...

We choose Google Authenticator, a "Time-based One-time Password" (TOTP) implementation.

Switching on MFA

As an authenticated user that has editing rights for the targeted user:

PUT
{{baseUrl}}/users/{userId}/googleauth

Body:
{"enabled":true}

Result
user dto: { ... "googleAuthEnabled": true, "googleAuthPending": true, ... }

Calling this endpoint sets the two flags above for the user. They indicate that MFA is enabled from now on and that the "enrollment" is still pending.

...

Switching on MFA for a user who already has it enabled sets both flags to "true" again, which starts a new "enrollment".

Authenticating using MFA

After switching on MFA, a shared secret has to be exchanged during the first login:

...

Enroll, step 1:

In the first step, we login with user name and password:

POST
{{baseUrl}}/app/auth

Body:
{"username":"example@azeti.net","password":"Welcome123"}

Result
A reduced app object:

{
...
   "token" :"eyJh....",
   "nextAuthentications": [
        "GOOGLE_AUTH"
    ],
    "secret": "M5EDV7WC2CMEWWPO"
...
}

...

A specific appConfig is returned for MFA users:

token is not the regular authentication token but a special factor-1 token. It can only be used to authenticate against the endpoint that we call in the next step.

...

After creating the account, the mobile app shows verification codes that change after a short time interval.

...

Enroll, step 2:

We use the above factor-1 token and the verification code, in this example "453453", that the mobile app currently shows for the new account.

Header : X-Authorization: {{token}}
POST
{{baseUrl}}/app/mfauth

Body:
{ "googleAuth": "453453"}

Result
Regular app object:
...

After this step the user is successfully logged in, meaning the returned token is a regular token.

The "googleAuthPending" flag for this user is now set to "false"; googleAuthEnabled is still "true".

...

Login, step 1:

From now on, MFA logins no longer exchange the secret. Everything else works the same.

POST
{{baseUrl}}/app/auth

Body:
{"username":"example@azeti.net","password":"Welcome123"}

Result
A reduced app object:

{
...
   "token" :"eyJh....",
   "nextAuthentications": [
        "GOOGLE_AUTH"
    ],
    "secret": null,
...
}

Subsequent logins, step 2:

We use the above factor-1 token and the verification code, in this example "345645", that the mobile app currently shows.

Header : X-Authorization: {{token}}
POST
{{baseUrl}}/app/mfauth

Body:
{ "googleAuth": "345645"}

Result
Regular app object:
...

After this step the user is successfully logged in, meaning the returned token is a regular token.
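The whole sequence described above (enable MFA for a user, then the two-step login that covers both the first enrollment and every later login) as one client, added here as an example; it is not the page's or azeti's code. It assumes only what the page shows: the three endpoints, the JSON bodies, the X-Authorization header, and that a non-null "secret" in the step-1 response means enrollment is pending. BASE_URL is a constructed placeholder for {{baseUrl}}, and the request-building functions and login helper are hypothetical names.

```python
import json
import urllib.request
from typing import Callable, Optional

# Constructed placeholder; substitute the deployment's real {{baseUrl}}.
BASE_URL = "https://example.invalid"


def build_request(method: str, path: str, body: dict, token: Optional[str] = None) -> urllib.request.Request:
    """JSON request against BASE_URL; the token, when given, goes into X-Authorization."""
    req = urllib.request.Request(BASE_URL + path, data=json.dumps(body).encode("utf-8"), method=method)
    req.add_header("Content-Type", "application/json")
    if token is not None:
        req.add_header("X-Authorization", token)
    return req


def enable_mfa_request(editor_token: str, user_id: str) -> urllib.request.Request:
    """PUT /users/{userId}/googleauth with {"enabled": true}, as the user that may edit the target."""
    return build_request("PUT", f"/users/{user_id}/googleauth", {"enabled": True}, editor_token)


def auth_step1_request(username: str, password: str) -> urllib.request.Request:
    """POST /app/auth: password login, returns a factor-1 token for MFA users."""
    return build_request("POST", "/app/auth", {"username": username, "password": password})


def auth_step2_request(factor1_token: str, code: str) -> urllib.request.Request:
    """POST /app/mfauth: the factor-1 token is only good for this call."""
    return build_request("POST", "/app/mfauth", {"googleAuth": code}, factor1_token)


def send(req: urllib.request.Request) -> dict:
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def needs_second_factor(step1: dict) -> bool:
    return "GOOGLE_AUTH" in (step1.get("nextAuthentications") or [])


def is_enrollment(step1: dict) -> bool:
    """Only the first MFA login carries the shared secret; afterwards it is null."""
    return step1.get("secret") is not None


def login(username: str, password: str, get_code: Callable[[Optional[str]], str]) -> str:
    """Runs step 1 and, for MFA users, step 2; returns the regular token.

    get_code receives the base32 secret on enrollment (the caller has to put it
    into the authenticator app first) and None on later logins, and returns the
    code the app currently shows.
    """
    step1 = send(auth_step1_request(username, password))
    if not needs_second_factor(step1):
        return step1["token"]
    code = get_code(step1["secret"] if is_enrollment(step1) else None)
    step2 = send(auth_step2_request(step1["token"], code))
    return step2["token"]  # the factor-1 token from step 1 must not be reused after this point


if __name__ == "__main__":
    # Interactive use: prompts for the code; on enrollment it prints the secret to add to the app.
    def prompt(secret: Optional[str]) -> str:
        if secret:
            print("enrollment pending, add this secret to Google Authenticator:", secret)
        return input("verification code shown by the app: ")

    print(login("example@azeti.net", "Welcome123", prompt))
```

The step-1 responses on this page are what is_enrollment distinguishes: "secret": "M5EDV7WC2CMEWWPO" the first time, "secret": null afterwards.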

...