Within WSO2 IS (Identity Server) you can have a one-time password generated. It is even possible to use this mechanism for users who do not want to remember passwords or who want a new password for each login.
The trick is to set up the One Time Password feature; after each successful login a new password is emailed to the user. Keep in mind that this password is sent in plaintext!
So how would we do this?
We first start by making the admin services available, since this feature still uses the SOAP based admin services rather than the REST services that are becoming more prevalent in WSO2 products.
So open the [IS_HOME]/repository/conf/carbon.xml file and make the following change:
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
The second step is to enable the SOAP based identity listener in [IS_HOME]/repository/conf/identity/identity.xml by setting enable to true:
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/>
Now we need to instruct the Identity Server that it should send the OTP mails. Again this is done by changing a configuration file. Open the [IS_HOME]/repository/conf/identity/identity-mgt.properties file and set:
Notification.Sending.Enable=true
Notification.Sending.Internally.Managed=true
Authentication.Policy.Enable=true
Authentication.Policy.Check.OneTime.Password=true
Please note that these four settings are not grouped together in the file. So search for all four parameters and change them to reflect the values shown above.
Sending an email
This is a SOAP service that uses the axis2.xml file rather than the output-event-adapters.xml that REST uses. If you already changed that file you can use the values (but not the tags!). The examples below show the variables for
<transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
    <parameter name="mail.smtp.from">4trainingwso2@gmail.com</parameter>
    <parameter name="mail.smtp.user">4trainingwso2</parameter>
    <parameter name="mail.smtp.password">password</parameter>
    <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
    <parameter name="mail.smtp.port">587</parameter>
    <parameter name="mail.smtp.starttls.enable">true</parameter>
    <parameter name="mail.smtp.auth">true</parameter>
</transportSender>
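The configuration steps above touch four separate files, and a setting that is missed in one of them (or a mail transport without STARTTLS, which would hand the emailed password to the relay in clear text) only shows up as a silent failure at login time. The following script is an added example, not code from the original post or from WSO2: it parses the relevant fragments of carbon.xml, identity.xml, identity-mgt.properties and the mailto transportSender from axis2.xml and reports every value that does not match the settings described above. The fragments embedded in it are constructed for the example (one of them is deliberately wrong); to check a real server, read the files under [IS_HOME]/repository/conf and pass their contents to the same functions.

```python
"""Sanity check for the WSO2 IS one-time-password setup described above.

Added example, not part of the original post or of WSO2's code. The sample
fragments are constructed; the function and constant names are the example's own.
"""
import xml.etree.ElementTree as ET

# Constructed fragments mirroring the post's settings (two are deliberately wrong).
CARBON_XML = "<Server><HideAdminServiceWSDLs>true</HideAdminServiceWSDLs></Server>"

IDENTITY_XML = """<Server><EventListeners>
<EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
  name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/>
</EventListeners></Server>"""

IDENTITY_MGT_PROPERTIES = """# constructed excerpt; the real file spreads these keys out
Notification.Sending.Enable=true
Notification.Sending.Internally.Managed=true
Authentication.Policy.Enable=true
Authentication.Policy.Check.OneTime.Password=false
"""

AXIS2_XML = """<axisconfig>
<transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
  <parameter name="mail.smtp.from">otp-sender@example.com</parameter>
  <parameter name="mail.smtp.user">otp-sender</parameter>
  <parameter name="mail.smtp.password">changeme</parameter>
  <parameter name="mail.smtp.host">smtp.example.com</parameter>
  <parameter name="mail.smtp.port">587</parameter>
  <parameter name="mail.smtp.starttls.enable">true</parameter>
  <parameter name="mail.smtp.auth">true</parameter>
</transportSender></axisconfig>"""

REQUIRED_PROPERTIES = {
    "Notification.Sending.Enable": "true",
    "Notification.Sending.Internally.Managed": "true",
    "Authentication.Policy.Enable": "true",
    "Authentication.Policy.Check.OneTime.Password": "true",
}
LISTENER = "org.wso2.carbon.identity.mgt.IdentityMgtEventListener"
MAIL_PARAMS = ("mail.smtp.from", "mail.smtp.user", "mail.smtp.password",
               "mail.smtp.host", "mail.smtp.port")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' and '!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_carbon(xml_text):
    """The admin SOAP services must be exposed: HideAdminServiceWSDLs=false."""
    node = ET.fromstring(xml_text).find(".//HideAdminServiceWSDLs")
    if node is None or (node.text or "").strip() != "false":
        return ["carbon.xml: HideAdminServiceWSDLs must be false"]
    return []


def check_identity(xml_text):
    """The identity-management event listener must be present and enabled."""
    for el in ET.fromstring(xml_text).iter("EventListener"):
        if el.get("name") == LISTENER:
            if el.get("enable") == "true":
                return []
            return ["identity.xml: IdentityMgtEventListener is not enabled"]
    return ["identity.xml: IdentityMgtEventListener is missing"]


def check_identity_mgt(props_text):
    """All four OTP-related properties must be true."""
    props = parse_properties(props_text)
    return ["identity-mgt.properties: %s should be %s (is %s)" % (k, v, props.get(k))
            for k, v in REQUIRED_PROPERTIES.items() if props.get(k) != v]


def check_mail_transport(xml_text):
    """The mailto transportSender must exist, be fully filled in, use STARTTLS and authenticate."""
    root = ET.fromstring(xml_text)
    sender = next((s for s in root.iter("transportSender") if s.get("name") == "mailto"), None)
    if sender is None:
        return ["axis2.xml: no mailto transportSender configured"]
    params = {p.get("name"): (p.text or "").strip() for p in sender.iter("parameter")}
    findings = ["axis2.xml: parameter %s is empty" % key for key in MAIL_PARAMS if not params.get(key)]
    if params.get("mail.smtp.starttls.enable") != "true":
        findings.append("axis2.xml: STARTTLS is off; emailed passwords would reach the relay in clear text")
    if params.get("mail.smtp.auth") != "true":
        findings.append("axis2.xml: mail.smtp.auth is not true")
    return findings


def check_all(carbon, identity, props, axis2):
    """Concatenate the findings of all four checks; an empty list means the setup matches."""
    return (check_carbon(carbon) + check_identity(identity)
            + check_identity_mgt(props) + check_mail_transport(axis2))


if __name__ == "__main__":
    for line in check_all(CARBON_XML, IDENTITY_XML, IDENTITY_MGT_PROPERTIES, AXIS2_XML) or ["all OTP settings match"]:
        print(line)
```

Run as-is it reports the two deliberate mistakes in the constructed fragments (HideAdminServiceWSDLs still true, the OneTime.Password policy still false). The STARTTLS and auth checks are there because the mail transport carries the actual password, so a relay connection that is not protected in transit is the first thing to verify after the functional settings.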
Setting the OTP to a user
We need to create a new claim that we will use to indicate that this user uses the OTP function. We will do so by adding a local claim. Fill in the values as shown in the screenshots and save the claim.
Check if everything is correct by opening the claims and search for the one you just added.
Now we need to create a new user and set the OTP claim to true. So let's create jackdoe as a user.
I already had a role (BasicUser) that allows login. If you do not want to create such a role, give the user admin privileges. When we reopen the profile, the OTP value now shows as a checkmark.
Logging in
So let’s log Jack Doe in.
We get to the User Portal so our login has succeeded.
When we try to log in again after logging out, we get this message:
This is because the OTP service has sent a new password.
As you can see, this mail contains the new password but does not look correct. The template used is the one for the (REST based) service. As a result the first name is not substituted: {user.claim.givenname}} appears literally in the email, and the new OTP password is shown between {} brackets as well.
The template uses the wrong layout. What we need to do is edit the email-admin-config.xml file in the email directory under the conf directory, as shown below, to get the right template. Do not forget to restart the Identity Server!
In that case the email shows the right values.
In theory this could also be done through the UI, but those changes are not saved to the configuration file. This is a minor bug for which a public JIRA entry has been made.
Thanks to Chinmaya Tripathy for his contribution to this blog.