Configure MFA based on advanced conditions in Asgardeo using WSO2 Choreo

Chanika Ruchini
9 min read · Sep 30, 2023


Asgardeo is a SaaS-based customer identity and access management (CIAM) solution that supports MFA with conditional authentication. With conditional authentication, the login flow of an application depends on the risk factors associated with the user's login request, which lets you strengthen the authentication flow when the risk is higher.

Choreo is a digital innovation platform that lets you develop, deploy, and manage cloud-native applications at scale. With the callChoreo conditional authentication function, you can adapt your application's login flow based on data returned by an API hosted on WSO2 Choreo.

The Choreo integration with Asgardeo targets two personas: identity developers who are less experienced with integration, and integration developers who are less experienced with identity. Because Choreo provides the infrastructure and tooling enterprises need for cloud-native engineering, identity developers can focus on building, testing and deploying the APIs and services their login flows need. Conversely, integration developers get complex authentication policies packaged as script-based templates, without needing deep identity expertise.

Consider a scenario where the login flow of the application should be stepped up after an API call to a service endpoint hosted on Choreo. The API call should be executed after the first authentication step is successfully completed. The second authentication step should be prompted based on the decision made by the service during the API call.

Let's consider an API hosted on Choreo that reads an IP address from the request body. The API obtains geolocation information for that IP address, assesses the risk of the login attempt, and reports the result in the "hasRisk" field of the response. If "hasRisk" is true, the login flow should prompt the second authentication step.

Design the REST API

You need to implement your REST API in Ballerina or any other language and containerize it. You can use the Ballerina VS Code extension to develop the REST API in Ballerina.

This repository contains the API implementation for the scenario described above.
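As an added example (not the page's code and not the implementation in the repository the post refers to), here is a Node.js version of such a risk API. The route name (/risk), the allowed-country list and the geolocation table are assumptions; a real service would query a GeoIP database instead of the constructed table, which only uses RFC 5737 documentation address ranges. The decision logic fails closed: a missing, malformed or unlocatable address is reported as risky, so the Asgardeo script steps up instead of silently skipping MFA.

```javascript
// Risk API for the Asgardeo step-up scenario. Added example: the route,
// the geolocation table and the allowed countries are assumptions.

// Constructed lookup table (CIDR -> ISO country code) standing in for a GeoIP
// database. The ranges are RFC 5737 documentation prefixes, so nothing here
// describes real hosts.
const GEO_TABLE = [
  { cidr: "203.0.113.0/24", country: "LK" },
  { cidr: "198.51.100.0/24", country: "US" },
  { cidr: "192.0.2.0/24", country: "DE" },
];
// Assumption: logins from these countries are considered low risk.
const ALLOWED_COUNTRIES = new Set(["LK", "US"]);

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer, or null.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip).trim());
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ipInt falls inside the CIDR block.
function inCidr(ipInt, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const baseInt = ipv4ToInt(base);
  if (baseInt === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  if (bits === 0) return true; // "<< 32" would wrap, so handle /0 explicitly
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Country for an IP, or null when no block matches.
function lookupCountry(ip) {
  const ipInt = ipv4ToInt(ip);
  if (ipInt === null) return null;
  const hit = GEO_TABLE.find((entry) => inCidr(ipInt, entry.cidr));
  return hit ? hit.country : null;
}

// Decision logic. Fails closed: a missing, malformed or unlocatable address is
// reported as risky, so the login script steps up rather than skipping MFA.
function assessRisk(body) {
  const ip = body && body.ip;
  if (typeof ip !== "string" || ipv4ToInt(ip) === null) {
    return { hasRisk: true, reason: "invalid_ip" };
  }
  const country = lookupCountry(ip);
  if (country === null) return { hasRisk: true, reason: "unknown_location" };
  return { hasRisk: !ALLOWED_COUNTRIES.has(country), country };
}

// Transport-independent request handler: returns {status, body} for a
// method/path/raw-body triple, which keeps it testable without a socket.
function handle(method, path, rawBody) {
  if (method !== "POST" || path !== "/risk") {
    return { status: 404, body: { error: "not_found" } };
  }
  let parsed;
  try {
    parsed = JSON.parse(rawBody || "");
  } catch (e) {
    // Unparsable JSON gets a 4xx, which callChoreo reports through onFail.
    return { status: 400, body: { hasRisk: true, reason: "invalid_json" } };
  }
  return { status: 200, body: assessRisk(parsed) };
}

// HTTP wiring. require() is resolved lazily so the decision logic above can be
// loaded and unit-tested without opening a port.
function createServer() {
  const http = require("node:http");
  return http.createServer((req, res) => {
    let raw = "";
    req.on("data", (chunk) => { raw += chunk; });
    req.on("end", () => {
      const { status, body } = handle(req.method, req.url, raw);
      res.writeHead(status, { "Content-Type": "application/json" });
      res.end(JSON.stringify(body));
    });
  });
}

// Only listen when a port is given, so importing the file has no side effects.
if (process.env.RISK_API_PORT) {
  createServer().listen(Number(process.env.RISK_API_PORT));
}
```

Start it with RISK_API_PORT=8090 node risk-api.js and POST {"ip": "203.0.113.7"} to /risk; the response is the JSON object assessRisk returns. Keeping the decision in assessRisk, separate from the HTTP layer, is what makes the fail-closed cases (bad IP, unknown location, bad JSON) easy to cover with unit tests before the service is containerized for Choreo.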

Integrate the REST API with Choreo

1. Create an application on WSO2 Choreo to integrate your REST API with your Asgardeo app.

To create an application in the Choreo Developer Portal, follow the steps given below:

Step 1: Create an application

  1. Sign in to the Choreo Developer Portal.
  2. Click Applications, and then click + Create.
  3. Enter a name and description for the application.
  4. Click Create.

Step 2: Generate keys

Choreo provides an OAuth 2.0 bearer token-based authentication for API access. Once you create an application in Choreo, you can generate credentials for it. When you generate credentials for the first time, Choreo provides a consumer key and consumer secret for the application. The consumer key becomes the unique identifier of the application and is used to authenticate the application. You can generate keys and tokens to invoke production and non-production endpoints separately.

  1. In the Choreo Developer Portal header, click Applications.
  2. On the My Applications page, click on the application for which you want to generate keys and tokens.
  3. In the left navigation menu, click the required environment under Credentials. This opens the Application Keys pane of the specific environment.
  4. Click to expand Advanced Configurations and review the options.
  • Grant Types: Select the grant types to use when generating the access token. The login script in this guide authenticates to the API with the consumer key and secret alone, with no user involved, so a machine-to-machine grant (Client Credentials) must be among them.
  • Public Client: Select Allow authentication without the client secret if your application can be considered as a public client such as an application running on a browser or mobile device.
  • PKCE for enhanced security: Select Mandatory if you want the application to send a code challenge in the authorization request and the corresponding code verifier in the token request. Both the SHA-256 and plain challenge methods are supported; prefer SHA-256, since a plain challenge is the verifier itself and gives no protection if the authorization request is observed.
  • Application access token expiry time: Specify the access token expiry time in seconds.
  • Refresh token expiry time: Specify the refresh token expiry time in seconds.
  • ID token expiry time: Specify the ID token expiry time in seconds.

  5. Click Generate Credentials. This opens the Application Keys pane with values populated for the credentials. Treat the consumer secret like a password: it is the credential the Asgardeo script will present when calling your API.

2. Create a REST API component on Choreo.

Step 2.1: Create a mono repository project

  1. Go to https://console.choreo.dev/ and sign in. This opens the organization home page.
  2. On the organization home page, click + Create Project.
  3. Enter a unique name and description for the project.
  4. Select Mono Repository.
  5. Click Next.
  6. To allow Choreo to connect to your GitHub account, click Authorize with GitHub.
  7. If you have not already connected your GitHub repository to Choreo, enter your GitHub credentials and select the repository that contains your API (for example, a fork of https://github.com/wso2/choreo-samples) to install the Choreo GitHub App.
  8. In the Connect Repository pane, enter the repository details.
  9. Click Next. This scans the repository branch you connected and displays the components that are already available in it.

Step 2.2: Configure the sample service and publish it as a REST API

  1. In the Import Component Code pane, click Configure corresponding to the component.
  2. In the Component Configuration dialog, specify the values for each of the fields.
  3. Click Save. You will see that the status of the component has changed to Configured and the checkbox to select the component is enabled.
  4. Select the component and click Create. This creates a mono repository project, initializes the service with the implementation from your GitHub repository, and takes you to the project home page.
  5. You can see your component listed under Component Listing on the project home page.

3. Deploy the service

For the REST endpoint of the service to be invokable, you need to deploy it. To deploy the service, follow the steps given below:

  1. In the left navigation menu, click Build and then build the project.
  2. Then go to the Deploy section.
  3. In the Endpoint Details pane that opens, you can see your service endpoint ready to be deployed. Click the edit icon next to the endpoint.
  4. Change the Network Visibility to Public. This exposes the endpoint through the Choreo API gateway so it can be consumed from outside the project; callers still need a valid access token for a subscribed application, so the endpoint is not anonymous.
  5. Click Update.

4. Configure the API settings

In the left navigation menu, click Manage and then click Settings.

  1. Under API Settings, click Edit.
  2. Click the CORS Configuration toggle to enable the setting.
  3. To allow cross-origin calls to send credentials, select the Access Control Allow Credentials checkbox. This only matters for browser-based clients that call the API directly; the Asgardeo script calls it server-side.
  4. To allow passing the JWT to the backend service, enable the Pass Security Context To Backend toggle.
  5. Under API Settings, click Save.
  6. In the Apply to Development pane that opens, enter a meaningful message and click Apply.

5. Publish the service endpoint as a REST API

To publish the REST endpoint and make it available for web applications to consume, follow the steps given below:

  1. In the left navigation menu, click Manage and then click Lifecycle.
  2. In the Lifecycle Management pane, click Publish. This publishes the REST API to the Developer Portal so that external applications can subscribe to the API.
  3. To open the REST API in the Developer Portal via the Lifecycle Management pane, click Go to Devportal.
  4. Your REST API then opens in the Developer Portal.

6. Subscribe the application you created on Choreo to the REST API.

You must subscribe to a published API to use it in your application.

Once the Choreo application is subscribed, its consumer key and secret are valid for the REST API. Asgardeo connects with those credentials and invokes the API from the login script.

To subscribe to an API via an application, follow the steps given below:

  1. Sign in to the Choreo Developer Portal.
  2. In the Developer Portal header, click Applications.
  3. On the My Applications page, click on the application with which you want to subscribe to an API.
  4. In the left navigation menu, click Subscriptions.
  5. In the Subscription Management pane that opens, click + Add APIs.
  6. Click Add to subscribe to an API. Depending on your requirement, you can subscribe to one or more APIs.

Configure the login flow in Asgardeo

Follow the steps given below.

  1. On the Asgardeo Console, click Applications.
  2. Select the relevant application and go to its Sign-in Method tab.
  3. Add MFA based on advanced conditions using your preferred editor:

Using the Classic Editor

To add MFA based on advanced conditions using the classic editor:

  • Click Add TOTP as a second factor to define the login flow, starting with username and password and stepping up with TOTP.
  • Turn on Conditional Authentication by switching the toggle.

Using the Visual Editor

To add MFA based on advanced conditions using the visual editor:

  • Switch to the Visual Editor tab and go to Predefined Flows > Basic Flows > Add Multi-factor login.
  • Select Username + Password -> TOTP and click Confirm.
  • Expand the Script Editor to add the script for MFA based on advanced conditions using Choreo.

4. Add the following authentication script.

var connectionMetadata = {
    "url": "<Choreo API URL>",
    "consumerKey": "<Consumer key of the Choreo application>",
    "consumerSecret": "<Consumer secret of the Choreo application>",
    "asgardeoTokenEndpoint": "<Token endpoint of the tenant in Asgardeo>"
};

var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function(context) {
            // Set the IP address of the authentication request as the body of the API call.
            var requestPayload = {
                "ip": context.request.ip
            };
            Log.info("Calling the API hosted in Choreo!");
            callChoreo(connectionMetadata, requestPayload, {
                onSuccess: function(context, data) {
                    Log.info('Received risk:' + data.hasRisk);
                    if (data.hasRisk === true) {
                        // Prompt the second authentication factor if hasRisk is true.
                        // Any other successful response (including one without hasRisk)
                        // lets the login complete after the first factor.
                        executeStep(2);
                    }
                },
                onFail: function(context, data) {
                    // The API returned an error: fail closed and require the second factor.
                    Log.info('Failed to call Choreo API. Stepping up authentication by default.');
                    executeStep(2);
                },
                onTimeout: function(context, data) {
                    // The API did not answer in time: fail closed as well.
                    Log.info('Call to Choreo API timed out. Stepping up authentication by default.');
                    executeStep(2);
                }
            });
        }
    });
};

5. Update the following parameters in the script.

  • url: The URL of the Choreo API.
  • consumerKey: The consumer key of the Choreo application.
  • consumerSecret: The consumer secret of the Choreo application.
  • asgardeoTokenEndpoint: Token endpoint of the organization in Asgardeo. For example: https://api.asgardeo.io/t/{org_name}/oauth2/token

The consumer secret is a live credential for your API, so restrict who can view or edit the sign-in method of this application in Asgardeo, and rotate the Choreo credentials if the script is ever exposed.

6. Click Update to save the configurations.
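The script steps up on an API error or timeout, but its success branch only steps up when hasRisk is exactly true, so a successful response with a missing or malformed body (for example, a misdeployed service that answers with an empty JSON object) lets the login finish with a single factor. The following added example, which is not part of the page and not Asgardeo code, replays the decision logic offline with stub versions of executeStep, callChoreo and Log (assumption: the stubs mirror only the call shapes used in the script, not Asgardeo's runtime) and contrasts the page's policy with a hardened one that steps up unless the API explicitly returns hasRisk: false.

```javascript
// Offline harness for the step-up decision. Added example; executeStep,
// callChoreo and Log below are stubs, not Asgardeo's script runtime.

// Policy as written in the script on this page: step up only on an explicit true.
function pagePolicy(data) {
  return Boolean(data && data.hasRisk === true);
}

// Hardened policy: step up unless the API explicitly cleared the login.
function hardenedPolicy(data) {
  return !(data && data.hasRisk === false);
}

// Simulate one login. apiOutcome is a constructed stand-in for what callChoreo
// would report: { kind: "success" | "fail" | "timeout", data }.
// Returns the list of authentication steps that were executed, in order.
function runLoginFlow(apiOutcome, policy) {
  const stepsExecuted = [];
  const Log = { info: () => {} }; // stub: Asgardeo's Log.info writes to the diagnostic log
  // Stub: records the step and, for step 1, reports success with a constructed context.
  const executeStep = (n, handlers) => {
    stepsExecuted.push(n);
    if (handlers && handlers.onSuccess) {
      handlers.onSuccess({ request: { ip: "203.0.113.7" } }); // constructed client IP
    }
  };
  // Stub: dispatches to the handler matching the outcome, as callChoreo would.
  const callChoreo = (meta, payload, handlers) => {
    const ctx = {};
    if (apiOutcome.kind === "success") handlers.onSuccess(ctx, apiOutcome.data);
    else if (apiOutcome.kind === "timeout") handlers.onTimeout(ctx, apiOutcome.data);
    else handlers.onFail(ctx, apiOutcome.data);
  };

  // Same shape as the page's onLoginRequest, with the risk policy factored out.
  const onLoginRequest = function (context) {
    executeStep(1, {
      onSuccess: function (context) {
        const requestPayload = { ip: context.request.ip };
        Log.info("Calling the API hosted in Choreo!");
        callChoreo({}, requestPayload, {
          onSuccess: function (context, data) { if (policy(data)) executeStep(2); },
          onFail: function () { executeStep(2); },
          onTimeout: function () { executeStep(2); },
        });
      },
    });
  };
  onLoginRequest({});
  return stepsExecuted;
}

// Constructed API outcomes covering the normal and the failure cases.
const CASES = {
  lowRisk: { kind: "success", data: { hasRisk: false } },
  highRisk: { kind: "success", data: { hasRisk: true } },
  emptyBody: { kind: "success", data: {} },
  stringTrue: { kind: "success", data: { hasRisk: "true" } },
  apiError: { kind: "fail", data: { status: 500 } },
  timeout: { kind: "timeout", data: null },
};

// For each case, whether the login ended in MFA under each policy.
function stepUpMatrix() {
  const matrix = {};
  for (const [name, outcome] of Object.entries(CASES)) {
    matrix[name] = {
      page: runLoginFlow(outcome, pagePolicy).includes(2),
      hardened: runLoginFlow(outcome, hardenedPolicy).includes(2),
    };
  }
  return matrix;
}
```

Running stepUpMatrix() shows the two policies agree on the low-risk, high-risk, error and timeout cases and differ only on emptyBody and stringTrue, where the page's policy completes the login with one factor. If you adopt the hardened policy, make sure the API genuinely returns the boolean false for clean logins, or every user will be stepped up.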

Try it out

Follow the steps given below.

  1. Access the application URL.
  2. Try to log in from an IP address within the allowed geolocation. You will successfully log in to the application.
  3. Log out of the application.
  4. Log in from an IP address outside the allowed geolocation. TOTP authentication is prompted.

Thank you for reading!

References

  1. https://wso2.com/asgardeo/docs/guides/authentication/conditional-auth/add-authentications-based-on-api-calls/
  2. https://wso2.com/choreo/docs/quick-start-guides/build-your-first-cloud-native-application-with-choreo/#step-1-create
