Two-Step adapter authentication
Overview
This tutorial demonstrates how to implement "Two-Step" adapter-based authentication.
Two-Step means that after the initial authentication that uses, for example, a username and a password, an additional authentication step is required, such as a login pin, a secret word, or similar identification. In this example, a secret word is implemented for the second authentication step. The code snippets and sample application in this tutorial are based on the existing adapter-based authentication sample. The changes extend the application from single-step to Two-Step.
Session-independent mode
By default, MobileFirst Platform Foundation 7.1 applications run in a session-independent mode, meaning that you can no longer use HTTP sessions or global variables to persist data across requests. Instead, MobileFirst apps must use a third-party database to store application state.
To learn more about the session-independent mode, see its topic in the user documentation.
To demonstrate how to store user data, the tutorial uses the WL.Server.getClientId API and a Cloudant database.
Agenda
- Prerequisite - Creating an IBM Cloudant account
- Configuring the authenticationConfig.xml file
- Creating the server-side authentication components
- Creating the client-side authentication components
- Sample application
Prerequisite - Creating an IBM Cloudant account
This sample uses IBM Cloudant Database to save user data. To run the sample and understand how to work with Cloudant, first sign up for a free account and create a database.
Then proceed as follows:
- Change the database permissions - Follow the instructions in the Changing Database Permissions tutorial.
- Basic authentication - The basic authentication value is passed as part of every request to the database. Instead of identifying with your username and password, use base-64 encoding to generate a string created by concatenating the API key and password, separated by a colon character, in the following manner: key:password. You use it later to send requests to the database.
For more information, read the Cloudant Basic Authentication documentation.
Configuring the authenticationConfig.xml file
Realms
Add a realm or replace the existing AuthLoginModule realm in the realms section of the authenticationConfig.xml file:
Security tests
Add a security test or replace the existing AuthSecurityTest in the securityTests section of the authenticationConfig.xml file:
To review the remaining/existing sample components, see the Adapter-based authentication tutorial.
Creating the server-side authentication components
To put in place the Two-Step authentication process, several changes are necessary to the adapter XML file, to the adapter JavaScript file, and to the database.
Adapter XML file
Edit the AuthAdapter.xml file:
- Change the domain name to your Cloudant domain:
- Add the following procedure:
- Protect the getSecretData method with the new TwoStepAuthAdapter-securityTest
Adapter JavaScript file
Edit the AuthAdapter-impl.js file:
- Create a variable to save the basic authentication encoded string you have generated before:
- Create a variable to save your database name:
- Update the onAuthRequired function to return that authentication step 1 is required:
- Update the submitAuthenticationStep1 function:
  - Add the following line to get the client ID:
  - To save the userIdentity for the next authentication step, write it to the database. Use the clientId variable as the document_id key:
  - If step 1 authentication was successful, return that step 2 is required:
- Add a submitAuthenticationStep2 function to handle the second authentication step:
  - Get the client ID and read it from the database:
  - If step 2 authentication was successful, delete the client document from the database:
Database actions
To handle the database actions, use the WL.Server.invokeHttp method and the Cloudant REST API.
- Write to the database:
- Read from the database:
- Delete from the database:
To learn more about IBM Cloudant REST API, see the Cloudant documentation.
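The step-1/step-2 logic of the adapter JavaScript above, together with the write, read and delete actions, as an added example that is not the tutorial's own adapter code: it runs under Node.js with a Map standing in for Cloudant, a `clientId` argument standing in for WL.Server.getClientId(), a constructed user table, and an assumed response shape ({authRequired, step, errorMessage}).

```javascript
// Added example, not the tutorial's adapter code: the Two-Step flow with the
// step-1 result kept in a store keyed by client ID, as the tutorial does with
// Cloudant. `store` (a Map) stands in for the Cloudant write/read/delete calls,
// `clientId` for WL.Server.getClientId(), and USERS is a constructed user table.
const USERS = {
  "alice@example.com": { password: "p@ss-1", secretWord: "otter" }, // constructed
};

// Step 1: check username/password. On success persist the user identity under
// the client ID so that any server node can finish step 2 later (no HTTP session).
function submitAuthenticationStep1(store, clientId, username, password) {
  const user = USERS[username];
  if (!user || user.password !== password) {
    return { authRequired: true, step: 1, errorMessage: "Invalid login credentials" };
  }
  const userIdentity = { userId: username, displayName: username, attributes: {} };
  store.set(clientId, { _id: clientId, userIdentity }); // Cloudant: PUT /<db>/<clientId>
  return { authRequired: true, step: 2 };
}

// Step 2: load the pending identity for this client ID, check the secret word,
// then delete the document so a completed step 1 cannot be reused.
function submitAuthenticationStep2(store, clientId, secretWord) {
  const doc = store.get(clientId); // Cloudant: GET /<db>/<clientId>
  if (!doc) {
    // Nothing pending: step 2 was called without a successful step 1, so start over.
    return { authRequired: true, step: 1, errorMessage: "Complete step 1 first" };
  }
  const user = USERS[doc.userIdentity.userId];
  if (!user || user.secretWord !== secretWord) {
    return { authRequired: true, step: 2, errorMessage: "Wrong secret word" };
  }
  store.delete(clientId); // Cloudant: DELETE /<db>/<clientId>?rev=<rev>
  // The real adapter would call WL.Server.setActiveUser(realm, doc.userIdentity) here.
  return { authRequired: false, userIdentity: doc.userIdentity };
}
```

Because the pending document is the only link between the two steps, a step-2 call with no document for that client ID is rejected and sent back to step 1.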
Creating the client-side authentication components
- In index.html, use the TwoStepAuthRealm instead of the existing realm:
- Add a second authentication screen:
- Finally, update the challenge handler accordingly.
In this example, a new challenge handler (a new .js file), called TwoStepAuthRealmChallengeProcessor.js, is created for this purpose.
- The response is checked as in the original sample application:
- Add another case for the second authentication step:
- Perform the second authentication step:
To review the remaining/existing sample client-side implementation, see the Adapter-based authentication in hybrid applications tutorial.
Sample application
Click to download the sample application.