After trying several methods to implement a retry mechanism, we decided to
go for the below approach.
The authentication framework will not prompt for retrying unless it is
specifically written in the script. So if we want to retry the
authentication, the conditional authentication script would be like below.

function onInitialRequest(context) {
    // Total number of times step 1 may be attempted.
    var retryCount = 3;
    executeBasicAuth(context, retryCount);
}

function executeBasicAuth(context, retryCount) {
    Log.info('--------------- executeBasicAuth retryCount ' + retryCount);
    executeStep({
        id: '1',
        on: {
            success: function (context) {
                Log.info('--------------- authentication successful ');
                var isAdmin = hasRole(context, 'admin');
                Log.info('--------------- Has Admin ' + isAdmin);
                // Only admins are sent on to the second step.
                if (isAdmin) {
                    executeStep({id: '2'});
                }
            },
            fail: function (context) {
                Log.info('--------------- fail retryCount ' + retryCount);
                // Use up one attempt, then prompt step 1 again if any remain.
                --retryCount;
                if (retryCount > 0) {
                    executeBasicAuth(context, retryCount);
                } else {
                    Log.info('--------------- login failed ');
                }
            }
        }
    });
}

This script will try to authenticate the user 3 times in case credentials
are incorrect. This approach will ensure that the authentication flow is
strictly controlled by the script and there is no unnecessary/unwanted
behavior.
But with this approach we have an issue with how to get the authentication
failure reason in case of a retrying step. At the moment in the basic
authenticator, this failure message is set by checking
"context.isRetrying()" [1]. With the new implementation, the authentication
framework is not aware if this is a retrying step or not. We are trying to
find a solution for this. Any suggestions are welcome.
[1]
https://github.com/wso2-extensions/identity-local-auth-basicauth/blob/v5.3.7/components/org.wso2.carbon.identity.application.authenticator.basicauth/src/main/java/org/wso2/carbon/identity/application/authenticator/basicauth/BasicAuthenticator.java#L108
Thanks,
Maduranga.
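
Added example, not part of the original message and not WSO2 Identity Server code: a small harness that runs the same control flow as the script above against constructed login outcomes and records what the flow does. `simulate`, the `trace` strings and the synchronous `executeStep` stand-in are assumptions made for illustration.

```javascript
// simulate() stands in for the authentication framework (assumption): every
// executeStep() call that has callbacks consumes the next constructed outcome
// and fires the matching callback synchronously.
function simulate(outcomes, roles, maxAttempts) {
  var trace = [];                  // ordered record of what the flow did
  var pending = outcomes.slice();  // constructed outcomes: 'success' or 'fail'

  function hasRole(context, role) {
    return roles.indexOf(role) !== -1;
  }

  function executeStep(config) {
    trace.push('prompt step ' + config.id);
    if (!config.on) { return; }               // step '2' has no callbacks here
    var outcome = pending.shift() || 'fail';  // nothing left: treat as failure
    config.on[outcome]({});
  }

  // Same control flow as the script in the message, with the budget passed in.
  function executeBasicAuth(context, retryCount) {
    executeStep({
      id: '1',
      on: {
        success: function (context) {
          if (hasRole(context, 'admin')) {
            executeStep({id: '2'});
          }
        },
        fail: function (context) {
          --retryCount;
          if (retryCount > 0) {
            executeBasicAuth(context, retryCount);
          } else {
            trace.push('login failed');
          }
        }
      }
    });
  }

  executeBasicAuth({}, maxAttempts);
  return trace;
}

// Constructed runs: always-wrong password, admin succeeding on the second
// try, and a non-admin succeeding on the first try.
console.log(simulate(['fail', 'fail', 'fail', 'fail'], [], 3));
console.log(simulate(['fail', 'success'], ['admin'], 3));
console.log(simulate(['success'], [], 3));
```

With a budget of 3 the user sees the step 1 prompt three times in total, so the count bounds attempts rather than retries after the first failure. Each repeated `executeStep` call is identical to the first one, which is why nothing on the framework side can tell a retry from an initial prompt.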
On Tue, May 8, 2018 at 12:26 PM Maduranga Siriwardena <[email protected]>
wrote:
> Hi Gayan,
>
> Thanks for the suggestion.
>
> Yes, it's better to provide a configuration to change the number of retry
> attempts. Apart from the above mentioned behavior, we will consider this
> also in the implementation.
>
> Thanks,
>
> On Tue, May 8, 2018 at 9:31 AM gayan gunawardana <[email protected]>
> wrote:
>
>>
>>
>> On Mon, May 7, 2018 at 7:17 PM, Maduranga Siriwardena <[email protected]
>> > wrote:
>>
>>> Hi devs,
>>>
>>> In the Identity Server at the moment, the "retryAuthenticationEnabled" method
>>> in the authenticators decides whether the user is allowed to retry the
>>> authentication with that particular authenticator. Based on the result from
>>> this method, the authenticator itself triggers the retry flow.
>>>
>>> Because of this we have a main disadvantage for the implementation of
>>> adaptive authentication. If retry is enabled, the fail callback function in
>>> JavaScript is not triggered.
>>>
>>> So we are planning to change this behavior and send the authentication
>>> retry flow through the authentication framework. Below is the planned
>>> behavior.
>>>
>>> - Authenticator will retry to authenticate by default.
>>> - If the fail callback function has other steps to execute,
>>>   authenticator will not retry to authenticate.
>>> - Developers can disable retry for an authentication sequence by
>>>   setting a parameter in the context.
>>>
>> Isn't it better to invoke the fail callback function after a pre-configured
>> number of retry attempts?
>>
>>> Please provide us with feedback on what needs to be changed from the above
>>> mentioned behavior.
>>>
>>> Thanks,
>>> --
>>> Maduranga Siriwardena
>>> Senior Software Engineer
>>> WSO2 Inc; http://wso2.com/
>>>
>>> Email: [email protected]
>>> Mobile: +94718990591
>>> Blog: *https://madurangasiriwardena.wordpress.com/
>>> <https://madurangasiriwardena.wordpress.com/>*
>>> <http://wso2.com/signature>
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Gayan
>>
>
>