Hi,

Your suggestions for the new claim name[1] are highly appreciated.

[1] https://github.com/wso2/carbon-identity-framework/pull/1975

*Anuradha Karunarathna*
Intern-Software Engineering | WSO2, Inc.

On Sat, Nov 10, 2018 at 1:00 PM Anuradha Karunarathna <[email protected]> wrote:

> Hi,
>
> I have developed a new adaptive authentication script considering the
> number of failed login attempts of a user. Its basic scenario can be
> explained as follows.
>
> Let's consider a scenario where you want to prompt an additional level of
> authentication for a user who has exceeded a specific number of continuous
> failed login attempts. Also, you want to consider all the failed login
> attempts of a user until a successful login attempt, even if those
> continuous failed attempts are made over several days.
>
> For that purpose, the 'Failed Login Attempts' claim is used to keep track of
> the number of failed login attempts of a user. Since this number resets to
> 0 when a successful login happens, a new claim needs to be introduced to
> store the number of failed login attempts just before a successful login
> attempt. Here is the PR for that new claim[1].
>
> In order to update the number of failed login attempts, account locking
> under login resident IDP's login policies needs to be enabled. Therefore,
> the 'Failed Lockout Count' claim is also considered when counting the number
> of failed login attempts just before a success. The changes that need to be
> made in AccountLockHandler can be found here[2].
>
> Follow the instructions in [3] to test this template with WSO2is-5.7.0.
>
> The implemented script will be added as a default template under script
> based adaptive authentication since it is a common use case.
>
> -Script-
>
> // This variable is used to define the number of invalid attempts allowed
> // before prompting the second factor
> var invalidAttemptsToStepup = 3;
>
> var failedLoginAttemptsBeforeSuccessClaim = 'http://wso2.org/claims/identity/failedLoginAttemptsBeforeSuccess';
>
> function onLoginRequest(context) {
>     doLogin(context);
> }
>
> function doLogin(context) {
>     executeStep(1, {
>         onSuccess : function(context) {
>             var user = context.steps[1].subject;
>             if (isExceedInvalidAttempts(user)) {
>                 executeStep(2);
>             }
>         },
>         onFail : function(context) {
>             // Retry the login..
>             doLogin(context);
>         }
>     });
> }
>
> function isExceedInvalidAttempts(user) {
>     if (user.localClaims[failedLoginAttemptsBeforeSuccessClaim] >= invalidAttemptsToStepup) {
>         return true;
>     } else {
>         return false;
>     }
> }
>
> [1] https://github.com/wso2/carbon-identity-framework/pull/1975
> [2] https://github.com/wso2-extensions/identity-event-handler-account-lock/pull/49
> [3] https://docs.google.com/document/d/1fHhLDnXtAJYcxx2rZinTF1-SCmZnhh98kFhUicibpFQ/edit?usp=sharing
>
> *Anuradha Karunarathna*
> Intern-Software Engineering | WSO2, Inc.
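The claim bookkeeping described in the message above, as an added example that is not part of the original mail and is not WSO2 code. It is a simplified model: `newUser`, `recordLogin`, `needsStepUp` and `replay` are hypothetical names, and the rule that a lockout resets the running counter and that the stored value is attempts plus lockouts times the lock threshold is an assumption about how the lockout count is folded in.

```javascript
// Added illustration, not WSO2 code. Assumed model: reaching maxFailedAttempts locks
// the account, resets failedLoginAttempts to 0 and increments failedLockoutCount.
const BEFORE_SUCCESS_CLAIM =
  'http://wso2.org/claims/identity/failedLoginAttemptsBeforeSuccess';

function newUser() {
  return { failedLoginAttempts: 0, failedLockoutCount: 0, locked: false, localClaims: {} };
}

// Hypothetical handler: updates the counters for one login attempt.
function recordLogin(user, passwordOk, maxFailedAttempts) {
  if (user.locked) return 'locked';            // locked accounts reject every attempt
  if (!passwordOk) {
    user.failedLoginAttempts += 1;
    if (user.failedLoginAttempts < maxFailedAttempts) return 'failed';
    user.failedLoginAttempts = 0;              // lockout resets the running counter
    user.failedLockoutCount += 1;
    user.locked = true;
    return 'locked';
  }
  // Success: snapshot the failures since the last success, then reset both counters.
  const total = user.failedLoginAttempts + user.failedLockoutCount * maxFailedAttempts;
  user.localClaims[BEFORE_SUCCESS_CLAIM] = String(total); // assumed stored as a string
  user.failedLoginAttempts = 0;
  user.failedLockoutCount = 0;
  return 'success';
}

// Same decision as isExceedInvalidAttempts(), with an explicit numeric parse so a
// missing or non-numeric claim is treated as "no recorded failures".
function needsStepUp(user, threshold) {
  const n = parseInt(user.localClaims[BEFORE_SUCCESS_CLAIM], 10);
  return Number.isFinite(n) && n >= threshold;
}

// Replays constructed events ('bad', 'ok', 'unlock') against a fresh user.
function replay(events, maxFailedAttempts, threshold) {
  const user = newUser();
  for (const e of events) {
    if (e === 'unlock') user.locked = false;
    else recordLogin(user, e === 'ok', maxFailedAttempts);
  }
  return { claim: user.localClaims[BEFORE_SUCCESS_CLAIM], stepUp: needsStepUp(user, threshold) };
}

// Constructed sample: lock after 2 failures, step up at 3.
console.log(replay(['bad', 'bad', 'unlock', 'bad', 'ok'], 2, 3));
```

In the constructed sample the running counter alone would read 1 at the successful login; counting the lockout brings the stored value to 3, which is what triggers the second step.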
