4.4.4. Time-based One Time Password Credential Handler
This credential handler supports a username/password in conjunction with a time-based token, which is regenerated at a fixed interval. This credential type allows you to enable two-factor authentication for your application.
Credentials can be updated as follows:
```java
User user = BasicModel.getUser(identityManager, "jsmith");
TOTPCredential credential = new TOTPCredential("abcd1234", "my_totp_secret");
identityManager.updateCredential(user, credential);
```
Users can have multiple TOTP tokens, one for each device. You can configure a token for a specific user device as follows:
```java
User user = BasicModel.getUser(identityManager, "jsmith");
TOTPCredential credential = new TOTPCredential("abcd1234", "my_totp_secret");
credential.setDevice("My Cool Android Phone");
identityManager.updateCredential(user, credential);
```
In order to validate a credential you need the following code:
```java
User user = BasicModel.getUser(identityManager, "jsmith");
TOTPCredentials credential = new TOTPCredentials();
credential.setUsername(user.getLoginName());
credential.setPassword(new Password("abcd1234"));

TimeBasedOTP totp = new TimeBasedOTP();

// let's manually generate a token based on the user secret
String token = totp.generate("my_totp_secret");
credential.setToken(token);

// if you want to validate the token for a specific device
// credential.setDevice("My Cool Android Phone");

identityManager.validateCredentials(credential);

if (Status.VALID.equals(credential.getStatus())) {
    // successful validation
} else {
    // invalid credential
}
```
4.4.4.1. Configuration Parameters
The following table describes all configuration parameters supported by this credential handler:
Table 4.3. Configuration Parameters
| Parameter | Description |
|---|---|
| TOTPCredentialHandler.ALGORITHM | The HMAC algorithm used to compute tokens. Defaults to HmacSHA1. |
| TOTPCredentialHandler.INTERVAL_SECONDS | The number of seconds a token is valid. Defaults to 30 seconds. |
| TOTPCredentialHandler.NUMBER_DIGITS | The number of digits for a token. Defaults to 6 digits. |
| TOTPCredentialHandler.DELAY_WINDOW | The number of previous intervals that should also be accepted when validating tokens. Defaults to 1 interval of 30 seconds. |
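To show what the four parameters above control, and what the token generation and validation calls earlier in this section do under the hood, here is an added stand-alone RFC 6238 implementation with the handler's defaults (HMAC-SHA1, 30-second interval, 6 digits, one previous interval accepted). It is illustrative code, not PicketLink's `TimeBasedOTP` or `TOTPCredentialHandler`; the secret used is the RFC 6238 reference test key, and the `validate` function is an assumed name.

```python
import hmac
import struct
from hashlib import sha1

# Defaults matching Table 4.3 (illustration only, not the handler's constants).
INTERVAL_SECONDS = 30
NUMBER_DIGITS = 6
DELAY_WINDOW = 1  # previous intervals still accepted, to tolerate clock drift

# RFC 6238 reference test key (ASCII "12345678901234567890"), not a real secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = NUMBER_DIGITS, algorithm=sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, interval: int = INTERVAL_SECONDS,
         digits: int = NUMBER_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided by the interval."""
    return hotp(secret, at // interval, digits)


def validate(secret: bytes, token: str, now: int, interval: int = INTERVAL_SECONDS,
             digits: int = NUMBER_DIGITS, delay_window: int = DELAY_WINDOW) -> bool:
    """Accept the current interval plus `delay_window` previous ones, which is what
    DELAY_WINDOW enlarges. Uses a constant-time comparison for the token check."""
    current = now // interval
    for step in range(delay_window + 1):
        expected = hotp(secret, current - step, digits)
        if hmac.compare_digest(expected, token):
            return True
    return False


if __name__ == "__main__":
    token = totp(TEST_SECRET, 59)            # counter 1
    print(token, validate(TEST_SECRET, token, 89))   # still valid one interval later
    print(validate(TEST_SECRET, token, 119))         # two intervals later: rejected
```

Widening DELAY_WINDOW trades drift tolerance for a longer replay window, so each accepted token should also be marked as used.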