product is running.

  1. Log in to the management console using admin/admin credentials.
  2. Add an email address to the users under Users and Roles management.
  3. Under the Service Providers section, click Add.
  4. Enter a name for the Service Provider under Service Provider Name and click Register.
  5. Expand Local and Outbound Configuration and choose Advanced Authentication.
  6. Click the Script-Based Conditional Authentication field and add one of the following scripts.

For a GET request [1]

function onLoginRequest(context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Claims of the user authenticated in step 1 (basic authenticator)
            var user = context.steps[1].subject;
            var email = user.localClaims['http://wso2.org/claims/emailaddress'];
            var organization = user.localClaims['http://wso2.org/claims/organization'];

            // Server-side GET; the response body is parsed into 'data'
            httpGet('http://localhost:3000/validate?email=' + email + '&organization=' + organization, {
                onSuccess: function (context, data) {
                    Log.info('--------------- Received mfa_required ' + data.mfa.required);
                    if (data.mfa.required) {
                        executeStep(2);
                    }
                },
                onFail: function (context, data) {
                    // Only logs: when the API call fails, login completes with step 1 alone
                    Log.info('--------------- Failed to call URL');
                }
            });
        }
    });
}

For a POST request [2]

function onLoginRequest(context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Claims of the user authenticated in step 1 (basic authenticator)
            var user = context.steps[1].subject;
            var email = user.localClaims['http://wso2.org/claims/emailaddress'];
            var organization = user.localClaims['http://wso2.org/claims/organization'];

            // Server-side POST with a JSON body; the response body is parsed into 'data'
            httpPost('http://localhost:3000/validate', { 'email': email, 'organization': organization }, {
                onSuccess: function (context, data) {
                    Log.info('--------------- Received mfa_required ' + data.mfa.required);
                    if (data.mfa.required) {
                        executeStep(2);
                    }
                },
                onFail: function (context, data) {
                    // Only logs: when the API call fails, login completes with step 1 alone
                    Log.info('--------------- Failed to call URL');
                }
            });
        }
    });
}

  7. Add two authentication steps.

     • Creating the first authentication step:
       • Click Add Authentication Step.
       • Select basic under Local Authenticators of Step 1 and click Add Authenticator (adding basic authentication as the first step prompts the user to enter credentials when logging in to the application).
     • Creating the second authentication step:
       • Click Add Authentication Step.
       • Select Demo Hardware Key under Local Authenticators of Step 2 and click Add Authenticator.

  8. Click Update.

Sample Adaptive Authentication Script for GET/POST Request

Note: Skip steps 3 and 4 if you have already configured the Service Provider.

Step 3: Let's try it out

  1. Access the application.
  2. Click Login and enter the [admin/admin] credentials. After basic authentication you are prompted for the hardware key, according to the authentication steps defined in the script above and the response from the API.
  3. Proceed with the second factor if the user's email address is not a corporate address.
  4. Next, log out of the application and log in again as a different user.

References

[1] https://github.com/wso2-extensions/identity-conditional-auth-functions/blob/master/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/HTTPGetFunctionImpl.java#L66

[2] https://github.com/wso2-extensions/identity-conditional-auth-functions/blob/master/components/org.wso2.carbon.identity.conditional.auth.functions.http/src/main/java/org/wso2/carbon/identity/conditional/auth/functions/http/HTTPPostFunctionImpl.java#L69

[3] https://github.com/nsivanoly/WSO2-IS-node-adaptive-Authentication-httpget-httppost
