Email OTP based user authentication (first factor)

[malshan1998]

Epic

Enabling the user authentication by using email OTP as the first factor.

Description

Many modern applications have the feature of authenticating users by using OTP, as first factor of authentication. It is important to include that feature in CIAM. This epic focuses on the addition of email OTP based user authentication feature.

Authentication flow

1. Open Application to Login
2. If Email OTP is configured as a first factor, enter the username of the user
3. User is redirected to the email OTP entering page
4. An email with OTP will be sent
5. User enters the OTP into the OTP entering page and click "Continue"
6. User will be logged in

Milestone plan

MVP-01 : Improving email OTP as a first factor

• [ ] <24/02/2023> Integrating the Identifier-first flow
• [ ] <28/02/2023> Handling the error when wrong username is added
• [ ] <01/03/2023> Asgardeo frontend restriction removal
• [ ] <02/03/2023> Unit tests
• [ ] <07/03/2023> E2E tests
• [ ] <07/03/2023> PR Review
• [ ] <08/03/2023> Documentation

MVP-02 : Finalise threat model doc

• [ ] <09/03/2023> Threat model doc

MVP-03 : Implementing security features

• [ ] <10/03/2023> Recaptcha integration
• [ ] <15/03/2023> Enabling the configuration of OTP strength
• [ ] <16/03/2023> Handling unit tests
• [ ] <20/03/2023> E2E tests
• [ ] <21/03/2023> PR review
• [ ] <22/03/2023> Documentation

[melanisilva]

• [ ] Is this document impacted?
• [ ] Is the end-to-end (e2e) testing complete?
• [ ] Are unit tests available?
• [ ] Are integration tests available?
• [ ] Has this feature been tested on the latest Jenkins build after merging the changes? (Please Attach Proof, Screenshots, Screen recordings)
• [ ] Are all the relevant sub-tasks updated as complete (e.g., Cloud readiness tasks and migrations, docs)?
• [ ] Have demo sessions been completed? (If yes, please attach the recording link)
• [ ] Does this change impact the on-prem environment only or required to be specifically onboarded to Asgardeo?

⭐ Please provide links to relevant Unit tests and integration tests

@amanda-ariyaratne Could we please have this checklist updated?

[amanda-ariyaratne]

• [x] Is this document impacted? https://github.com/wso2/product-is/issues/16845

• [ ] Is the end-to-end (e2e) testing complete? --> Not applicable for this feature

• [x] Are unit tests available? --> Added with this PR https://github.com/wso2-extensions/identity-outbound-auth-email-otp/pull/156

• [ ] Are integration tests available? --> No. There are no integration tests available for any of the email sending flows as there is no SMTP server being mocked in the test integration test suite. I am currently doing an analysis for how we can implement integration tests to cover email sending scenarios. For the alpha release, this is not a blocker.

• [x] Has this feature been tested on the latest Jenkins build after merging the changes? (Please Attach Proof, Screenshots, Screen recordings)

https://github.com/wso2/product-is/assets/28347418/f004bd9f-4d67-407a-b067-9e4f2d94f293

https://github.com/wso2/product-is/assets/28347418/ed16423f-3d1e-42f2-8594-ce08596e66fe

• [ ] Are all the relevant sub-tasks updated as complete (e.g., Cloud readiness tasks and migrations, docs)?

• [ ] Have demo sessions been completed? (If yes, please attach the recording link)

• [ ] Is this an IS-specific feature?