WSO2TUTORIAL Using One-Time Passwords to log in to WSO2 IS 5.3.0

Posted by Rob Blaauboer on 16 Mar, 2017

Within WSO2 IS (Identity Server) you can have a one-time password generated. This mechanism can even be used for users who do not want to remember a password, or who want a new password for each login.

The trick is to set up the One Time Password feature; after each successful login a new password is emailed to the user. Keep in mind that this password travels in plaintext: anyone who can read the mail in transit or in the mailbox can log in as that user, so the strength of this login is bounded by the security of the mail path (SMTP transport and mailbox access).

So how would we do this?

We first start by making the admin services available, since this feature still uses the SOAP-based admin services rather than the REST services that are becoming more prevalent in WSO2 products.

So open the [IS_HOME]/repository/conf/carbon.xml file and make the following change: <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>. This setting only controls whether the WSDL documents of the admin services are served; the services themselves still require authentication. Set it back to true once you no longer need to inspect the WSDLs.

[Screenshot: [IS_HOME]/repository/conf/carbon.xml with HideAdminServiceWSDLs set to false]

The second step is to enable the SOAP-based identity management listener in [IS_HOME]/repository/conf/identity/identity.xml by setting enable="true" on this entry:

<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/>

[Screenshot: the IdentityMgtEventListener entry in identity.xml with enable="true"]

Now we need to instruct the Identity Server that it should send the OTP mails. Again this is done by changing a configuration file. Open the [IS_HOME]/repository/conf/identity/identity-mgt.properties file and set:

Notification.Sending.Enable=true
Notification.Sending.Internally.Managed=true
Authentication.Policy.Enable=true
Authentication.Policy.Check.OneTime.Password=true

Please note that these four settings are not grouped together in the file, so search for each of the four parameters and change them to the values shown above.

[Screenshot: the four notification and authentication-policy settings in identity-mgt.properties]

Sending an email

The mail transport for this SOAP-based service is configured in [IS_HOME]/repository/conf/axis2/axis2.xml rather than in the output-event-adapters.xml that the REST-based notification path uses. If you already changed that file, you can reuse the values (but not the tags!). Two things to watch in this block: mail.smtp.password is a plaintext literal in axis2.xml, which WSO2's Secure Vault can encrypt, and mail.smtp.starttls.enable should stay true so that each OTP does not cross the network to the SMTP server in the clear. The examples below show the variables for

<transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
    <parameter name="mail.smtp.from">4trainingwso2@gmail.com</parameter>
    <parameter name="mail.smtp.user">4trainingwso2</parameter>
    <parameter name="mail.smtp.password">password</parameter>
    <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
    <parameter name="mail.smtp.port">587</parameter>
    <parameter name="mail.smtp.starttls.enable">true</parameter>
    <parameter name="mail.smtp.auth">true</parameter>
</transportSender>


[Screenshot: the mailto transportSender block in axis2.xml]
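The steps above touch three files, and a mistake in any of them only shows up as a failed login later. The following Python script is an example added to this tutorial; it is not part of the original post or of the WSO2 code base. It parses identity.xml, identity-mgt.properties and axis2.xml and lists what is still missing or unsafe. The file contents embedded in it are constructed samples that mirror the snippets in this post (a disabled listener, one flag false, one flag commented out, a plaintext SMTP password); the only WSO2 conventions it relies on are the listener name, the four property keys and the svns:secretAlias attribute that Secure Vault places on an encrypted parameter.

```python
"""Preflight check for the WSO2 IS 5.3.0 one-time-password setup.

Added example, not part of the original post or of WSO2. Parses the three
files the tutorial edits and returns a list of findings; empty means ready.
"""
import re
import xml.etree.ElementTree as ET

LISTENER = "org.wso2.carbon.identity.mgt.IdentityMgtEventListener"
REQUIRED_PROPS = (
    "Notification.Sending.Enable",
    "Notification.Sending.Internally.Managed",
    "Authentication.Policy.Enable",
    "Authentication.Policy.Check.OneTime.Password",
)

def _local(tag):
    """Strip an XML namespace so lookups work with or without an xmlns declaration."""
    return tag.rsplit("}", 1)[-1]

def parse_properties(text):
    """Parse a Java .properties file into a dict, skipping comments and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_properties(props_text):
    """All four identity-mgt.properties flags must be literally true."""
    props = parse_properties(props_text)
    return [f"identity-mgt.properties: {key} must be true (found {props.get(key, '<missing>')})"
            for key in REQUIRED_PROPS if props.get(key, "").lower() != "true"]

def check_listener(identity_xml):
    """The SOAP-based IdentityMgtEventListener must be present and enabled."""
    for el in ET.fromstring(identity_xml).iter():
        if _local(el.tag) == "EventListener" and el.get("name") == LISTENER:
            if el.get("enable", "").lower() == "true":
                return []
            return [f"identity.xml: {LISTENER} is present but enable is not true"]
    return [f"identity.xml: no EventListener named {LISTENER}"]

def check_mail_transport(axis2_xml):
    """The mailto sender must be complete, use STARTTLS and not keep a plaintext password."""
    sender = next((el for el in ET.fromstring(axis2_xml).iter()
                   if _local(el.tag) == "transportSender" and el.get("name") == "mailto"), None)
    if sender is None:
        return ['axis2.xml: no <transportSender name="mailto"> configured']
    params, vaulted = {}, set()
    for p in sender:
        if _local(p.tag) != "parameter":
            continue
        params[p.get("name")] = (p.text or "").strip()
        # Secure Vault marks an encrypted value with an svns:secretAlias attribute
        if any(_local(attr) == "secretAlias" for attr in p.attrib):
            vaulted.add(p.get("name"))
    findings = [f"axis2.xml: mail transport is missing {name}"
                for name in ("mail.smtp.from", "mail.smtp.host", "mail.smtp.port") if not params.get(name)]
    if params.get("mail.smtp.auth", "").lower() == "true" and "mail.smtp.password" not in vaulted:
        findings.append("axis2.xml: mail.smtp.password is a plaintext literal; encrypt it with Secure Vault")
    if params.get("mail.smtp.starttls.enable", "").lower() != "true":
        findings.append("axis2.xml: STARTTLS is off, so each OTP would reach the SMTP server in the clear")
    return findings

def check_otp_setup(identity_xml, props_text, axis2_xml):
    """Run every check and return the combined findings (empty list means ready)."""
    return check_listener(identity_xml) + check_properties(props_text) + check_mail_transport(axis2_xml)

# Constructed samples (not real files): listener still disabled, one flag false,
# one flag commented out, and the mail password kept as a plaintext literal.
IDENTITY_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <EventListeners>
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
                   name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="false"/>
  </EventListeners>
</Server>"""

PROPS = """# constructed sample of identity-mgt.properties
Notification.Sending.Enable=true
Notification.Sending.Internally.Managed=true
Authentication.Policy.Enable=false
#Authentication.Policy.Check.OneTime.Password=true
"""

AXIS2_XML = """<axisconfig name="AxisJava2.0">
  <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
    <parameter name="mail.smtp.from">otp@example.com</parameter>
    <parameter name="mail.smtp.password">password</parameter>
    <parameter name="mail.smtp.host">smtp.example.com</parameter>
    <parameter name="mail.smtp.port">587</parameter>
    <parameter name="mail.smtp.starttls.enable">true</parameter>
    <parameter name="mail.smtp.auth">true</parameter>
  </transportSender>
</axisconfig>"""

if __name__ == "__main__":
    for finding in check_otp_setup(IDENTITY_XML, PROPS, AXIS2_XML):
        print("-", finding)
```

To run it against a real installation, read the three files from [IS_HOME]/repository/conf with open() and pass their contents to check_otp_setup; an empty list means the files agree with the tutorial. The password finding is deliberate: Secure Vault is the supported way to keep the SMTP credential out of axis2.xml in clear text, and a vaulted parameter carries the svns:secretAlias attribute that the check looks for.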

Setting the OTP flag on a user

We need to create a new claim that marks a user as using the OTP function. We do so by adding a local claim (the identity management module in 5.3.0 reads this flag from the claim URI http://wso2.org/claims/identity/oneTimePassword). Fill in the values as shown in the screenshots and save the claim.

[Screenshot: Add Local Claim form, step 1]

[Screenshot: Add Local Claim form, step 2]

Check that everything is correct by opening the claim list and searching for the one you just added.

[Screenshot: the claim list showing the new OTP claim]

Now we need to create a new user and set the OTP claim to true. So let's create jackdoe as a user.

[Screenshot: Add User, step 1, with the OTP claim set to true]

[Screenshot: Add User, step 2]

I already had a role (BasicUser) that allows login. If you do not want to create such a role, you can give the user admin privileges, but a role with only the login permission is the least-privilege option and is what should survive into a real deployment. When we reopen the profile, the OTP value now shows as a checkmark.

[Screenshot: user profile of jackdoe, part 1]

[Screenshot: user profile of jackdoe, part 2, OTP claim checked]

Logging in

So let’s log Jack Doe in.

[Screenshot: login screen with jackdoe]

We get to the User Portal, so our login has succeeded.

[Screenshot: WSO2 IS User Portal after the first login]

When we try to log in again with the same password after logging out, we get this message:

[Screenshot: failed second login attempt on the User Portal]

This is because the OTP service has sent a new password after the first successful login, so the password that was just used no longer works.

[Screenshot: the OTP email with the new password and unreplaced template placeholders]

As you can see, this mail contains the new password but does not look correct. The template used is the one for the (REST-based) notification service, so the first name is not substituted: the literal placeholder {user.claim.givenname}} appears in the email, and the new OTP password is likewise shown wrapped in {} brackets.

The template uses the wrong layout. What we need to do is edit email-admin-config.xml in [IS_HOME]/repository/conf/email/ as shown in the screenshot below to get the right template. Do not forget to restart the Identity Server!

[Screenshot: the edited OTP template in email-admin-config.xml]

After that, the email shows the right values.

[Screenshot: the corrected one-time password email]

In theory this could also be done using the UI, but the changes are then not saved to the configuration file. This is a minor bug for which a public JIRA entry has been made.

Thanks to Chinmaya Tripathy for his contribution to this blog.


Topics: WSO2 IS


Written by Rob Blaauboer

Rob is a Senior Business Consultant and Solution Architect with more than twenty years of experience. In addition to his work he is an active blogger, working on a number of articles on the 'Internet of Things' and a WSO2 'Getting Started with …' series (WSO2 tutorial) in which he talks about WSO2 components and their purpose, aimed especially at non-technical readers. Rob is a WSO2 expert and official WSO2 trainer.