Passwordless | Sign in with passcodes #2942
Merged
coldlink force-pushed the mm/passcodes-signin-active branch from a0b09f2 to 499f078 (October 14, 2024 15:14)
coldlink force-pushed the mm/passcodes-signin-active branch 4 times, most recently from 25f7b0e to 3e7bd1b (October 16, 2024 09:11)
coldlink force-pushed the mm/passcodes-signin-active branch from 3e7bd1b to 3b2ba67 (October 16, 2024 10:09)
coldlink changed the base branch from main to mm/passcodes-signin-active-refactor-fixes (October 16, 2024 10:17)
coldlink force-pushed the mm/passcodes-signin-active branch from 3b2ba67 to b0a77db (October 16, 2024 10:34)
Base automatically changed from mm/passcodes-signin-active-refactor-fixes to main (October 16, 2024 14:03)
An error occurred while trying to automatically change base from mm/passcodes-signin-active-refactor-fixes to main (October 16, 2024 14:03)
coldlink force-pushed the mm/passcodes-signin-active branch 5 times, most recently from aa24e7c to 369152c (October 17, 2024 15:22)
coldlink force-pushed the mm/passcodes-signin-active branch from 369152c to c166bd9 (October 18, 2024 10:12)
- `usePasscodeSignIn` determines if the option to sign in with passcodes is available
- `signInCurrentView` tracks whether the `passcode` or `password` view of the sign in page was active at the point of user submission, so if the user navigates back to the sign in page, it would be on the view they last selected
coldlink force-pushed the mm/passcodes-signin-active branch from c166bd9 to a366a92 (October 22, 2024 10:52)
coldlink force-pushed the mm/passcodes-signin-active branch from a366a92 to a1638a5 (October 22, 2024 10:57)
coldlink added the passwordless label (PRs/Issues related to passwordless/passcode functionality) on Oct 23, 2024
akinsola-guardian approved these changes on Oct 23, 2024:
LGTM.
What does this change?

Following on from passcodes for registration and reset password, the next step is including an option to sign in via passcodes too.

This functionality has been added behind the `usePasscodeSignIn` query parameter flag, so we're able to test this behaviour in production, and implement any UI/UX improvements before we go fully live with it to all users.

User status behaviour

This PR implements this behaviour for all user statuses described below:

- ACTIVE - with `email` authenticator: `email` factor challenge email.
- ACTIVE - with only `password` authenticator: `email` factor verification email.
- ACTIVE: `email` factor challenge/verification email depending on which ACTIVE the user ended up in.

IDX API calls

The general IDX API flow for users to sign in via passcodes for users in the ACTIVE state is as follows:

- `POST /oauth2/<custom_auth_server>/v1/interact` endpoint
  - `/authorize` endpoint)
  - `profile` application to do this (this is the gateway one)
  - `interaction_handle`
- `POST /idp/idx/introspect` endpoint with the `interaction_handle` in the post body
  - `stateHandle` key, which identifies the current authentication request
  - `expiresAt` key here, which initially is set to 2 hours in the future
  - `stateHandle` in the body to get the current transaction state to see if it's valid
- `POST /idp/idx/identify` endpoint with the `email`, `rememberMe=true`, and `stateHandle` in the body
  - `/introspect` endpoint but with different things
  - `expiresAt` key has now changed to 5 mins
  - `remediation` key has everything in it relating to how to resolve the current request
  - `email` authenticator, then the user can be sent a passcode to sign in
  - `password` authenticator, then we have to set a placeholder password for the user, and send them an email verification code

At this point, depending on if the user has the `email` authenticator or not, the steps become different.

For users who have the `email` authenticator it's as follows.

- `POST /idp/idx/challenge` with `stateHandle`, `authenticator:methodType=email,id=email_authenticator_id`
  - `remediation` step now says we need to enter a passcode
  - `expiresAt` has updated to 30 minutes
- `POST /idp/idx/challenge/answer` with `stateHandle`, `credentials:passcode=<passcode>` in body
  - `remediation`
  - `/login/token/redirect?stateToken=${stateHandle.split('~')[0]}`
  - `idx` cookie
  - `stateToken` is the `stateHandle` everything before the first `~` character
  - `interact` call at the start and completes the interaction code flow, and eventually the user back to where they were going

For users who only have the `password` authenticator it's as follows.

- `dangerouslySetPlaceholderPassword` method to set a placeholder password for the user
- `POST /idp/idx/challenge` with `stateHandle`, `authenticator:methodType=password,id=password_authenticator_id`
  - `password` authenticator challenge
- `POST /idp/idx/challenge/answer` with `stateHandle`, `credentials:passcode=<password>` in body
- `POST /idp/idx/credential/enroll` with `stateHandle`, `authenticator:methodType=email,id=email_authenticator_id`
- `POST /idp/idx/challenge/answer` with `stateHandle`, `credentials:passcode=<passcode>` in body
  - `remediation`
  - `/login/token/redirect?stateToken=${stateHandle.split('~')[0]}`
  - `idx` cookie
  - `stateToken` is the `stateHandle` everything before the first `~` character
  - `interact` call at the start and completes the interaction code flow, and eventually the user back to where they were going

For users in a non-ACTIVE state, we use the `forceUserIntoActiveState` function, which first calls `deactivateUser` followed by `activateUser` to get an activation/recovery token. It then sets a placeholder password for the user using the `dangerouslySetPlaceholderPasswordUsingRecoveryToken` helper, which forces the user into the `ACTIVE` state. At this point the user will be in one of the above states, so we can call `oktaIdxApiSignInPasscodeController` to send the user an OTP to sign in.

Current UX

While we attempt to get support regarding improving our UX, the following behaviour is used in order to sign in with passcodes when the flag is used.

Tested

- `usePasscodeSignIn` flag
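The IDX call sequence described in the PR body above, as an added example that is not part of the PR or the gateway project's code: a small TypeScript model of the passcode sign-in with the HTTP transport injected, run against a constructed in-memory stand-in for Okta so it executes offline. Endpoint paths, request body keys, the `stateToken` derivation and the `expiresAt` windows (2 hours, then 5 minutes, then 30 minutes) follow the description; the response shapes (`interaction_handle`, `authenticators.value[].key`), the `identifier` body field, and the `setPlaceholderPassword`/`readPasscode` callbacks are assumptions made for this example, and `email_authenticator_id` is the placeholder id from the description.

```typescript
// Added example, not the gateway project's own code: a compact model of the IDX
// passcode sign-in sequence from the PR description, with the HTTP transport
// injected so it runs offline against a constructed in-memory stand-in for Okta.
// Endpoint paths, request bodies and expiry windows follow the description; the
// response shapes (`interaction_handle`, `authenticators.value[].key`) and the
// `identifier` body field are assumptions made for this example.

type Json = Record<string, any>;
export type Post = (path: string, body: Json) => Json;

// stateToken is everything in the stateHandle before the first '~' character.
export function stateTokenFromHandle(stateHandle: string): string {
  return stateHandle.split('~')[0];
}

export function findAuthenticator(idx: Json, key: string): Json | undefined {
  return (idx.authenticators?.value ?? []).find((a: Json) => a.key === key);
}

export interface SignInDeps {
  post: Post;
  readPasscode: () => string;            // the passcode the user typed from their email
  setPlaceholderPassword: () => string;  // stand-in for dangerouslySetPlaceholderPassword
}

export function signInWithPasscode(deps: SignInDeps, email: string): { stateToken: string; redirect: string } {
  const { post } = deps;
  const { interaction_handle } = post('/oauth2/<custom_auth_server>/v1/interact', {});
  const { stateHandle } = post('/idp/idx/introspect', { interactionHandle: interaction_handle });
  const identified = post('/idp/idx/identify', { identifier: email, rememberMe: true, stateHandle });

  const emailAuth = findAuthenticator(identified, 'email');
  if (emailAuth) {
    // email-authenticator branch: challenge the email factor, then answer with the passcode
    post('/idp/idx/challenge', { stateHandle, authenticator: { methodType: 'email', id: emailAuth.id } });
  } else {
    // password-only branch: placeholder password, password challenge, then enroll email
    const pwAuth = findAuthenticator(identified, 'password');
    if (!pwAuth) throw new Error('user has neither email nor password authenticator');
    const placeholder = deps.setPlaceholderPassword();
    post('/idp/idx/challenge', { stateHandle, authenticator: { methodType: 'password', id: pwAuth.id } });
    const pw = post('/idp/idx/challenge/answer', { stateHandle, credentials: { passcode: placeholder } });
    if (!pw.success) throw new Error('placeholder password rejected');
    // 'email_authenticator_id' is the placeholder id used in the PR description
    post('/idp/idx/credential/enroll', { stateHandle, authenticator: { methodType: 'email', id: 'email_authenticator_id' } });
  }
  const done = post('/idp/idx/challenge/answer', { stateHandle, credentials: { passcode: deps.readPasscode() } });
  if (!done.success) throw new Error('passcode rejected');
  const stateToken = stateTokenFromHandle(stateHandle);
  return { stateToken, redirect: `/login/token/redirect?stateToken=${stateToken}` };
}

// Constructed stand-in for the Okta IDX API: one transaction with a fixed stateHandle,
// the expiresAt window from the description (2h -> 5min -> 30min) and a record of
// which challenge is pending, so out-of-order or mismatched answers are rejected.
export function makeFakeOkta(user: { authenticators: string[]; passcode: string; password?: string }): Post {
  const MINUTE = 60_000;
  const handle = 'ab12CD34~constructed-rest-of-handle'; // constructed stateHandle
  let expiresAt = 0;
  let pending: 'email' | 'password' | null = null;
  const check = (body: Json): void => {
    if (body.stateHandle !== handle) throw new Error('unknown stateHandle');
    if (Date.now() > expiresAt) throw new Error('stateHandle expired');
  };
  return (path: string, body: Json): Json => {
    switch (path) {
      case '/oauth2/<custom_auth_server>/v1/interact':
        return { interaction_handle: 'constructed-interaction-handle' };
      case '/idp/idx/introspect':
        expiresAt = Date.now() + 120 * MINUTE; // initially 2 hours in the future
        return { stateHandle: handle, expiresAt };
      case '/idp/idx/identify':
        check(body);
        expiresAt = Date.now() + 5 * MINUTE; // now 5 minutes
        return {
          stateHandle: handle,
          expiresAt,
          authenticators: { value: user.authenticators.map((k) => ({ key: k, id: `${k}_authenticator_id` })) },
        };
      case '/idp/idx/challenge':
      case '/idp/idx/credential/enroll':
        check(body);
        pending = body.authenticator.methodType;
        if (pending === 'email') expiresAt = Date.now() + 30 * MINUTE; // passcode entry window
        return { stateHandle: handle, expiresAt };
      case '/idp/idx/challenge/answer': {
        check(body);
        const expected = pending === 'email' ? user.passcode : pending === 'password' ? user.password : undefined;
        if (expected === undefined || body.credentials.passcode !== expected) return { success: false };
        pending = null;
        return { success: true, stateHandle: handle };
      }
      default:
        throw new Error(`unexpected path ${path}`);
    }
  };
}
```

The fake rejects any request that carries a `stateHandle` other than the one issued by `/introspect`, or that arrives after the current `expiresAt`, and it only accepts an answer for the challenge that is actually pending; a real client should treat the same failures (expired handle, unexpected remediation) as reasons to restart from `/interact` rather than retry the answer.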