WSO2 Identity Server 5.10.0 - Unable to achieve EmailOTP based MFA

Question

I have enabled EmailOTP Identity Provider, using WSO2 Identity Server as Email Provider.

In my Service PRovider, I have enabled EmailOTP as the second step of Authentication.

Angular UI application is my front end, when I provide username/password on the login page (user OpenId Connect), the authorization code is getting generated, but the second step is not being invoked, i.e., OTP page is not being displayed and Email is not being sent to the recipient with OTP.

I have followed the steps mentioned here, except making Gmail as Identity Provider.

OpenIdConnect Configuration:

Local and Outbound Authentication Configuration:

EmailOTP IDP Configuration (did not use Gmail or SendGrid):

EMail Adapter and Authenticator Configuration:

[output_adapter.email]
from_address= "sender@domain.com"
username= "username@domain.com"
password= "password"
hostname= "smpt.hostname"
port= 25
enable_start_tls= false
enable_authentication= true

[authentication.authenticator.basic.parameters]
showAuthFailureReason = true

[authentication.authenticator.email_otp]
name ="EmailOTP"
enable=true

[authentication.authenticator.email_otp.parameters]
EMAILOTPAuthenticationEndpointURL = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotp.jsp"
EmailOTPAuthenticationEndpointErrorPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotpError.jsp"
EmailAddressRequestPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailAddress.jsp"
usecase = "local"
secondaryUserstore = "primary"
EMAILOTPMandatory = false
sendOTPToFederatedEmailAttribute = false
federatedEmailAttributeKey = "email"
EmailOTPEnableByUserClaim = true
CaptureAndUpdateEmailAddress = true
showEmailAddressInUI = true
useEventHandlerBasedEmailSender = true

Script based authentication Configuration:

var onLoginRequest = function(context) {
    executeStep(1);
    executeStep(2);
};

OpenId Connect Configuration.

https://is.docs.wso2.com/en/5.10.0/learn/configuring-email-otp/#configuring-email-otp

Endpoint details:

https://localhost:5004/oauth2/authorize?response_type=code&scope=openid&redirect_uri=http://localhost&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256&sectoken=<sec_token>

Tenant Domain Error:

The tenant domain user is being treated as a user of carbon.super domain.

TID: [-1234] [] [2021-02-01 17:13:47,683] [85d31877-3090-4139-9efb-d40f85c2e2eb] DEBUG {org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator}
    - OTP Expiration Time not specified default value will be used
 TID: [-1234] [] [2021-02-01 17:13:47,684] [85d31877-3090-4139-9efb-d40f85c2e2eb] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
    - Exception in Authentication Framework java.lang.NullPointerException
                at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.publishAuthenticationStepAttempt(AbstractApplicationAuthenticator.java:170)
                at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:94)
                at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.process(EmailOTPAuthenticator.java:139)
                at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:506)
                at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:480)
                at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:179)
                at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:185) er} - 
Error occurred while getting claims for user: tanoj123@carbon.super from userstore. org.wso2.carbon.user.core.UserStoreException: 30007 - UserNotFound: 
User tanoj123 does not exist in: PRIMARY
            at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:205)
            at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserClaimValues(AbstractUserStoreManager.java:1758)
            at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInLocalDialect(DefaultOIDCClaimsCallbackHandler.java:466)
            at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:420)
            at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.retrieveClaimsForLocalUser(DefaultOIDCClaimsCallbackHandler.java:296)
            at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:146)
            at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.handleCustomClaims(DefaultOIDCClaimsCallbackHandler.java:85)
            at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims_aroundBody4(APIMJWTGenerator.java:166)
            at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims(APIMJWTGenerator.java:156)
            at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody_aroundBody2(APIMJWTGenerator.java:95)
            at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody(APIMJWTGenerator.java:92)
            at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT_aroundBody0(APIMJWTGenerator.java:69)
            at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT(APIMJWTGenerator.java:60)
            at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken_aroundBody4(APIMTokenIssuerUtil.java:210)
            at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken(APIMTokenIssuerUtil.java:173)
            at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken_aroundBody0(APIMTokenIssuer.java:102)
            at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken(APIMTokenIssuer.java:51)
            at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.getNewAccessToken(AbstractAuthorizationGrantHandler.java:491)
            at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.createNewTokenBean(AbstractAuthorizationGrantHandler.java:390)
            at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.generateNewAccessToken(AbstractAuthorizationGrantHandler.java:344)

Answer 1

In the shared logs, the following line can be observed.

BasicAuthRequestPathAuthenticator can handle the request

It means canHandle() method of the BasicAuthRequestPathAuthenticator has returned true since sectoken query parameter is defined. Then, the request path authentication has taken place.

BasicAuth RequestPathAuthentication does not support MFA and it is like the password grant. The user gets authenticated by just validating the passed credentials.

If your goal is to have the login page on your client application (Angular SPA), you can pass the username and password as two different parameters (POST OR GET; POST is recommended since the password will not be passed in the URL) in the oauth2/authorize request and get into the default basic authenticator instead of the RequestPathAuthenticator. Then MFA will work as expected.