Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding authenticator enrollment and verification to authentication client #695

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Adding authenticator enrollment and verification to authentication client #695

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
39ef913
Adding authenticator enrollment and verification to authentication cl…
Dec 28, 2023
841b2b2
requested changes from PR
Jan 11, 2024
9e9011c
Merge branch 'master' into mfa
czf Jan 11, 2024
0a09a7c
Apply suggestions from code review
czf Jan 16, 2024
8e3d9db
Missed cleanup
Apr 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions src/Auth0.AuthenticationApi/AuthenticationApiClient.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
using System;
using System.Collections.Generic;
using System.Dynamic;
using System.Linq;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
Expand Down Expand Up @@ -350,7 +351,30 @@ await AssertIdTokenValidIfExisting(response.IdToken, request.ClientId, request.S
}

/// <inheritdoc/>
public async Task<MfaOobTokenResponse> GetTokenAsync(MfaOobTokenRequest request, CancellationToken cancellationToken = default)
{
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}

var body = new Dictionary<string, string>()
{
{ "grant_type", "http://auth0.com/oauth/grant-type/mfa-oob" },
{ "client_id", request.ClientId },
{ "client_secret", request.ClientSecret },
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is added through ApplyClientAuthentication

Suggested change
{ "client_secret", request.ClientSecret },

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

made change

{ "mfa_token", request.MfaToken},
{ "oob_code", request.OobCode},
{ "binding_code", request.BindingCode}
};
czf marked this conversation as resolved.
Show resolved Hide resolved
return await connection.SendAsync<MfaOobTokenResponse>(
HttpMethod.Post,
tokenUri,
body,
cancellationToken: cancellationToken);
}

/// <inheritdoc/>
public Task RevokeRefreshTokenAsync(RevokeRefreshTokenRequest request, CancellationToken cancellationToken = default)
{
if (request == null)
Expand Down Expand Up @@ -494,6 +518,22 @@ public Task<PushedAuthorizationRequestResponse> PushedAuthorizationRequestAsync(
cancellationToken: cancellationToken
);
}

/// <inheritdoc/>
public Task<AssociateNewAuthenticatorResponse> AssociateNewAuthenticatorAsync(AssociateMfaAuthenticatorRequest request, CancellationToken cancellationToken = default)
czf marked this conversation as resolved.
Show resolved Hide resolved
{
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}

return connection.SendAsync<AssociateNewAuthenticatorResponse>(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return connection.SendAsync<AssociateNewAuthenticatorResponse>(
return connection.SendAsync<AssociateMfaAuthenticatorResponse>(

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

made change

HttpMethod.Post,
BuildUri("mfa/associate"),
request,
BuildHeaders(request.Token),
cancellationToken);
}

/// <summary>
/// Disposes of any owned disposable resources such as a <see cref="IAuthenticationConnection"/>.
Expand Down
23 changes: 23 additions & 0 deletions src/Auth0.AuthenticationApi/IAuthenticationApiClient.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,15 @@ public interface IAuthenticationApiClient : IDisposable
/// </remarks>
Task<AccessTokenResponse> GetTokenAsync(DeviceCodeTokenRequest request, CancellationToken cancellationToken = default);

/// <summary>
/// Requests an Access Token using Oob MFA verification.
/// </summary>
/// <param name="request"><see cref="MfaOobTokenRequest"/> containing request details to verify oob.</param>
/// <param name="cancellationToken">The cancellation token to cancel operation.</param>
/// <returns><see cref="Task"/> representing the async operation containing
/// a <see cref="MfaOobTokenResponse" /> with the requested tokens.</returns>
Task<MfaOobTokenResponse> GetTokenAsync(MfaOobTokenRequest request, CancellationToken cancellationToken = default);

/// <summary>
/// Revokes refresh token provided in request.
/// </summary>
Expand Down Expand Up @@ -180,5 +189,19 @@ public interface IAuthenticationApiClient : IDisposable
/// a <see cref="PushedAuthorizationRequestResponse" /> with the details of the response.</returns>
Task<PushedAuthorizationRequestResponse> PushedAuthorizationRequestAsync(PushedAuthorizationRequest request,
CancellationToken cancellationToken = default);

