guardian / gateway

🕵️🆔👤The platform for authentication at (profile.)theguardian.com
https://profile.theguardian.com

Passwordless | Add additional IDX API endpoints required #2833

Closed coldlink closed 1 month ago

coldlink commented 1 month ago

What does this change?

In order to step towards passwordless authentication, with OTPs (One Time Passcodes) being an option for sign-in and account recovery at the Guardian, we need to add some additional Okta IDX API endpoints to facilitate this that weren't required when we implemented social authentication and create account with OTPs.

This PR simply sets up these API endpoints, but does not use them anywhere.

Some refactoring was also performed to share similar objects with different endpoints.

/identify

Used to start the authentication process for an existing user. Available after the initial call to the /introspect endpoint.

This endpoint takes the stateHandle, as with other endpoints, which identifies the current request state and context. It also takes an identifier parameter, which is the user's email, and a rememberMe property, which is a boolean that in our case will always be true.

The response object will include a remediation with the select-authenticator-authenticate name. This includes a list of authenticators that the user can authenticate with by calling the /challenge endpoint. This includes the email authenticator, which is required for OTP authentication, and the password authenticator, for authentication with a password.

/challenge

Used to initiate an authentication request for a given authenticator.

Takes the stateHandle. Also takes an authenticator object, which is used to identify the authenticator to use. This has the id of the authenticator, and a methodType parameter, which is either email or password.

The response includes a remediation with the challenge-authenticator name, which has information on how to verify the given authenticator. In our case this involves sending a credentials object, which includes the passcode value (the value of the authenticator, whether that's a passcode or password), and the state handle to the /challenge/answer endpoint, which has previously been implemented.

/recover

This endpoint becomes available if selecting the password authenticator after calling the /identify endpoint.

This is used in order to initiate a password reset flow.

It just takes the stateHandle in the body.

The response will include an authenticator-verification-data remediation name. Like /identify, it is a list of authenticators which can be used to verify that the user is able to perform this request. In this case the only available authenticator will be email. As with /identify, the /challenge endpoint must be called with the given authenticator.
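The flow the four endpoints describe, as an added example that is not guardian/gateway's or Okta's code: an in-memory fake of the IDX state machine using the remediation names from this PR, plus a client that walks the remediations to perform OTP sign-in and to start password recovery. Endpoint paths, field names and remediation names are the ones the PR lists; everything else (response shape, authenticator ids, the constructed user directory, the attempt limit, the rule that /identify never reveals whether an account exists) is an assumption of this example.

```typescript
// Added example, not guardian/gateway or Okta code: an in-memory model of the IDX
// remediation flow (/introspect -> /identify -> /challenge -> /challenge/answer,
// with /recover after choosing the password authenticator). Shapes are assumed.
type MethodType = 'email' | 'password';
interface Authenticator { id: string; methodType: MethodType }
interface Remediation { name: string; authenticators?: Authenticator[] }
interface IdxResponse { stateHandle: string; remediation: Remediation[]; success?: boolean; error?: string }

// Constructed user directory; a real deployment generates and emails the OTP per challenge.
const USERS: Record<string, { password: string; otp: string }> = {
  'alice@example.com': { password: 'correct-horse-battery', otp: '482913' },
};
const AUTHENTICATORS: Authenticator[] = [
  { id: 'aut-email', methodType: 'email' },
  { id: 'aut-password', methodType: 'password' },
];
const MAX_ANSWER_ATTEMPTS = 3; // assumed lockout threshold per state handle

// Server-side state keyed by stateHandle; each step is only reachable from the previous one.
interface FlowState {
  step: 'introspected' | 'identified' | 'challenged' | 'recovering';
  email?: string; rememberMe?: boolean; authenticator?: Authenticator; attempts: number;
}
const flows = new Map<string, FlowState>();
let handleCounter = 0;

function reply(stateHandle: string, remediation: Remediation[], extra: { success?: boolean; error?: string } = {}): IdxResponse {
  return { stateHandle, remediation, ...extra };
}

function introspect(): IdxResponse {
  const stateHandle = `sh-${++handleCounter}`;
  flows.set(stateHandle, { step: 'introspected', attempts: 0 });
  return reply(stateHandle, [{ name: 'identify' }]);
}

function identify(req: { stateHandle: string; identifier: string; rememberMe: boolean }): IdxResponse {
  const f = flows.get(req.stateHandle);
  if (!f || f.step !== 'introspected') return reply(req.stateHandle, [], { error: 'invalid state' });
  f.step = 'identified'; f.email = req.identifier; f.rememberMe = req.rememberMe;
  // Offer both authenticators whether or not the user exists, so this step does not
  // confirm account existence; the credential check happens at /challenge/answer.
  return reply(req.stateHandle, [{ name: 'select-authenticator-authenticate', authenticators: AUTHENTICATORS }]);
}

function challenge(req: { stateHandle: string; authenticator: { id: string; methodType: MethodType } }): IdxResponse {
  const f = flows.get(req.stateHandle);
  if (!f || f.step !== 'identified') return reply(req.stateHandle, [], { error: 'invalid state' });
  const auth = AUTHENTICATORS.find(a => a.id === req.authenticator.id && a.methodType === req.authenticator.methodType);
  if (!auth) return reply(req.stateHandle, [], { error: 'unknown authenticator' });
  f.step = 'challenged'; f.authenticator = auth;
  const remediation: Remediation[] = [{ name: 'challenge-authenticator', authenticators: [auth] }];
  if (auth.methodType === 'password') remediation.push({ name: 'recover' }); // /recover only offered after password
  return reply(req.stateHandle, remediation);
}

function challengeAnswer(req: { stateHandle: string; credentials: { passcode: string } }): IdxResponse {
  const f = flows.get(req.stateHandle);
  if (!f || f.step !== 'challenged' || !f.authenticator || !f.email) return reply(req.stateHandle, [], { error: 'invalid state' });
  if (++f.attempts > MAX_ANSWER_ATTEMPTS) { flows.delete(req.stateHandle); return reply(req.stateHandle, [], { error: 'too many attempts' }); }
  const user = USERS[f.email];
  const expected = f.authenticator.methodType === 'email' ? user?.otp : user?.password;
  if (expected === undefined || expected !== req.credentials.passcode) return reply(req.stateHandle, [], { error: 'invalid credentials' });
  flows.delete(req.stateHandle); // the state handle is single-use once authentication succeeds
  return reply(req.stateHandle, [], { success: true });
}

function recover(req: { stateHandle: string }): IdxResponse {
  const f = flows.get(req.stateHandle);
  if (!f || f.step !== 'challenged' || f.authenticator?.methodType !== 'password') return reply(req.stateHandle, [], { error: 'invalid state' });
  f.step = 'recovering';
  // Only the email authenticator can prove the user is allowed to reset the password.
  return reply(req.stateHandle, [{ name: 'authenticator-verification-data', authenticators: AUTHENTICATORS.filter(a => a.methodType === 'email') }]);
}

// Client side: select authenticators from the remediations instead of hard-coding ids.
function pick(res: IdxResponse, name: string, methodType: MethodType): Authenticator | undefined {
  return res.remediation.find(r => r.name === name)?.authenticators?.find(a => a.methodType === methodType);
}

function signInWithOtp(email: string, otp: string): boolean {
  const s = introspect();
  const idRes = identify({ stateHandle: s.stateHandle, identifier: email, rememberMe: true });
  const emailAuth = pick(idRes, 'select-authenticator-authenticate', 'email');
  if (!emailAuth) return false;
  challenge({ stateHandle: s.stateHandle, authenticator: { id: emailAuth.id, methodType: emailAuth.methodType } });
  return challengeAnswer({ stateHandle: s.stateHandle, credentials: { passcode: otp } }).success === true;
}

function startPasswordRecovery(email: string): MethodType[] {
  const s = introspect();
  const idRes = identify({ stateHandle: s.stateHandle, identifier: email, rememberMe: true });
  const pwAuth = pick(idRes, 'select-authenticator-authenticate', 'password');
  if (!pwAuth) return [];
  const chRes = challenge({ stateHandle: s.stateHandle, authenticator: { id: pwAuth.id, methodType: pwAuth.methodType } });
  if (!chRes.remediation.some(r => r.name === 'recover')) return [];
  const recRes = recover({ stateHandle: s.stateHandle });
  return (recRes.remediation.find(r => r.name === 'authenticator-verification-data')?.authenticators ?? []).map(a => a.methodType);
}
```

The two points worth checking against a real IDX integration are the ones the fake enforces: every endpoint rejects a stateHandle that has not passed through the preceding step, and /challenge/answer counts attempts so an OTP cannot be brute-forced against a single handle.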

github-actions[bot] commented 1 month ago

Deploy build 9733 of identity:identity-gateway to CODE

All deployment options
- [Deploy build 9733 of `identity:identity-gateway` to CODE](https://riffraff.gutools.co.uk/deployment/deployAgain?project=identity%3Aidentity-gateway&build=9733&stage=CODE&updateStrategy=MostlyHarmless&action=deploy)
- [Deploy parts of build 9733 to CODE by previewing it first](https://riffraff.gutools.co.uk/preview/yaml?project=identity%3Aidentity-gateway&build=9733&stage=CODE&updateStrategy=MostlyHarmless)
- [What's on CODE right now?](https://riffraff.gutools.co.uk/deployment/history?projectName=identity%3Aidentity-gateway&stage=CODE)

From guardian/actions-riff-raff.