Re: [Architecture] [RRT] Forcing the challenge question for Identity Server

2018-05-30 Thread Indunil Upeksha Rathnayake
Hi Rosen,

In the PostAuthenticationHandler, from the authentication context, you can
retrieve the authenticated user and the tenant domain. From the
PostAuthenticationHandler, the ChallengeQuestionManager OSGi service [1] can be
invoked to get the challenge questions that the authenticated user has not
answered.

You can refer to the pre and post flows in ConsentMgtPostAuthnHandler [2], which we
are currently using for retrieving and managing user consent. From that,
you will be able to get some idea of the consent page redirection from the
PostAuthenticationHandler and of retrieving the user claims for which the
user has provided consent. I think, in your case also, you may be able to
use the same approach.

[1]
https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/ChallengeQuestionManager.java
[2]
https://github.com/wso2/carbon-identity-framework/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/consent/ConsentMgtPostAuthnHandler.java#L188

Thanks and Regards

On Tue, May 29, 2018 at 11:20 PM, Rosen Silva  wrote:

> Hi All,
>
> I'm implementing a feature for IS 5.5.0 to force users to add answers to
> challenge questions.
> This feature is implemented using a PostAuthenticationHandler.
>
> The logic executes in the following order:
> * Check from the post authenticator whether the user has already added the
> answers
> * If not, redirect the user to a webpage (JSP file) to get the answers to the
> challenge questions
> * Check whether the user has added the challenge question answers
> * Let the user log in to the SP if the user has filled in the answers to the
> challenge questions
>
>
> Clarifications on implementing the JSP page for retrieving and updating
> answers to challenge questions:
>
> AFAIK we can't use the admin service to retrieve and update security
> questions since we don't have the cookie while in the post-authentication
> flow.
> One possibility is to send the challenge questions to the webpage with the
> HTTP servlet request and get the answers back to the post-authentication
> handler through the servlet response, and then add the answers to the
> challenge questions.
>
> Your input is appreciated.
>
> Thanks and regards,
> --
>
> *Rosen Silva*
> Software Engineer - WSO2
>
> Email: ros...@wso2.com
> Mobile: +94770677418
> Web: https://wso2.com/
>



-- 
Indunil Upeksha Rathnayake
Senior Software Engineer | WSO2 Inc
Email: indu...@wso2.com
Mobile: 0772182255
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [RRT] Forcing the challenge question for Identity Server

2018-05-30 Thread Dimuthu Leelarathne
Hi,

In the original design we are calling OSGi services from a class on the BE
server. The flow is to retrieve the questions from the OSGi service and send them
to the FE. I would prefer this method over calling admin services because
that would mean the JSP application needs to store admin credentials in a config
file, leading to even more concerns.

thanks,
Dimuthu


On Wed, May 30, 2018 at 2:15 PM, Rosen Silva  wrote:

> Hi,
>
> @Farasath: We can call the related OSGi services and get the challenge
> questions.
>
> It is also possible to authenticate to the admin service without a cookie by
> using the following authenticate method used in
> UserIdentityManagementAdminServiceClient [1], [2].
>
> public UserIdentityManagementAdminServiceClient() throws AxisFault {
>     // serviceURL is a field of the client class (see [1])
>     stub = new UserIdentityManagementAdminServiceStub(serviceURL);
>     ServiceClient client = stub._getServiceClient();
>     IdentityManagementServiceUtil.getInstance().authenticate(client);
> }
>
> public void authenticate(ServiceClient client) {
>     Options option = client.getOptions();
>     // HTTP Basic credentials; accessUsername / accessPassword are fields of
>     // IdentityManagementServiceUtil, loaded from the endpoint configuration (see [2])
>     HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
>     auth.setUsername(accessUsername);
>     auth.setPassword(accessPassword);
>     // send the credentials on the first request instead of waiting for a 401
>     auth.setPreemptiveAuthentication(true);
>     option.setProperty(org.apache.axis2.transport.http.HTTPConstants.AUTHENTICATE, auth);
>     option.setManageSession(true);
> }
>
> Is it a good idea to use a similar authentication method to the one above in
> UserIdentityManagementAdminServiceClient to retrieve the challenge questions?
>
>
> [1] https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt.endpoint/src/main/java/org/wso2/carbon/identity/mgt/endpoint/serviceclient/UserIdentityManagementAdminServiceClient.java
> [2] https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt.endpoint/src/main/java/org/wso2/carbon/identity/mgt/endpoint/IdentityManagementServiceUtil.java
>
> Thanks and regards,
>
> On Wed, May 30, 2018 at 5:23 AM Farasath Ahamed 
> wrote:
>
>>
>>
>> On Tuesday, May 29, 2018, Rosen Silva  wrote:
>>
>>> Hi All,
>>>
>>> I'm implementing a feature for IS 5.5.0 to force users to add answers to
>>> challenge questions.
>>> This feature is implemented using a PostAuthenticationHandler.
>>>
>>> The logic executes in the following order:
>>> * Check from the post authenticator whether the user has already added the
>>> answers
>>> * If not, redirect the user to a webpage (JSP file) to get the answers to
>>> the challenge questions
>>> * Check whether the user has added the challenge question answers
>>> * Let the user log in to the SP if the user has filled in the answers to the
>>> challenge questions
>>>
>>>
>>> Clarifications on implementing the JSP page for retrieving and
>>> updating answers to challenge questions:
>>>
>>> AFAIK we can't use the admin service to retrieve and update security
>>> questions since we don't have the cookie while in the post-authentication
>>> flow.
>>> One possibility is to send the challenge questions to the webpage with
>>> the HTTP servlet request and get the answers back to the post-authentication
>>> handler through the servlet response, and then add the answers to the
>>> challenge questions.
>>>
>> Can you explain how we plan to retrieve the available challenge questions
>> of the tenant in this approach?
>>
>>>
>>> Your input is appreciated.
>>>
>>> Thanks and regards,
>>> --
>>>
>>> *Rosen Silva*
>>> Software Engineer - WSO2
>>>
>>> Email: ros...@wso2.com
>>> Mobile: +94770677418
>>> Web: https://wso2.com/
>>>
>>
>>
>> --
>> Farasath Ahamed
>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 
>> 
>>
>>
>>
>>
>>
>
> --
>
> *Rosen Silva*
> Software Engineer - WSO2
>
> Email: ros...@wso2.com
> Mobile: +94770677418
> Web: https://wso2.com/
>



-- 
Dimuthu Leelarathne
Director, Rapid Response Team

WSO2, Inc. (http://wso2.com)
email: dimut...@wso2.com
Mobile: +94773661935
Blog: http://muthulee.blogspot.com

Lean . Enterprise . Middleware
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
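As an added example (not code from the thread or from the WSO2 project), here is what Indunil's suggestion and Dimuthu's preference look like together: a PostAuthenticationHandler that reads the authenticated user and tenant domain from the context, asks the ChallengeQuestionManager OSGi service in-process which questions are unanswered, redirects to a JSP keyed only by the context's sessionDataKey, and on the way back accepts answers only for the question sets it served. No admin service is called and no admin credentials live in a config file. The framework and recovery method names (handle signature, PostAuthnHandlerFlowStatus values, getChallengeQuestionUris, getAllChallengeQuestions, setChallengesOfUser, the exception constructor) are as recalled from the ChallengeQuestionManager and ConsentMgtPostAuthnHandler classes linked in Indunil's reply and should be checked against those sources; the context property names, form field names, JSP path and the minimum-answers policy are this example's own assumptions.

```java
// Added example, not WSO2 project code. WSO2 API names are recalled from the
// linked sources and must be verified; everything marked "assumed" is invented here.
import java.io.IOException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.AbstractPostAuthnHandler;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.PostAuthnHandlerFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.recovery.ChallengeQuestionManager;
import org.wso2.carbon.identity.recovery.IdentityRecoveryException;
import org.wso2.carbon.identity.recovery.model.ChallengeQuestion;
import org.wso2.carbon.identity.recovery.model.UserChallengeAnswer;

public class ForceChallengeQuestionsPostAuthnHandler extends AbstractPostAuthnHandler {

    // Assumed names: context keys, JSP path and policy are this example's choices.
    private static final String CTX_SERVED_SETS = "forceCQ.servedQuestionSets";
    private static final String CTX_AWAITING_ANSWERS = "forceCQ.awaitingAnswers";
    private static final String CHALLENGE_PAGE = "/authenticationendpoint/challenge-questions.do";
    private static final int MIN_ANSWERS = 2;

    @Override
    public PostAuthnHandlerFlowStatus handle(HttpServletRequest request, HttpServletResponse response,
            AuthenticationContext context) throws PostAuthenticationFailedException {
        AuthenticatedUser user = context.getSequenceConfig().getAuthenticatedUser();
        if (user == null) {
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED; // nothing to enforce
        }
        ChallengeQuestionManager manager = ChallengeQuestionManager.getInstance();
        try {
            if (Boolean.TRUE.equals(context.getProperty(CTX_AWAITING_ANSWERS))) {
                return storeAnswers(request, context, user, manager); // second pass: JSP posted back
            }
            // First pass: question sets the user has already answered, read in-process.
            if (manager.getChallengeQuestionUris(user).size() >= MIN_ANSWERS) {
                return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
            }
            return redirectToChallengePage(response, context, manager);
        } catch (IdentityRecoveryException | IOException e) {
            throw new PostAuthenticationFailedException("CQ-0001", "Challenge question enrolment failed", e);
        }
    }

    private PostAuthnHandlerFlowStatus redirectToChallengePage(HttpServletResponse response,
            AuthenticationContext context, ChallengeQuestionManager manager)
            throws IdentityRecoveryException, IOException {
        Set<String> servedSets = new HashSet<>();
        for (ChallengeQuestion q : manager.getAllChallengeQuestions(context.getTenantDomain())) {
            servedSets.add(q.getQuestionSetId());
        }
        // Bind the served sets to this login context so the client cannot answer sets it was not shown.
        context.setProperty(CTX_SERVED_SETS, servedSets);
        context.setProperty(CTX_AWAITING_ANSWERS, Boolean.TRUE);
        // The JSP fetches the questions by sessionDataKey; no credentials or question text in the URL.
        response.sendRedirect(CHALLENGE_PAGE + "?sessionDataKey="
                + URLEncoder.encode(context.getContextIdentifier(), "UTF-8"));
        return PostAuthnHandlerFlowStatus.INCOMPLETE;
    }

    @SuppressWarnings("unchecked")
    private PostAuthnHandlerFlowStatus storeAnswers(HttpServletRequest request, AuthenticationContext context,
            AuthenticatedUser user, ChallengeQuestionManager manager) throws IdentityRecoveryException {
        context.setProperty(CTX_AWAITING_ANSWERS, Boolean.FALSE);
        Set<String> servedSets = (Set<String>) context.getProperty(CTX_SERVED_SETS);
        if (servedSets == null) {
            return PostAuthnHandlerFlowStatus.UNSUCCESS_COMPLETED; // answers arrived without a served page
        }
        Map<String, ChallengeQuestion> byId = new HashMap<>();
        for (ChallengeQuestion q : manager.getAllChallengeQuestions(context.getTenantDomain())) {
            byId.put(q.getQuestionSetId() + "|" + q.getQuestionId(), q);
        }
        List<UserChallengeAnswer> answers = new ArrayList<>();
        for (String setId : servedSets) {
            // Assumed form fields: question.<setId> = chosen question id, answer.<setId> = the answer.
            ChallengeQuestion chosen = byId.get(setId + "|" + request.getParameter("question." + setId));
            String answer = request.getParameter("answer." + setId);
            if (chosen != null && answer != null && !answer.trim().isEmpty()) {
                answers.add(new UserChallengeAnswer(chosen, answer.trim()));
            }
        }
        if (answers.size() < MIN_ANSWERS) {
            return PostAuthnHandlerFlowStatus.UNSUCCESS_COMPLETED; // policy not met: no SP login
        }
        // Storage (and hashing) of answers stays with the recovery component, not this handler.
        manager.setChallengesOfUser(user, answers.toArray(new UserChallengeAnswer[0]));
        return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
    }

    @Override
    public String getName() { return "ForceChallengeQuestionsPostAuthnHandler"; }

    @Override
    public int getPriority() { return 50; } // arbitrary for the example
}
```

The two design points a reviewer would check are in the second pass: the handler trusts the context (which the framework keeps server-side under the sessionDataKey) for which question sets were offered, and it trusts the request only for the user's choice and answer text, so a crafted POST cannot enrol answers for sets the tenant never served or bypass the minimum-answers check. Returning UNSUCCESS_COMPLETED rather than SUCCESS_COMPLETED on a short or malformed submission is what makes the feature "forcing" rather than advisory.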


Re: [Architecture] [RRT] Forcing the challenge question for Identity Server

2018-05-29 Thread Farasath Ahamed
On Tuesday, May 29, 2018, Rosen Silva  wrote:

> Hi All,
>
> I'm implementing a feature for IS 5.5.0 to force users to add answers to
> challenge questions.
> This feature is implemented using a PostAuthenticationHandler.
>
> The logic executes in the following order:
> * Check from the post authenticator whether the user has already added the
> answers
> * If not, redirect the user to a webpage (JSP file) to get the answers to the
> challenge questions
> * Check whether the user has added the challenge question answers
> * Let the user log in to the SP if the user has filled in the answers to the
> challenge questions
>
>
> Clarifications on implementing the JSP page for retrieving and updating
> answers to challenge questions:
>
> AFAIK we can't use the admin service to retrieve and update security
> questions since we don't have the cookie while in the post-authentication
> flow.
> One possibility is to send the challenge questions to the webpage with the
> HTTP servlet request and get the answers back to the post-authentication
> handler through the servlet response, and then add the answers to the
> challenge questions.
>
Can you explain how we plan to retrieve the available challenge questions
of the tenant in this approach?

>
> Your input is appreciated.
>
> Thanks and regards,
> --
>
> *Rosen Silva*
> Software Engineer - WSO2
>
> Email: ros...@wso2.com
> Mobile: +94770677418
> Web: https://wso2.com/
>


-- 
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture