Performing multi-factor authentication (MFA)

The IBM® Verify API calls below are used for the one-time password (OTP) process when MFA is required to obtain an access token.

Email OTP: factor call

A call is made to the email OTP factor API, using the factor that was indicated in allowedFactors.

POST https://securitypoc.ice.ibmcloud.com/v2.0/factors/emailotp/504a8fab-95d9-44d4-b4af-6a1c143b6031/verifications
Authorization: Bearer lkXMx3tHQjWSalhNmtWIrloMHQOue1ntchRymytL
{"correlation":""}

These calls are made with the mfa_challenge access token. Out-of-band enrollment of the factor is a prerequisite for this flow.

The initiation response is as follows.
{
  "id": "d6b3b425-62a3-42e8-bf09-4f15f751c232",
  "userId": "60100041I3",
  "type": "emailotp",
  "created": "2020-07-01T04:00:56.384Z",
  "updated": "2020-07-01T04:00:56.384Z",
  "expiry": "2020-07-01T04:05:56.384Z",
  "state": "PENDING",
  "correlation": "9556",
  "emailAddress": "scott@acme.org"
}

Email OTP: factor completion

POST https://securitypoc.ice.ibmcloud.com/v2.0/factors/emailotp/504a8fab-95d9-44d4-b4af-6a1c143b6031/verifications/d6b3b425-62a3-42e8-bf09-4f15f751c232?returnJwt=true
Authorization: Bearer lkXMx3tHQjWSalhNmtWIrloMHQOue1ntchRymytL

{"otp":"313375"}

The call to the verification endpoint includes the returnJwt parameter, which requests the signed assertion in the response.

The factor completion response is as follows.
{
  "assertion": "eyJhbGciOiJSUzI1NiIsImtpZCI6InNlcnZlciJ9.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.J9_Omrs8vlTz9bgGWVI0T4AssoMP0UFNoDZ_4d93NEELq_kE1qoXw0Ao8_1QMyyYPRhtnCxtpF5NrD7s4yIzU-WnOkV2qXHfVX5nZPJnPOdP3YOOfUiA0sBTqxlAWr_lePaZuMjseKXpB0YP9ntOqo9T0woQ9MUY6B1gPrRbnX9Zzx64RzA3GgUD3_IhgghIcwxYuSZEKzf8PejG-oh70jSE5gkPK8JiEbvc2lVP7tQgdTCdbjRFybST5B57RTdU1X85uQ7fjO4ggxLcYljHPBfOkSgwCBnq6BXwcVo8o4w6XPYQgRnjDFyJJTf7EwLMaoEwjDiGO4wHXmATgitMng"
}

MFA: Provide the JWT back to /token

POST https://securitypoc.ice.ibmcloud.com/v1.0/endpoint/default/token

client_id=1a4310d4-0118-4511-9082-39669ccdcad6&
client_secret=cmVkYWN0ZWQ&
scope=openid&
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&
context=eyJzZXNzaW9uSWQiOiAic29tZVNlc3Npb24xMjMiLCAidXNlckFnZW50OiI6ICJzb21lX3VzZXJfYWdlbnQiLCAiaXBBZGRyZXNzIjogIjE5Mi4xNjguMS4xIn0&
assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6InNlcnZlciJ9.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.J9_Omrs8vlTz9bgGWVI0T4AssoMP0UFNoDZ_4d93NEELq_kE1qoXw0Ao8_1QMyyYPRhtnCxtpF5NrD7s4yIzU-WnOkV2qXHfVX5nZPJnPOdP3YOOfUiA0sBTqxlAWr_lePaZuMjseKXpB0YP9ntOqo9T0woQ9MUY6B1gPrRbnX9Zzx64RzA3GgUD3_IhgghIcwxYuSZEKzf8PejG-oh70jSE5gkPK8JiEbvc2lVP7tQgdTCdbjRFybST5B57RTdU1X85uQ7fjO4ggxLcYljHPBfOkSgwCBnq6BXwcVo8o4w6XPYQgRnjDFyJJTf7EwLMaoEwjDiGO4wHXmATgitMng

The context parameter is passed unchanged.

Because MFA is now complete and all access policy rules are satisfied, the /token response is as follows.
{
  "access_token": "wHl8vG85BD30PQn6xewyp63zmF8zkJFb9Z56Ma6s",
  "refresh_token": "FIsrk6n6QCNEQ2e4e6VNUFUmN9fwzwtauCcTjK26Jlt16mSqvw",
  "scope": "openid",
  "grant_id": "c14c63c1-6431-4c8f-a8fe-c939aff01744",
  "id_token": "ey...",
  "token_type": "Bearer",
  "expires_in": 7199
}
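The three calls above chained into one client, as an added example that is not IBM's code or the page's own: the transport is a constructed fake that records each request and replays responses shaped like the ones shown, so it runs offline; the mfa_challenge token, the OTP, the client credentials and the context value are placeholders supplied by the caller, and the stub JWT reuses only the header segment shown on the page.

```python
import json
from urllib.parse import urlencode, urlparse

BASE = "https://securitypoc.ice.ibmcloud.com"  # tenant host shown on the page
JSON = {"Content-Type": "application/json"}

def initiate_email_otp(http, mfa_token, factor_id):
    """Step 1: start the email OTP factor with the mfa_challenge access token."""
    url = f"{BASE}/v2.0/factors/emailotp/{factor_id}/verifications"
    resp = http("POST", url, {"Authorization": f"Bearer {mfa_token}", **JSON},
                json.dumps({"correlation": ""}))
    if resp.get("type") != "emailotp" or resp.get("state") != "PENDING":
        raise RuntimeError(f"unexpected initiation response: {resp}")
    return resp  # show resp["correlation"] to the user so they can match it to the email

def complete_email_otp(http, mfa_token, factor_id, verification_id, otp):
    """Step 2: submit the OTP; returnJwt=true asks Verify for the signed assertion."""
    url = f"{BASE}/v2.0/factors/emailotp/{factor_id}/verifications/{verification_id}?returnJwt=true"
    resp = http("POST", url, {"Authorization": f"Bearer {mfa_token}", **JSON},
                json.dumps({"otp": otp}))
    assertion = resp.get("assertion", "")
    if assertion.count(".") != 2:  # compact JWS is header.payload.signature
        raise RuntimeError("factor completion did not return a JWT assertion")
    return assertion

def exchange_assertion(http, client_id, client_secret, assertion, context):
    """Step 3: jwt-bearer grant at /token; the context value is forwarded unchanged."""
    form = {"client_id": client_id, "client_secret": client_secret, "scope": "openid",
            "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "context": context, "assertion": assertion}
    return http("POST", f"{BASE}/v1.0/endpoint/default/token",
                {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(form))

def run_flow(http, mfa_token, factor_id, otp, client_id, client_secret, context):
    start = initiate_email_otp(http, mfa_token, factor_id)
    assertion = complete_email_otp(http, mfa_token, factor_id, start["id"], otp)
    return exchange_assertion(http, client_id, client_secret, assertion, context)

class FakeVerify:
    """Constructed offline stand-in for the tenant: records requests, replays page-style responses."""
    def __init__(self): self.calls = []
    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        path = urlparse(url).path
        if path.endswith("/verifications"):
            return {"id": "d6b3b425-62a3-42e8-bf09-4f15f751c232", "type": "emailotp", "state": "PENDING", "correlation": "9556"}
        if "/verifications/" in path:  # constructed stub JWT: page's header segment, dummy payload/signature
            return {"assertion": "eyJhbGciOiJSUzI1NiIsImtpZCI6InNlcnZlciJ9.e30.c2ln"}
        return {"access_token": "wHl8vG85BD30PQn6xewyp63zmF8zkJFb9Z56Ma6s", "token_type": "Bearer", "expires_in": 7199}
```

Replace FakeVerify with a real HTTP transport of the same (method, url, headers, body) shape to run against a tenant.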