okta / okta-mobile-swift

https://github.com/okta/okta-mobile-swift
Apache License 2.0

Email OTP login with Okta mobile swift ‘OktaDirectAuth’ #186

Closed cesmejia closed 2 days ago

cesmejia commented 4 months ago

Describe the bug?

I'm working with the OktaDirectAuth library… I was wondering if this library supports entering an email OTP code to log in ‘natively’ (without WebAuthenticationUI).

It looks like email does not count as OTP (and probably SMS doesn't either): an email OTP never works, but if you try Google Authenticator or Okta Verify, they work without any issues…

What is expected to happen?

Using OktaDirectAuth: When getting an OTP via email (via factors/verify API), you should be able to log in.

What is the actual behavior?

I just tried using the Okta Authentication API to send an OTP via email ({{url}}/api/v1/users/{{userId}}/factors/{{factorId}}/verify). I'm getting the code, but when I try to use that code in the Okta-mobile-swift OktaDirectAuth app it says the OTP is incorrect.


Reproduction Steps?

  1. Run the DirectAuthentication demo from the samples
  2. Send an OTP code via email using the Okta factors API: ({{url}}/api/v1/users/{{userId}}/factors/{{factorId}}/verify)
  3. In the app, select 'One-time-code'
  4. Check your email and get the code
  5. Click the Sign-In button
  6. You get an error alert: 'otp' provided is either empty or incorrect

Additional Information?

No response

SDK Version(s)

1.7.1

Build Information

No response

mikenachbaur-okta commented 1 month ago

@cesmejia In this case the otp option refers to a time-based OTP code used by various authenticator apps (see the OTP primary factor SDK docs and the underlying server API documentation).

For SMS verification you'd want to look at the OOB (aka "out-of-band") authentication factor, using the SMS OOB Channel.

That should do what you want. If you want to test the workflow in your own environment, you can try the DirectAuth sample application.
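As an added example, not code from this issue or from the SDK's own samples: a small Swift helper that routes each verification method to the factor described in the comment above, so an emailed code is never submitted as if it were a TOTP value. `DirectAuthenticationFlow.PrimaryFactor.otp(code:)`, `.oob(channel:)` and `OOBChannel.sms` are the SDK names linked in this thread; the initializer labels (`issuer:clientId:scopes:`), `start(_:with:)` and the `Status` type are assumed from the SDK's documented usage and should be checked against the version you build with.

```swift
import Foundation
import OktaDirectAuth

// What the user actually has in hand when signing in.
enum CodeSource {
    case authenticatorApp(code: String)   // TOTP from Google Authenticator / Okta Verify
    case smsToPhone                       // server delivers the code out-of-band via SMS
    case emailCode                        // not offered by the Direct Auth server APIs (see thread)
}

enum FactorSelectionError: Error {
    case emailNotSupportedByDirectAuth
}

/// Maps the user's chosen method to the SDK's PrimaryFactor.
/// `.otp(code:)` expects a time-based code from an authenticator app, not a code
/// delivered by email or SMS; SMS delivery is the `.oob(channel: .sms)` factor.
func primaryFactor(for source: CodeSource) throws -> DirectAuthenticationFlow.PrimaryFactor {
    switch source {
    case .authenticatorApp(let code):
        return .otp(code: code)
    case .smsToPhone:
        return .oob(channel: .sms)
    case .emailCode:
        // Fail loudly instead of sending the emailed code as a TOTP value, which is
        // what produces "'otp' provided is either empty or incorrect".
        throw FactorSelectionError.emailNotSupportedByDirectAuth
    }
}

/// Starts the Direct Auth flow with the selected factor. Initializer labels and
/// `start(_:with:)` are assumed from the SDK docs, not taken from this thread.
func signIn(username: String, using source: CodeSource) async throws -> DirectAuthenticationFlow.Status {
    let flow = DirectAuthenticationFlow(issuer: URL(string: "https://{yourOktaDomain}")!, // placeholder
                                        clientId: "{clientId}",                            // placeholder
                                        scopes: "openid profile offline_access")
    let factor = try primaryFactor(for: source)
    // For `.oob(channel: .sms)` the SDK waits for the out-of-band verification to
    // complete; for `.otp(code:)` the code is submitted directly. The returned status
    // is either `.success(token)` or `.mfaRequired`, which the caller resumes.
    return try await flow.start(username, with: factor)
}
```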

cesmejia commented 1 month ago

Thanks a lot for your answer Alex! What about email? Is it also oob?

On Thu 11 Jul 2024 at 4:50 p.m. Alex Nachbaur wrote:

@cesmejia https://github.com/cesmejia In this case the otp option refers to a time-based OTP code used by various authenticator apps (see the OTP primary factor SDK docs https://okta.github.io/okta-mobile-swift/development/oktadirectauth/documentation/oktadirectauth/directauthenticationflow/primaryfactor/otp(code:) and the underlying server API documentation https://developer.okta.com/docs/guides/configure-direct-auth-grants/aotp/main/ ).

For SMS verification you'd want to look at the OOB (aka "out-of-band") authentication factor https://okta.github.io/okta-mobile-swift/development/oktadirectauth/documentation/oktadirectauth/directauthenticationflow/primaryfactor/oob(channel:), using the SMS OOB Channel https://okta.github.io/okta-mobile-swift/development/oktadirectauth/documentation/oktadirectauth/directauthenticationflow/oobchannel/sms .

That should do what you want. If you want to test the workflow in your own environment, you can try the DirectAuth sample application https://github.com/okta/okta-mobile-swift/tree/master/Samples/DirectAuthSignIn .


mikenachbaur-okta commented 2 days ago

@cesmejia Email would be considered an OOB factor, similar to Phone, but it is not currently supported by the Direct Auth server APIs. As soon as support is introduced on the server however, those capabilities will be exposed in this SDK at that time.

Please feel free to "watch" this project to be notified of upcoming releases.