Email Authentication

Purpose

Supports registration that uses email as a second factor: a registration code is sent to the user's email address and must be verified before the account is activated.

It also supports password reset by generating and sending a password reset email containing a new code. When the user then enters this code, he can choose a new password and continue with that, having confirmed access to his email address.

Features

  • Registration / reset code generation
  • OTP generation, sending and validation
  • Code verification
  • Password change
  • New user registration
  • Sending emails

Overview

The Email Authentication plugin has the classname dk.itp.portalprotect.useradmin.server.EmailUAAuthenticationPlugin. It uses the Ceptor User Administration Server as its user identity store, so it works with users stored there, e.g. API Management developers.

Configuration

The following configuration properties exist (property, value, description):

  • useradminservers
    Value: <url> (default: localhost:15000)
    URL to the useradmin server
  • ua_userid
    Value: <userid>
    Userid to use when authenticating to the useradmin server
  • ua_password
    Value: <password>
    Password to use when authenticating to the useradmin server
  • useridpassword.autounlockminutes
    Value: <value in minutes> (default: 0)
    If nonzero, and the user was automatically locked due to too many failed password attempts, he is automatically unlocked after the specified number of minutes.
  • useridpassword.maximuminvalidpasswordattempts
    Value: <number> (default: 0)
    If nonzero, and the number of invalid login attempts reaches this limit, the user is automatically locked.
  • registrationmail.smtp.host
    Value: <hostname>
    Hostname of the SMTP server
  • registrationmail.smtp.port
    Value: <number> (default: 25)
    Port number of the SMTP server
  • registrationmail.smtp.protocol
    Value: <protocol> (default: smtps)
    Protocol to use when connecting to the SMTP server
  • registrationmail.smtp.user
    Value: <userid>
    Userid to authenticate to the SMTP server - can optionally be encrypted/obfuscated, see Encrypting or Obfuscating Passwords
  • registrationmail.smtp.password
    Value: <password>
    Password to use when authenticating with the SMTP server - can optionally be encrypted/obfuscated, see Encrypting or Obfuscating Passwords
  • registrationmail.from
    Value: <email address>
    Email address that the messages are sent from
  • registrationmail.mimetype
    Value: <mimetype>
    Mimetype to send emails with - should be text/plain or text/html
  • registrationmail.replyto
    Value: <email address>
    Reply-to email address
  • registrationmail.subject
    Value: <string>
    Subject of the registration email
  • registrationmail.message
    Value: <string>
    Registration email message
  • registrationmail.reset.subject
    Value: <string>
    Subject of the password reset email
  • registrationmail.reset.message
    Value: <string>
    Password reset email message
  • registrationmail.otp.subject
    Value: <string>
    Subject of the OTP email
  • registrationmail.otp.message
    Value: <string>
    OTP email message

Dynamic Email Message Content

Both the registration email and the password reset email can contain the following strings, which are replaced with the dynamic information before the email is transmitted:

  • {username}
    Replaced with the user's name
  • {userid}
    Replaced with the userid
  • {code}
    Replaced with the generated registration code
  • \n
    Replaced with linefeed
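The substitution above is simple enough to get subtly wrong: if the four placeholders are replaced one after another with String.replace, a value inserted by an earlier replacement (the user's name, for instance, which the user chose himself) is scanned again by the later ones. The following added example, which is not code from the plugin, renders a message template in a single pass so that substituted values are never re-interpreted. The class and method names are my own; the placeholder names and the literal "\n" are the ones documented on this page.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class RegistrationMailTemplate {

    // One pattern for all four placeholders. The last alternative is the literal
    // two-character sequence backslash + n, which the plugin turns into a linefeed.
    private static final Pattern PLACEHOLDER =
        Pattern.compile("\\{(username|userid|code)\\}|\\\\n");

    private RegistrationMailTemplate() {}

    /** Renders a registrationmail.message / registrationmail.reset.message template. */
    public static String render(String template, String username, String userid, String code) {
        Map<String, String> values = new HashMap<>();
        values.put("username", username);
        values.put("userid", userid);
        values.put("code", code);

        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            // group(1) is set for {username}/{userid}/{code}; null means the match was "\n"
            String replacement = (m.group(1) != null) ? values.get(m.group(1)) : "\n";
            // quoteReplacement keeps '$' and '\' inside user data from being treated
            // as back-references by appendReplacement
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample template, written the way it would appear in the property file
        String message = "Hello {username},\\nYour registration code for {userid} is {code}\\n";
        // A username that itself contains a placeholder stays literal, because the
        // inserted text is never scanned again.
        System.out.println(render(message, "{code} User", "userid@example.com", "483920"));
    }
}
```

Running main prints three lines: the greeting with the literal text "{code} User", the line with the userid and the code 483920, and a trailing linefeed. Because the template is matched once from left to right, the placeholder inside the user's name is copied verbatim rather than expanded.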

Using the Email Authentication Plugin

Creating New User

To create a new user from an Agent, call:

CreateUserCredentials creds = new CreateUserCredentials();

// Fill in any details we want in the new user record
creds.userid = "userid@example.com";
creds.email = "userid@example.com";
creds.password = "somePassword";
creds.firstname = "Sample";
creds.lastname = "User";   // the original assigned firstname twice; "lastname" is the assumed name of the surname field
creds.company = "example.com";

// Create the user, generate a registration code and email it to the user
Agent.getInstance().executeAuthpluginCommand( getSessionId(), AuthTypes.AUTHTYPE_EMAIL, "adduser", creds );

This will create the new user in the database, generate a registration code and send it to him.

For compatibility reasons, it is also possible to call it with a string array instead of a CreateUserCredentials object, as in the example below; in that case you are limited to specifying userid, email and username.

Agent.getInstance().executeAuthpluginCommand( getSessionId(), AuthTypes.AUTHTYPE_EMAIL, "adduser", new String[] {"userid", "userid@example.com", "Sample User"});

This will create a new user and a userid/password challenge (login method ID 1) holding the password, with the status set to inactive.

It will also generate a new challenge code and store it in a separate challenge (login method ID 11) for the same user; the code is stored as a BCrypt hash.

After creation, an email with the registration code is sent. If sending the email fails for any reason, the created user and challenges are deleted again and an error is returned.

Login / Verify Code

Simply do a regular login to authenticate the user:

Agent.getInstance().login( getSessionId(), AuthTypes.AUTHTYPE_EMAIL, userid, registration_code);

If the call completes without errors, the code was correct.

Converting Authenticated User to Regular User

After authenticating, you can ask the plugin to convert the user to a regular user. This removes the registration code challenge and activates the userid/password challenge again.

Do the following:

Agent.getInstance().executeAuthpluginCommand( getSessionId(), AuthTypes.AUTHTYPE_EMAIL, "converttouidpw", new String[] {encryptedPassword});

Note that this requires that the user has previously authenticated with the correct userid/registration code in this session. If the supplied password is not null or empty, it is set on the userid/password challenge.

Send Reset Password Email

To send a new password reset email, call:

Agent.getInstance().executeAuthpluginCommand( getSessionId(), AuthTypes.AUTHTYPE_EMAIL, "resetpw", new String[] {userid});

This will look up the user record, find the registered email address and send a new password reset email to that address.

A new registration/reset code challenge is also created, and the code is saved within it; when the user later authenticates with the code, his new password can be set.

Change Password

To change the password after authenticating using this plugin, call:

Agent.getInstance().changePassword( getSessionId(), "oldpassword", "newpassword" );

If the old password is empty, the plugin does not validate it and simply stores the new password; otherwise the call fails unless the supplied old password is correct.

After changing the password, it deletes any registration/reset code challenge sent earlier.
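The registration steps (adduser, login with the code, converttouidpw) and the reset steps (resetpw, login with the code, changePassword) are each one procedure spread over several calls, and the order matters: the code login must succeed in the same session before the conversion or the password change is attempted. The following added example, which is not part of the plugin or this page, collects both procedures into one class using only the Agent calls shown above. It assumes the session id is a String, that Agent, AuthTypes and CreateUserCredentials come from the Ceptor agent library (their package names are not given on this page, so no imports are shown), and that a failed call surfaces as an exception, which is how this page describes success: "if the call completes without errors, the code was correct".

```java
// Assumed: Agent, AuthTypes and CreateUserCredentials are imported from the Ceptor agent library.
public final class EmailRegistrationFlows {

    private EmailRegistrationFlows() {}

    /** Registration, step 1: create the user and have the registration code mailed. */
    public static void registerUser(String sessionId, String userid, String email,
                                    String password, String firstname, String company) throws Exception {
        CreateUserCredentials creds = new CreateUserCredentials();
        creds.userid = userid;
        creds.email = email;
        creds.password = password;
        creds.firstname = firstname;
        creds.company = company;
        // Creates the inactive userid/password challenge (login method 1) and the
        // BCrypt-hashed registration code challenge (login method 11), then sends the
        // email. If the email cannot be sent, the plugin deletes the user again and
        // the call fails, so nothing half-created is left behind.
        Agent.getInstance().executeAuthpluginCommand(sessionId, AuthTypes.AUTHTYPE_EMAIL, "adduser", creds);
    }

    /** Registration, step 2: the user returns with the code from the email. Verify
     *  it, then switch the account to ordinary userid/password login. An empty
     *  newPassword keeps the password given at registration. */
    public static void completeRegistration(String sessionId, String userid,
                                            String registrationCode, String newPassword) throws Exception {
        // Assumed to throw on a wrong code; the conversion below then never runs.
        Agent.getInstance().login(sessionId, AuthTypes.AUTHTYPE_EMAIL, userid, registrationCode);
        // Removes the registration code challenge and re-activates userid/password.
        Agent.getInstance().executeAuthpluginCommand(sessionId, AuthTypes.AUTHTYPE_EMAIL,
                                                     "converttouidpw", new String[] {newPassword});
    }

    /** Reset, step 1: mail a fresh reset code to the user's registered address. The
     *  userid is looked up server-side, so the caller never handles the address. */
    public static void requestPasswordReset(String sessionId, String userid) throws Exception {
        Agent.getInstance().executeAuthpluginCommand(sessionId, AuthTypes.AUTHTYPE_EMAIL,
                                                     "resetpw", new String[] {userid});
    }

    /** Reset, step 2: verify the reset code, then store the new password. The empty
     *  old password tells the plugin to skip old-password validation, which is only
     *  acceptable because the code login just proved control of the email address;
     *  the plugin deletes the reset code challenge once the password is changed. */
    public static void completePasswordReset(String sessionId, String userid,
                                             String resetCode, String newPassword) throws Exception {
        Agent.getInstance().login(sessionId, AuthTypes.AUTHTYPE_EMAIL, userid, resetCode);
        Agent.getInstance().changePassword(sessionId, "", newPassword);
    }
}
```

In both procedures the second method is written so that the state-changing call (converttouidpw, changePassword) is only reached if the code login returned normally; never call those two after catching and swallowing an exception from login, because the plugin's own check that the session authenticated with the code is what protects the account.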

Generate OTP email

To send a new One-Time-PIN email, call:

Agent.getInstance().newToken( getSessionId(), AuthTypes.AUTHTYPE_EMAIL, "emailotp");

This will look up the user record, find the registered email address and send a new one-time PIN email to that address.

Before calling this, log in with userid and password using the userid/password authentication plugin, AuthTypes.AUTHTYPE_USERADMINISTRATION. Before that login, set the state variable "require_otp" to "true": when it is set, the login is not completed but is left pending until a second factor has been used.

The OTP is stored in the session and is available for verification when logging in.

Verify OTP

To verify an OTP code previously sent via email:

Agent.getInstance().login( getSessionId(), AuthTypes.AUTHTYPE_EMAIL, userid, new String[] {otpcode});

This will verify the code against the one sent earlier.
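The OTP flow above spans three calls in a fixed order: first-factor login with "require_otp" set, newToken to generate and mail the PIN, and a second login against the email plugin with the PIN. The following added example, not taken from the plugin or this page, shows that order in one place with the same assumptions as before (String session id, Agent and AuthTypes from the Ceptor agent library with imports omitted, failures surfacing as exceptions). This page does not show the API call that sets a session state variable, so that step is marked by a comment rather than invented.

```java
// Assumed: Agent and AuthTypes are imported from the Ceptor agent library.
public final class EmailOtpFlow {

    private EmailOtpFlow() {}

    /** First factor plus PIN delivery. The caller must have set the session state
     *  variable "require_otp" to "true" before this method runs; the call that does
     *  so is not documented on this page, hence only the comment below. */
    public static void startLogin(String sessionId, String userid, String password) throws Exception {
        // (state variable "require_otp" = "true" must already be set on this session)
        // With require_otp set, this login is left pending instead of completing.
        Agent.getInstance().login(sessionId, AuthTypes.AUTHTYPE_USERADMINISTRATION, userid, password);
        // Generate the one-time PIN, store it in the session and mail it to the
        // address registered for the user; the caller never sees the PIN.
        Agent.getInstance().newToken(sessionId, AuthTypes.AUTHTYPE_EMAIL, "emailotp");
    }

    /** Second factor: the PIN the user read from the email. The String[] overload
     *  is the one this page shows for OTP verification. Assumed to throw when the
     *  PIN does not match the one stored in the session. */
    public static void finishLogin(String sessionId, String userid, String otpCode) throws Exception {
        Agent.getInstance().login(sessionId, AuthTypes.AUTHTYPE_EMAIL, userid, new String[] {otpCode});
    }
}
```

Keep the two methods in the same session: the pending first-factor login and the stored PIN both live in the session identified by sessionId, so a finishLogin with a different session id has nothing to verify against.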

User Administration Server Login Methods

The email authentication plugin uses the challenge with login method ID 11 (LoginMethods.LOGINMETHOD_EMAILREGCODE) to store the generated registration/reset code, and the challenge with login method ID 1 (LoginMethods.LOGINMETHOD_USERID_PASSWORD) to store updated passwords and the password of newly created users.


© Ceptor ApS. All Rights Reserved.