Performing Multi-Factor Authentication (MFA)
IBM® Security Verify API commands are used in the one-time password (OTP) process when using MFA to acquire an access token.
Email OTP: Factor Invocation
Using the indicated allowedFactors
, a call to the email OTP factors API is
made.
POST https://securitypoc.ice.ibmcloud.com/v2.0/factors/emailotp/504a8fab-95d9-44d4-b4af-6a1c143b6031/verifications
Authorization: Bearer lkXMx3tHQjWSalhNmtWIrloMHQOue1ntchRymytL
{"correlation:""}
These calls are made by using the mfa_challenge
access token. Enrollment is made
out of band as a prerequisite of this flow.
The initiation response is
{
"id": "d6b3b425-62a3-42e8-bf09-4f15f751c232",
"userId": "60100041I3",
"type": "emailotp",
"created": "2020-07-01T04:00:56.384Z",
"updated": "2020-07-01T04:00:56.384Z",
"expiry": "2020-07-01T04:05:56.384Z",
"state": "PENDING",
"correlation": "9556",
"emailAddress": "scott@acme.org"
}
Email OTP: Factor completion
POST https://securitypoc.ice.ibmcloud.com/v2.0/factors/emailotp/504a8fab-95d9-44d4-b4af-6a1c143b6031/verifications/d6b3b425-62a3-42e8-bf09-4f15f751c232?returnJwt=true
Authorization: Bearer lkXMx3tHQjWSalhNmtWIrloMHQOue1ntchRymytL
{"otp":"313375"}
The verification endpoint invocation includes the returnJwt
parameter.
The Factor completion response is
{
"assertion": "eyJhbGciOiJSUzI1NiIsImtpZCI6InNlcnZlciJ9.eyJhbXIiOlsiZW1haWxvdHAiLCJwYXNzd29yZCJdLCJhdWQiOlsiMWE0MzEwZDQtMDExOC00NTExLTkwODItMzk2NjljY2RjYWQ2IiwiaHR0cHM6Ly9zZWN1cml0eXBvYy5pY2UuaWJtY2xvdWQuY29tL3YxLjAvZW5kcG9pbnQvZGVmYXVsdC90b2tlbiJdLCJleHAiOjE1OTM4OTMyMDQsImZhY3RvciI6ImVtYWlsb3RwIiwiZ3JhbnRfaWQiOiJjMTRjNjNjMS02NDMxLTRjOGYtYThmZS1jOTM5YWZmMDE3NDQiLCJpYXQiOjE1OTM4OTI5MDQsImlzcyI6Imh0dHBzOi8vc2VjdXJpdHlwb2MuaWNlLmlibWNsb3VkLmNvbS92Mi4wL2ZhY3RvcnMiLCJqdGkiOiI2MGZhYjdkNi0zZWZhLTQ4NWUtOTQxNi0zNmM2NDgxMWFlNzYiLCJzdWIiOiI2MDQwMDAzT0g4IiwidGVuYW50SWQiOiJzZWN1cml0eXBvYy5pY2UuaWJtY2xvdWQuY29tIn0.J9_Omrs8vlTz9bgGWVI0T4AssoMP0UFNoDZ_4d93NEELq_kE1qoXw0Ao8_1QMyyYPRhtnCxtpF5NrD7s4yIzU-WnOkV2qXHfVX5nZPJnPOdP3YOOfUiA0sBTqxlAWr_lePaZuMjseKXpB0YP9ntOqo9T0woQ9MUY6B1gPrRbnX9Zzx64RzA3GgUD3_IhgghIcwxYuSZEKzf8PejG-oh70jSE5gkPK8JiEbvc2lVP7tQgdTCdbjRFybST5B57RTdU1X85uQ7fjO4ggxLcYljHPBfOkSgwCBnq6BXwcVo8o4w6XPYQgRnjDFyJJTf7EwLMaoEwjDiGO4wHXmATgitMng"
}
MFA: Presenting the JWT back to /token
POST https://securitypoc.ice.ibmcloud.com/v1.0/endpoint/default/token
client_id=1a4310d4-0118-4511-9082-39669ccdcad6&
client_secret=cmVkYWN0ZWQ&
scope=openid&
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&
context=eyJzZXNzaW9uSWQiOiAic29tZVNlc3Npb24xMjMiLCAidXNlckFnZW50OiI6ICJzb21lX3VzZXJfYWdlbnQiLCAiaXBBZGRyZXNzIjogIjE5Mi4xNjguMS4xIn0&
assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6InNlcnZlciJ9.eyJhbXIiOlsiZW1haWxvdHAiLCJwYXNzd29yZCJdLCJhdWQiOlsiMWE0MzEwZDQtMDExOC00NTExLTkwODItMzk2NjljY2RjYWQ2IiwiaHR0cHM6Ly9zZWN1cml0eXBvYy5pY2UuaWJtY2xvdWQuY29tL3YxLjAvZW5kcG9pbnQvZGVmYXVsdC90b2tlbiJdLCJleHAiOjE1OTM4OTMyMDQsImZhY3RvciI6ImVtYWlsb3RwIiwiZ3JhbnRfaWQiOiJjMTRjNjNjMS02NDMxLTRjOGYtYThmZS1jOTM5YWZmMDE3NDQiLCJpYXQiOjE1OTM4OTI5MDQsImlzcyI6Imh0dHBzOi8vc2VjdXJpdHlwb2MuaWNlLmlibWNsb3VkLmNvbS92Mi4wL2ZhY3RvcnMiLCJqdGkiOiI2MGZhYjdkNi0zZWZhLTQ4NWUtOTQxNi0zNmM2NDgxMWFlNzYiLCJzdWIiOiI2MDQwMDAzT0g4IiwidGVuYW50SWQiOiJzZWN1cml0eXBvYy5pY2UuaWJtY2xvdWQuY29tIn0.J9_Omrs8vlTz9bgGWVI0T4AssoMP0UFNoDZ_4d93NEELq_kE1qoXw0Ao8_1QMyyYPRhtnCxtpF5NrD7s4yIzU-WnOkV2qXHfVX5nZPJnPOdP3YOOfUiA0sBTqxlAWr_lePaZuMjseKXpB0YP9ntOqo9T0woQ9MUY6B1gPrRbnX9Zzx64RzA3GgUD3_IhgghIcwxYuSZEKzf8PejG-oh70jSE5gkPK8JiEbvc2lVP7tQgdTCdbjRFybST5B57RTdU1X85uQ7fjO4ggxLcYljHPBfOkSgwCBnq6BXwcVo8o4w6XPYQgRnjDFyJJTf7EwLMaoEwjDiGO4wHXmATgitMng
The context parameter is unchanged.
Because the MFA is completed and all of the access policy rules are satisfied, the
/token
response is
{
"access_token": "wHl8vG85BD30PQn6xewyp63zmF8zkJFb9Z56Ma6s",
"refresh_token": "FIsrk6n6QCNEQ2e4e6VNUFUmN9fwzwtauCcTjK26Jlt16mSqvw",
"scope": "openid",
"grant_id": "c14c63c1-6431-4c8f-a8fe-c939aff01744",
"id_token": "ey...",
"token_type": "Bearer",
"expires_in": 7199
}