/// <summary>
/// Sends a Mfa enrollment request
/// </summary>
/// <param name="request"><see cref="AssociateMfaAuthenticatorRequest"/>containing information to enroll a new Authenticator.</param>
/// <param name="cancellationToken">The cancellation token to cancel operation.</param>
/// <returns><see cref="Task"/> representing the async operation containing
/// a <see cref="AssociateNewAuthenticatorResponse" /> with the details of the response.</returns>
/// <returns></returns>
Task<AssociateNewAuthenticatorResponse> AssociateNewAuthenticatorAsync(
AssociateMfaAuthenticatorRequest request,
CancellationToken cancellationToken = default);
czf marked this conversation as resolved.
Show resolved Hide resolved


}
}
52 changes: 52 additions & 0 deletions src/Auth0.AuthenticationApi/Models/AssociateMfaAuthenticatorRequest.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
using System.Collections.Generic;
using System.Linq;
using Newtonsoft.Json;

namespace Auth0.AuthenticationApi.Models
{
public class AssociateMfaAuthenticatorRequest
{
[JsonIgnore]
public string Token { get; set; }

/// <summary>Your application's Client ID.</summary>
[JsonProperty("client_id", Required = Required.Always)]
czf marked this conversation as resolved.
Show resolved Hide resolved
public string ClientId { get; set; }

/// <summary>
/// A JWT containing a signed assertion with your application credentials. Required when Private Key JWT is your application authentication
/// method.
/// </summary>
[JsonProperty("client_assertion")]
public string ClientAssertion { get; set; }

/// <summary>
/// Your application's Client Secret. Required when the Token Endpoint Authentication Method field in your Application Settings is Post or
/// Basic.
/// </summary>
[JsonProperty("client_secret")]
public string ClientSecret { get; set; }

/// <summary>
/// The value is urn:ietf:params:oauth:client-assertion-type:jwt-bearer. Required when Private Key JWT is the application authentication
/// method.
/// </summary>
[JsonProperty("client_assertion_type")]
public string ClientAssertionType { get; set; }

/// <summary>The type of authenticators supported by the client. Value is an array with values "otp" or "oob".</summary>
[JsonProperty("authenticator_types", Required = Required.Always)]
czf marked this conversation as resolved.
Show resolved Hide resolved
public List<string> AuthenticatorTypes { get; set; }

/// <summary>
/// The type of OOB channels supported by the client. An array with values "auth0", "sms", "voice". Required if authenticator_types include
/// oob.
/// </summary>
[JsonProperty("oob_channels")]
public List<string> OobChannels { get; set; }

/// <summary>The phone number to use for SMS or Voice. Required if oob_channels includes sms or voice.</summary>
[JsonProperty("phone_number")]
public string PhoneNumber { get; set; }
}
}
29 changes: 29 additions & 0 deletions src/Auth0.AuthenticationApi/Models/AssociateNewAuthenticatorResponse.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
using System.Collections.Generic;
using Newtonsoft.Json;

namespace Auth0.AuthenticationApi.Models
{
public class AssociateNewAuthenticatorResponse
czf marked this conversation as resolved.
Show resolved Hide resolved
{
[JsonProperty("oob_code")]
public string OobCode { get; set; }

[JsonProperty("binding_method")]
public string BindingMethod { get; set; }

[JsonProperty("secret")]
public string Secret { get; set; }

[JsonProperty("barcode_uri")]
public string BarcodeUri { get; set; }

[JsonProperty("authenticator_type")]
public string AuthenticatorType { get; set; }

[JsonProperty("oob_channel")]
public string OobChannel { get; set; }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not as mentioned in the docs, as the docs mention oob_channels for the response. I think the code is correct, but the docs is not. I will need to verify this with the corresponding team.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah I ran into it when first trying to test with postman.


