Friday, December 28, 2018

Adaptive Authentication with WSO2 Identity Server

In one of my previous blog post Conditional Authentication! What and Why, I explained the necessity to "adopt" the authentication flow according to the user’s risk profile or the situation.

In this post, let's see how to implement a use case with WSO2 Identity Server 5.7.0. We will use the example of the user management system from my previous blog post. For convenience, I'll add the use case below.
There is a user management system in your company. All the users can login to the system and manage their profile and change their password. But if you are an admin user in the system, you can add users, delete users, reset passwords of other users and do all the risky tasks in the system. While all the users can login to the system with just username and password, if you are an admin user, you have to enter your “Time-based One Time Password” (TOTP).
First, download the WSO2 Identity Server 5.7.0 from the official download page and start it if you haven't done it already. Now configure the application in Identity Server and add the inbound authentication configuration as described in this documentation.

Now we are ready to configure the adaptive authentication for this service provider. Go to the "Local & Outbound Authentication Configuration" section of the service provider configuration and click on the "Advanced Authentication" button. You will be redirected to below page.


Expand the "Script Based Adaptive Authentication" section and you will be able to see a list of templates available.


From the available template list, we will be using the "Role-Based" template. To use it click on the "+" next to "Role-Based" label. Now the editor will be populated with below template.

// Role-Based from Template...

// This script will step up authentication for any user belonging
// to one of the given roles
// If the user has any of the below roles, authentication will be stepped up
var rolesToStepUp = ['admin', 'manager'];

function onLoginRequest(context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Extracting authenticated subject from the first step
            var user = context.currentKnownSubject;
            // Checking if the user is assigned to one of the given roles
            var hasRole = hasAnyOfTheRoles(user, rolesToStepUp);
            if (hasRole) {
                Log.info(user.username + ' Has one of Roles: ' + rolesToStepUp.toString());
                executeStep(2);
            }
        }
    });
}

// End of Role-Based.......

The script is pretty much self-explanatory. First, we execute step 1, which is configured to basic authentication in the "Authentication Step Configuration" section. The after successful execution of the first step, we check whether the logged in user has the "admin" or the "manager" roles. If so, we execute step 2, which is configured to either TOTP or FIDO authentication.

Click on the "Update" button and then save the service provider configuration.

Now we are ready to test the adaptive authentication.
First, try to log in as an admin user. After entering the admin credentials, the user will be prompted for a second factor.
Next, try to log in as a normal user (a user that don't have admin or the manager roles). Just by entering the username and the password, the user will be able to log in.

So now we have implemented the scenario successfully. Identity Server has a set of pre-defined templates for adaptive authentication. Explore them and see the use cases you can implement. Adaptive Authentication JS API Reference document contains more information about each API and objects used in the authentication script. Using them you can implement many more use cases.

Centering Widgets with ConstraintLayout in Android

Placing widgets in the exact place you want on an Android layout is a difficult task. With ConstraintLayout, you can achieve this relatively easy. In a ConstraintLayout, you can use below configuration to center the button in the window.

<Button
        android:id="@+id/testbutton"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_gravity="center"
        android:text="Test"
        app:layout_constraintBottom_toBottomOf="parent"
        app:layout_constraintLeft_toLeftOf="parent"
        app:layout_constraintRight_toRightOf="parent"
        app:layout_constraintTop_toTopOf="parent" />

Interestingly this will add the button in the center of the window like below.

If we consider horizontal positioning, we have configured to place the left of the button to the left of the parent, (which refers to the parent container, i.e. the ConstraintLayout) and place the right of the button to the right of the parent. This is an impossible layout unless the width of the button is equal to the width of the parent. ConstraintLayout handles this by placing the button in the center of the parent, like pulling the button by the two constraints resulting to make the button keep in the middle. Same goes with the vertical positioning.






But if you add a bias to position the widget in favor of one side. For example, if we add below bias to the above positioning, the result will be as below image.

<Button
        ...
        app:layout_constraintVertical_bias="0.8" />

If we add the bias as 0.8, the widget will be placed after 80% of the container.