...
We use Google Authenticator, a "Time-based One-time Password" (TOTP, RFC 6238) implementation.
Switching on MFA
As an authenticated user that has editing rights on the target user:
PUT {{baseUrl}}/users/{userId}/googleauth
Body: {"enabled":true}
Result: user DTO
{ ... "googleAuthEnabled": true, "googleAuthPending": true, ... }
[users] /users/{userId}/googleauth
Calling this endpoint sets the two flags above for the user. They indicate that MFA is enabled from now on and that the "enrollment" (the exchange of the shared secret with the authenticator app) is still pending.
...
Switching on MFA for a user that already has it enabled sets both flags to "true" again and starts a new "enrollment": the next login of that user behaves like the first enrollment login described below.
Authenticating using MFA
After switching on MFA, a shared secret has to be exchanged during the first login:
...
Enroll, step 1:
In the first step, we log in with user name and password:
POST {{baseUrl}}/app/auth
Body: {"username":"example@azeti.net","password":"Welcome123"}
Result: a reduced app object
{ ... "token" :"eyJh....", "nextAuthentications": [ "GOOGLE_AUTH" ], "secret": "M5EDV7WC2CMEWWPO" ... }
[app-login-controller] /app/auth
...
A specific appConfig is returned for MFA users:
token is not the regular authentication token, but a special factor-1 token. It can only be used to authenticate against the endpoint that we call in the next step; it does not grant access to the rest of the API.
...
After the account has been created in the mobile app, the app shows six-digit verification codes that change after a short time interval (every 30 seconds in Google Authenticator).
...
Enroll, step 2:
We use the above factor-1 token and the verification code that the mobile app currently shows for the new account, in this example "453453":
Header: X-Authorization: {{token}}
POST {{baseUrl}}/app/mfauth
Body: { "googleAuth": "453453"}
Result: regular app object
...
[app-login-controller] /app/mf-auth
After this step, the user is successfully logged in, meaning the returned token is a regular token.
The "googleAuthPending" flag for this user is now set to "false"; "googleAuthEnabled" is still "true".
...
Login, step 1:
From now on, MFA logins no longer exchange the secret ("secret" is returned as null); everything else works the same.
POST {{baseUrl}}/app/auth
Body: {"username":"example@azeti.net","password":"Welcome123"}
Result: a reduced app object
{ ... "token" :"eyJh....", "nextAuthentications": [ "GOOGLE_AUTH" ], "secret": null, ... }
[app-login-controller] /app/auth
Login, step 2:
We use the above factor-1 token and the verification code that the mobile app currently shows, in this example "345645":
Header: X-Authorization: {{token}}
POST {{baseUrl}}/app/mfauth
Body: { "googleAuth": "345645"}
Result: regular app object
...
[app-login-controller] /app/mf-auth
After this step, the user is successfully logged in, meaning the returned token is a regular token.
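The whole flow above (switching on MFA, the enrollment login that hands out the secret, and the later logins that do not) as an added, runnable example. This is not azeti's code and not the real API: `FakeServer` is an in-memory stand-in for `{{baseUrl}}` that implements the state machine the text describes, so the script runs offline. Assumptions not stated on the page: the server verifies the code as RFC 6238 TOTP (HMAC-SHA1, 30-second step, six digits, which is what Google Authenticator computes from a base32 secret), it accepts one step of clock skew either way, the factor-1 token is single-use, the `userId` in the PUT path is the user's login name, and the admin-side permission check on the PUT is omitted.

```python
"""Added example: MFA enrollment and login against the flow described above.
Not azeti's code. FakeServer is an in-memory stand-in for the real API (assumption)."""
import base64, hashlib, hmac, secrets, struct, time


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) over a base32 secret, as Google Authenticator shows it."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class FakeServer:
    """Stand-in for {{baseUrl}} implementing the state machine in the text (assumption)."""

    def __init__(self, clock=time.time):
        self.users = {"example@azeti.net": {"password": "Welcome123", "googleAuthEnabled": False,
                                            "googleAuthPending": False, "secret": None}}
        self.factor1 = {}          # factor-1 token -> username; single-use (assumption)
        self.clock = clock

    def handle(self, method, path, headers=None, body=None):
        headers, body = headers or {}, body or {}
        if method == "PUT" and path.endswith("/googleauth"):      # /users/{userId}/googleauth
            user = self.users[path.split("/")[2]]                 # userId == login name (assumption)
            if body.get("enabled"):                               # (re-)start enrollment: new secret
                user.update(googleAuthEnabled=True, googleAuthPending=True,
                            secret=base64.b32encode(secrets.token_bytes(10)).decode())
            else:
                user.update(googleAuthEnabled=False, googleAuthPending=False, secret=None)
            return 200, {k: v for k, v in user.items() if k not in ("password", "secret")}
        if method == "POST" and path == "/app/auth":              # step 1: password
            user = self.users.get(body.get("username"))
            if user is None or not hmac.compare_digest(user["password"], body.get("password", "")):
                return 401, {"error": "bad credentials"}
            if not user["googleAuthEnabled"]:
                return 200, {"token": "regular-" + secrets.token_hex(8), "nextAuthentications": []}
            tok = "factor1-" + secrets.token_hex(8)
            self.factor1[tok] = body["username"]
            return 200, {"token": tok, "nextAuthentications": ["GOOGLE_AUTH"],
                         "secret": user["secret"] if user["googleAuthPending"] else None}
        if method == "POST" and path == "/app/mfauth":            # step 2: TOTP code
            username = self.factor1.pop(headers.get("X-Authorization"), None)
            if username is None:
                return 401, {"error": "factor-1 token required"}
            user, now, given = self.users[username], self.clock(), str(body.get("googleAuth"))
            if not any(hmac.compare_digest(totp(user["secret"], now + d), given) for d in (-30, 0, 30)):
                return 401, {"error": "bad verification code"}   # one-step skew window (assumption)
            user["googleAuthPending"] = False
            return 200, {"token": "regular-" + secrets.token_hex(8), "nextAuthentications": []}
        return 404, {}


def mfa_login(send, username, password, secret_store, at=None):
    """Client side: /app/auth, then /app/mfauth with the factor-1 token and a TOTP code.
    secret_store plays the role of the authenticator app (keeps the enrolled secret)."""
    status, app = send("POST", "/app/auth", None, {"username": username, "password": password})
    if status != 200:
        raise PermissionError(app)
    if "GOOGLE_AUTH" not in app.get("nextAuthentications", []):
        return app["token"]                                       # no MFA: already a regular token
    if app.get("secret"):                                         # enrollment login: secret handed out once
        secret_store[username] = app["secret"]
    code = totp(secret_store[username], at)
    status, app = send("POST", "/app/mfauth", {"X-Authorization": app["token"]}, {"googleAuth": code})
    if status != 200:
        raise PermissionError(app)
    return app["token"]


if __name__ == "__main__":
    srv, store = FakeServer(), {}
    print(srv.handle("PUT", "/users/example@azeti.net/googleauth", None, {"enabled": True}))
    print("enrollment login:", mfa_login(srv.handle, "example@azeti.net", "Welcome123", store))
    print("later login:     ", mfa_login(srv.handle, "example@azeti.net", "Welcome123", store))
```

Two points worth noticing when running it: the second `/app/auth` returns `"secret": null` because `googleAuthPending` was cleared by the first successful `/app/mfauth`, and a client whose clock is far off gets a 401 and is sent back to step 1, since the factor-1 token is consumed by the attempt (one code guess per password login, a cheap brute-force limiter in this fake; whether the real API does the same is not stated on the page).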
...