[JsonProperty("recovery_codes")]
public List<string> RecoveryCodes { get; set; }
}
}
32 changes: 32 additions & 0 deletions src/Auth0.AuthenticationApi/Models/MfaOobTokenRequest.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
namespace Auth0.AuthenticationApi.Models
{
public class MfaOobTokenRequest
czf marked this conversation as resolved.
Show resolved Hide resolved
{
/// <summary>
/// Your application's Client ID.
/// </summary>
public string ClientId { get; set; }

/// <summary>
/// Your application's Client Secret.
/// Required when the Token Endpoint Authentication Method field at your Application Settings is Post or Basic.
/// </summary>
public string ClientSecret { get; set; }
czf marked this conversation as resolved.
Show resolved Hide resolved

/// <summary>
/// The mfa_token you received from mfa_required error or access token with enroll scope and audience: https://{yourDomain}/mfa/
/// </summary>
public string MfaToken { get; set; }

/// <summary>
/// The oob code received from the challenge request.
/// </summary>
public string OobCode { get; set; }

/// <summary>
/// A code used to bind the side channel (used to deliver the challenge) with the main channel you are using to authenticate.
/// This is usually an OTP-like code delivered as part of the challenge message.
/// </summary>
public string BindingCode { get; set; }
}
}
19 changes: 19 additions & 0 deletions src/Auth0.AuthenticationApi/Models/MfaOobTokenResponse.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
using Newtonsoft.Json;

namespace Auth0.AuthenticationApi.Models
{
public class MfaOobTokenResponse : TokenBase
{
/// <summary>
/// The value of the different scopes issued in the token
/// </summary>
[JsonProperty("scope")]
public string Scope { get; set; }

/// <summary>
/// The lifetime (in seconds) of the token
/// </summary>
[JsonProperty("expires_in")]
public int ExpiresIn { get; set; }
}
}
60 changes: 60 additions & 0 deletions tests/Auth0.AuthenticationApi.IntegrationTests/MfaTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
using System.Collections.Generic;
using System.Threading.Tasks;
using Auth0.AuthenticationApi.Models;
using Auth0.Tests.Shared;
using FluentAssertions;
using Xunit;

namespace Auth0.AuthenticationApi.IntegrationTests
{
public class MfaTests : TestBase
{
private readonly AuthenticationApiClient _authenticationApiClient;

public MfaTests()
{
_authenticationApiClient = new AuthenticationApiClient(GetVariable("AUTH0_AUTHENTICATION_API_URL"));
}

[Fact(Skip = "Run manually")]
public async Task Should_Receive_Associate_Response_For_Sms_Mfa_Enrollment()
{
var request =
new AssociateMfaAuthenticatorRequest()
{
Token = TestBaseUtils.GetVariable("AUTH0_AUTHENTICATOR_ENROLL_TOKEN"),
ClientId = TestBaseUtils.GetVariable("AUTH0_CLIENT_ID"),
ClientSecret = TestBaseUtils.GetVariable("AUTH0_CLIENT_SECRET"),
AuthenticatorTypes = new List<string>() { "oob" },
OobChannels = new List<string>() { "sms" },
PhoneNumber = TestBaseUtils.GetVariable("MFA_PHONE_NUMBER")
};
var response = await _authenticationApiClient.AssociateNewAuthenticatorAsync(request);
response.Should().NotBeNull();
response.AuthenticatorType.Should().Be("oob");
response.BindingMethod.Should().Be("prompt");
response.OobChannel.Should().Be("sms");

response.OobCode.Should().NotBeNullOrEmpty().And.StartWith("Fe26.");
}

[Fact(Skip = "Run manually")]
public async Task Should_Receive_MfaOobTokenResponse_For_Oob_Mfa_Verification()
{
var request = new MfaOobTokenRequest()
{
ClientId = TestBaseUtils.GetVariable("AUTH0_CLIENT_ID"),
ClientSecret = TestBaseUtils.GetVariable("AUTH0_CLIENT_SECRET"),
MfaToken = TestBaseUtils.GetVariable("MFA_TOKEN"),
OobCode = TestBaseUtils.GetVariable("MFA_OOB_CODE"),
BindingCode = TestBaseUtils.GetVariable("MFA_BINDING_CODE")
};

var response = await _authenticationApiClient.GetTokenAsync(request);
response.Should().NotBeNull();
response.AccessToken.Should().StartWith("ey");
response.ExpiresIn.Should().BeGreaterThan(0);
response.TokenType.Should().Be("Bearer");
}
}
}