Skip to content

Add support for OOB multi-factor authentication #632

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jul 20, 2021
Merged

Add support for OOB multi-factor authentication #632

merged 6 commits into from
Jul 20, 2021

Conversation

lbalmaceda
Copy link
Contributor

@lbalmaceda lbalmaceda commented Jul 20, 2021
edited
Loading

Changes

Whenever an mfa_required error is received from the server, and before showing the "MFA prompt" screen, the SDK will attempt to send an MFA challenge request to the registered OOB factor. If the user doesn't have any, the request will fail but the user will still be able to complete the authentication using the OTP generated from their favorite app.

This PR also bumps the dependencies and commits the line-endings setting so every IDE will pick up.

References

See SDK-2658.

Videos showing the usage

MFA with SMS (OOB)

MFA-SMS-Success.mp4

MFA with OTP (fallback, always available)

MFA-OTP.mp4

Testing

Some tests regarding legacy use cases, those related to /oauth/ro MFA, were removed. Functionality is unaffected.

  • This change adds unit test coverage

  • This change adds integration/UI test coverage

  • This change has been tested on the latest version of the platform/language or why not

Checklist

@lbalmaceda lbalmaceda added CH: Added medium Medium review labels Jul 20, 2021
@lbalmaceda lbalmaceda requested a review from a team as a code owner July 20, 2021 12:59
@lbalmaceda lbalmaceda added this to the v3-Next milestone Jul 20, 2021
lbalmaceda
lbalmaceda commented Jul 20, 2021
View reviewed changes
lib/src/main/java/com/auth0/android/lock/LockActivity.java
@@ -403,14 +431,16 @@ public void onDatabaseAuthenticationRequest(@NonNull DatabaseLoginEvent event) {
AuthenticationAPIClient apiClient = options.getAuthenticationAPIClient();
AuthenticationRequest request;
Map<String, String> parameters = new HashMap<>(options.getAuthenticationParameters());
if (TextUtils.isEmpty(event.getMFAToken()) || TextUtils.isEmpty(event.getVerificationCode())) {
if (TextUtils.isEmpty(event.getMultifactorToken())) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if there's no mfa_token, then log in normally

lib/src/main/java/com/auth0/android/lock/LockActivity.java
if (!TextUtils.isEmpty(event.getVerificationCode())) {
parameters.put(KEY_VERIFICATION_CODE, event.getVerificationCode());
}
} else if (MFA_CHALLENGE_TYPE_OOB.equals(lastDatabaseLogin.getMultifactorChallengeType())) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if there's an mfa_token and also the challenge type is "oob", complete the verification using OOB

lib/src/main/java/com/auth0/android/lock/LockActivity.java
} else {
request = apiClient.loginWithOTP(event.getMFAToken(), event.getVerificationCode());
// otp multi-factor authentication
request = apiClient.loginWithOTP(event.getMultifactorToken(), event.getMultifactorOTP());
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

otherwise, complete the verification using the OTP

lib/src/main/java/com/auth0/android/lock/LockActivity.java
});
if (error.isMultifactorRequired()) {
String mfaToken = (String) error.getValue(KEY_MFA_TOKEN);
requestMFAChallenge(mfaToken);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this logic was moved into a separate function requestMFAChallenge

lib/src/test/java/com/auth0/android/lock/LockActivityTest.java
@@ -440,50 +521,6 @@ public void shouldCallOIDCDatabaseSignInWithCustomAudience() {
assertThat(reqParams, hasEntry("extra", "value"));
}

@Test
public void shouldCallLegacyDatabaseSignInWithUsername() {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

legacy tests for /oauth/ro MFA, removed

@lbalmaceda lbalmaceda merged commit 35aca75 into main Jul 20, 2021
@lbalmaceda lbalmaceda deleted the feat-mfa-oob branch July 20, 2021 14:23
@lbalmaceda lbalmaceda modified the milestones: v3-Next, 3.1.0 Jul 20, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@evansims evansims evansims approved these changes

Assignees
No one assigned
Labels
CH: Added medium Medium review
Projects
None yet
Milestone
3.1.0
Development

Successfully merging this pull request may close these issues.
2 participants
@lbalmaceda @evansims