We have a screen in our app that gathers the username and password.

Using that username and password, how do we authenticate with IBM AppID and support multi-factor authentication?

What IBM App ID API calls are needed and what parameters should be used?

We have the MFA working in the login widget, but we have custom screens that we need to support. The MFA is not working in the custom screens.

  • What have you tested, what is your current code, what language? I assume that you are aware of the AppID API and its SDKs. – data_henrik Feb 16 '21 at 06:45
  • Our code is Java, and there is no SDK for Java, so we're using the APIs. We get the verification email on signup, but not for the next session after signup where they are just signing in with Un/Pw. The only APIs I saw that take a password are "signup" and "token", so for the signin process I've tried the /token API. I would think there would be a way to submit the Un/Pw to an API and get a grant code back, but can't find one. – Carla Huff Feb 16 '21 at 18:16
  • I'm assuming that these API calls need to come from the user's browser so that the callback gets associated with the user's session. I am reluctant to send down headers with secrets to the browser, or for the browser to get back the actual access token. Would seem like a security problem. I am currently having the server make these calls and not using the callback. – Carla Huff Feb 16 '21 at 18:22
  • I think there is a misconception. Take a look at the overall flow: https://cloud.ibm.com/docs/appid?topic=appid-app Your app redirects the user to AppID to enter the credentials. Depending on the Identity Provider this might not even be a password. I have used AppID with FIDO2 passwordless login using security keys – data_henrik Feb 16 '21 at 19:15
  • OK, we were able to leverage all the APIs for sign up, reset password, etc. using custom screens. We're not able to implement the multi-factor authentication. If we use it through the widget everything works fine, but we don't have any APIs to call when leveraging our custom screens for MFA – Carla Huff Feb 16 '21 at 20:49
  • MFA is part of Identity Providers. Have you in-app post-processing (your extra MFA)? Why don't you extract the identity from the token and work with that? – data_henrik Feb 17 '21 at 07:04
  • We have no problem getting the identity. The problem is being able to generate the MFA Email challenge on subsequent logins after signup. Seems there is no App ID API that will generate that Email and then do the callback to our app. – Carla Huff Feb 17 '21 at 16:04
  • AppID is a wrapper around Identity Providers, including its own Cloud Directory (with several MFA config options). If you want to add additional authentication on top of AppID, you would need to handle it as part of the handover / redirect, maybe with an additional required token – data_henrik Feb 17 '21 at 16:33

0 Answers