Enable MFA support for OIDC conformant clients #451
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
"It's based on a still not released library, so tests will fail 💃" ? This old I presume as your tests all pass. |
|
Also noticed no CodeCov in this repo? |
cocojoe
reviewed
Jul 19, 2018
| @@ -169,6 +170,38 @@ public void shouldCallLegacyDatabaseLoginWithVerificationCode() throws Exception | |||
| assertThat(reqParams, hasEntry("mfa_code", "123456")); | |||
| } | |||
|
|
|||
| @Test | |||
| public void shouldCallOIDCDatabaseLoginWithOTPCodeAndMFAToken() throws Exception { | |||
There was a problem hiding this comment.
Just one test? What about Login with OTP but no token etc?
There was a problem hiding this comment.
Those cases are already tested on the auth0.android SDK. There's no scenario where OTP is defined but the Token is not. If you're looking for the "legacy mfa" behavior check the test right above this one. https://github.com/auth0/Lock.Android/pull/451/files#diff-d3f9a8a9ba90477d9b0ffd039c4faf4cR152
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
OIDC conformant clients were not able to authenticate after an mfa challenge was requested. This PR adds support for them. I also enhanced the errors that we display in the widget.
For legacy mode:
For OIDC mode:
This might change once theUsers will see a "THE USER HAS NOT ENROLLED MULTIFACTOR AUTHENTICATION" message.association_requirederror is introduced to the API.mfa_tokenlasts 10 minutes. If it expires, the user needs to retry the authentication from the beginning. So an expired MFA token will take the user back to the "username / password" form and display a "THE CODE IS INVALID OR HAS EXPIRED" message.General notes about this PR:
- It's based on a still not released library, so tests will fail 💃-> auth0/Auth0.Android#146/rosending again theemail/username,passwordandmfa_code(the OTP) values./oauth/tokenfirst with the password grant, which will fail due to "mfa_required" and will include anmfa_tokenvalue. A second call is required on/oauth/tokenthis time with mfa-otp grant and the previousmfa_tokenvalue along with theotpcode given by the user obtained from the 2FA/MFA app.