CIAM Solutions — FAQ4: How to achieve MFA in a Native API flow using WSO2 Identity Server?

Dinali Rosemin Dabarera
4 min read · Jan 12, 2022

Native apps are applications developed for a specific operating system. They have their own UIs and tend to use REST APIs in order to provide a better user experience.

There is a common myth in the developer mindset that native applications provide a better user experience than hybrid applications, which use the native browser for central authentication and therefore include redirections that can distract the user. But the bitter truth is that there is no industry-standard protocol for Single Sign-On or Federation if you follow a native approach with REST APIs. Everything you find in the market is something offered by a specific Identity Provider to meet customer/developer demands.

Commonly used approaches for Native Apps

Option 1: Basic Authentication REST API

a. Resource Owner Password Credentials Grant

This is the most common grant offered by the OAuth 2.0 specification to authenticate a user and issue an access token. In WSO2 Identity Server, if you use scope=oidc, you receive the user information in an ID token along with the access token.

This is the most commonly used REST API offered by any vendor in the CIAM market. Because of its security issues, many vendors use abbreviated forms of the password grant, which is a good decision if you cannot compromise the user experience.

See RFC 6819, OAuth 2.0 Threat Model and Security Considerations: https://www.rfc-editor.org/rfc/rfc6819.txt

Like all other vendors in the market, WSO2 Identity Server provides Resource Owner Password Credentials as a REST API option that you can use to integrate authentication into your native UIs.

b. Request Path Authentication

A request path authenticator is a special type of local authenticator meant to authenticate requests that already contain the user’s credentials. This means you can use the single sign-on mechanism without an identity provider login page prompting the end user for credentials. It is a special REST API provided by WSO2 Identity Server to achieve basic (username/password) authentication.

Both options a and b are single-step, single-factor authentication mechanisms on which you can build Multi-Factor Authentication easily if needed. But to start implementing a non-critical app, one of these is more than enough.

To make flow “a” more secure, you can do the following:

  • Add machine-to-machine authentication (client app to server) via a client credentials token alongside the user token, which assures that the request is coming from the same device. To achieve this, a native app should create an SP in WSO2 Identity Server when the app is installed on the mobile device, and the SP should be deleted whenever the app is uninstalled. OpenID Connect Dynamic Client Registration is helpful for this.

Option 2: Multi-Factor Authentication REST API

In the latest WUM update of WSO2 Identity Server 5.10, there are REST APIs for SMS OTP, Email OTP, TOTP, and FIDO2. Hence, you can do the following to achieve an MFA flow until the WSO2 team releases the official MFA REST approach by the end of H1 2022.

a) Write a custom end-point for the login flow with MFA

You can write a custom endpoint and host it in the WSO2 Identity Server web apps folder.

This endpoint can call the static steps of basic authentication and any preferred MFA REST API. Once all steps are complete, you can call a custom grant and issue an access token for the authenticated user. Each API call should be secured by a correlation_id issued by the endpoint, which acts as a one-time secret for each API call.

b) Use an API-Gateway to do the orchestration and call a custom grant

Instead of writing a custom endpoint, you can perform the same steps within a gateway. After calling all the steps in the static authentication flow, you call the back-channel custom grant to get the access token for the user.

In both cases, the custom grant can be written to bind the token to the device_id, the mobile number, or any preferred attribute defined within the flow, to match the business requirement.
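The orchestration that options a) and b) describe, as an added example that is not part of the article or of WSO2 Identity Server: an in-memory orchestrator that walks a static basic-auth plus OTP flow, rotates the correlation_id as a one-time secret after every step, and only issues a device-bound token once every step is done. The credential stores and the token shape are constructed stand-ins for the WSO2 REST APIs and custom grant.

```python
import hmac
import secrets
import time

# Constructed stand-ins for the credential checks: in the article these are
# WSO2's basic-auth and OTP REST APIs, called from the custom endpoint.
STORES = {"basic": {"alice": "correct horse"}, "otp": {"alice": "482913"}}
STEPS = ("basic", "otp")  # the static authentication flow, in order
FLOW_TTL = 300  # seconds a half-finished login may live

class Orchestrator:
    """Custom endpoint state: one-time correlation_id -> login flow state."""

    def __init__(self):
        self._flows = {}

    def start(self, username, device_id):
        return self._bind({"user": username, "device_id": device_id,
                           "done": [], "exp": time.time() + FLOW_TTL})

    def _bind(self, flow):
        # A fresh correlation_id is issued after every step, so a captured
        # value cannot be replayed; it is the only key to the flow state.
        cid = secrets.token_urlsafe(32)
        self._flows[cid] = flow
        return cid

    def verify(self, cid, step, secret):
        # Consume the correlation_id; any failure invalidates the whole flow,
        # so a wrong guess or an out-of-order call forces a restart.
        flow = self._flows.pop(cid, None)
        if flow is None or time.time() > flow["exp"]:
            return None
        if len(flow["done"]) >= len(STEPS) or STEPS[len(flow["done"])] != step:
            return None  # step called out of order or twice
        expected = STORES[step].get(flow["user"], "")
        if not hmac.compare_digest(expected, secret):
            return None
        flow["done"].append(step)
        return self._bind(flow)

    def issue_token(self, cid):
        # Stand-in for the custom grant: succeeds only when every step is done
        # and binds the token to the device_id captured when the flow started.
        flow = self._flows.pop(cid, None)
        if flow is None or flow["done"] != list(STEPS):
            return None
        return {"sub": flow["user"], "device_id": flow["device_id"], "amr": list(STEPS)}
```

In a real deployment the flow state would live in a shared store behind the endpoint or gateway, and each verify call would forward the secret to the corresponding WSO2 REST API instead of checking it locally.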

WSO2 Identity Server will soon get this feature in the product, but because of differing business requirements we may still have to customize it further. Hence, you can always use one of the above approaches to solve your MFA problem.

If you are a WSO2 subscribed customer and if you have this requirement, contact us! We will talk to you about a solution.

Dinali Rosemin Dabarera

Integration Consultant (IAM) @ Yenlo Nederland B.V, specialized in WSO2 IAM, an Identity Evangelist, a blogger, a nature lover, a backpacker