Authentication post process actions

This chapter will guide you through the steps required to implement authentication post process actions.

Prerequisites

To complete this topic guide, make sure the following prerequisites are met:

  • An Onegini IdP instance must be running; for this guide we assume it is available at http://idp-core.dev.onegini.me
  • Onegini IdP must have the Username & password identity provider configured
  • Onegini IdP must have the Email verification required feature configured in the Configuration->Attributes section
  • Onegini IdP must have the Base URL set to the extension's base URL in the Configuration->Ui Extension section

Implementation

In your extension you must implement the AuthenticationPostProcessExtension interface. Core calls this extension point when a user logs in, to determine which actions should be performed or skipped during the application flow. The response of the AuthenticationPostProcessExtension.determinePostProcessActions() method should contain a list of AuthenticationPostProcessAction elements describing the required flow modifiers. For instance, to skip email verification the list should contain AuthenticationPostProcessAction.SKIP_REQUIRED_EMAIL_VERIFICATION; to perform additional actions after login it should contain AuthenticationPostProcessAction.UI_AUTHENTICATION_POST_PROCESS_REQUIRED. To do this, create the following class in the extension project:

// Imports of @Service and the Onegini extension types are omitted here
import java.util.ArrayList;
import java.util.List;

@Service
public class SampleAuthenticationPostProcessExtension implements AuthenticationPostProcessExtension {

  @Override
  public AuthenticationPostProcessResponseDto determinePostProcessActions(final AuthenticationPostProcessRequestDto requestData) {
    final AuthenticationPostProcessResponseDto response = new AuthenticationPostProcessResponseDto();
    final List<AuthenticationPostProcessAction> actions = new ArrayList<>();
    response.setActions(actions);
    // Skip the required email verification on the first login only
    if (requestData.getPersonActivityStatus().getLoginCount() <= 1) {
      actions.add(AuthenticationPostProcessAction.SKIP_REQUIRED_EMAIL_VERIFICATION);
    }
    // Always hand over to the UI extension after login
    actions.add(AuthenticationPostProcessAction.UI_AUTHENTICATION_POST_PROCESS_REQUIRED);
    return response;
  }

}

To force the use of a UnP (username and password) identity, the list should contain REQUIRE_IDENTITY_UNP.

Example:

  @Override
  public AuthenticationPostProcessResponseDto determinePostProcessActions(final AuthenticationPostProcessRequestDto requestData) {
    final AuthenticationPostProcessResponseDto response = new AuthenticationPostProcessResponseDto();
    final List<AuthenticationPostProcessAction> actions = new ArrayList<>();
    response.setActions(actions);
    // requireUnpIdentity is a boolean defined elsewhere in the extension (not shown)
    if (requireUnpIdentity) {
      actions.add(AuthenticationPostProcessAction.REQUIRE_IDENTITY_UNP);
    }
    return response;
  }

"UI Authentication post process" requires the AuthenticationProcessExtension interface to be implemented in the UI extension. A simple action may look like this:

@Service
public class GenericAuthenticationProcessExtension implements AuthenticationProcessExtension {
  private static final Logger LOG = getLogger(GenericAuthenticationProcessExtension.class);

  @Override
  public String authenticationPostProcess(final PersistableSessionDto sessionDto, final Map<String, Object> requiredActionsForPerson) {
    LOG.info("Authentication Post Process Actions");
    // Pass the session as an argument: a @Service bean is a singleton by default,
    // so keeping sessionDto in a field could mix up tokens of concurrent logins.
    return processActions(sessionDto);
  }

  // Redirects back to idp-core with the extension point and the callback token
  private String processActions(final PersistableSessionDto sessionDto) {
    return "redirect:http://idp-core.dev.onegini.me/post-process-callback?extensionPoint=/authentication-post-process&extensionToken="
        + getToken(sessionDto.getUiCallbackTokens());
  }
...
}

The method is provided with the PersistableSessionDto and requiredActionsForPerson objects, which provide additional settings that the extension might require. After performing all actions, the UI extension should redirect the user back to idp-core, to the "/post-process-callback" endpoint, with parameters that help core identify the action the user was redirected from. The token (received from sessionDto) is also passed, not only to identify the action but also to make core mark the action as "finished".
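One way to build the callback redirect described above so that both parameters are URL-encoded and the target is fixed by configuration. This is an added example, not Onegini code: the class PostProcessCallbackUrl and its methods are hypothetical, the sample token is constructed, and the token is assumed to have been extracted from sessionDto.getUiCallbackTokens() already.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example, not Onegini code: builds the redirect back to idp-core
// without keeping any per-request state in the object.
public final class PostProcessCallbackUrl {

  private static final String CALLBACK_PATH = "/post-process-callback";

  private final URI coreBaseUri;

  // coreBaseUrl comes from the extension's own configuration (assumption),
  // never from request parameters, so the redirect target cannot be steered.
  public PostProcessCallbackUrl(final String coreBaseUrl) {
    final URI uri = URI.create(coreBaseUrl);
    final String scheme = uri.getScheme();
    if (uri.getHost() == null || !("http".equals(scheme) || "https".equals(scheme))) {
      throw new IllegalArgumentException("Core base URL must be an absolute http(s) URL");
    }
    this.coreBaseUri = uri;
  }

  public String redirectFor(final String extensionPoint, final String extensionToken) {
    if (extensionToken == null || extensionToken.isEmpty()) {
      // Without the token core cannot mark the action as finished.
      throw new IllegalStateException("Missing UI callback token for " + extensionPoint);
    }
    final String query = "extensionPoint=" + encode(extensionPoint)
        + "&extensionToken=" + encode(extensionToken);
    return "redirect:" + coreBaseUri.resolve(CALLBACK_PATH) + "?" + query;
  }

  private static String encode(final String value) {
    return URLEncoder.encode(value, StandardCharsets.UTF_8);
  }

  public static void main(final String[] args) {
    final PostProcessCallbackUrl callback = new PostProcessCallbackUrl("http://idp-core.dev.onegini.me");
    // Constructed token with characters that would corrupt an unencoded query string.
    System.out.println(callback.redirectFor("/authentication-post-process", "abc+123/xyz=="));
  }
}
```

Each call works only on its arguments, so a single instance can be shared by concurrent logins.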

Testing

Skip email verification

Skipping email verification can be tested with the following steps:

  • On the login screen click register and go through the registration process. At the end you should be logged in and see the dashboard.
  • Log out of the application. Try to log in again with the credentials used during registration. After submitting the login form you should see the email not verified page.

UI authentication post process actions

The authentication post process action can be tested with the following steps:

  • In the admin configuration provide http://idp-core.dev.onegini.me:8183 as the base UI extension URL.
  • On the login screen use the credentials of an existing user to log in, or perform the registration process.
  • Check the application logs: the log entry "Authentication Post Process Actions" should be displayed.

Force UnP identity

Forcing the required identity can be tested with the following steps:

  • Log in with social IdP.
  • You should be redirected to username password page. Fill the fields and submit.
  • You should see the dashboard. Log out.
  • Log in with social IdP.
  • You should be logged in.

Block person login

Block person login can be tested with the following steps:

  • Log in using UnP or using the SAML flow.
  • After submitting the login form you should see an error box with the information that Login was blocked.
  • In case of the SAML flow, you should be redirected to the SP page with an error code.