Customizing CAS MFA with Google Authenticator to send TOTP via External API


Irfan Kamil

Oct 3, 2024, 12:58:44 AM
to CAS Community
Hello CAS community,

I'm new to CAS, Spring Webflow, and Spring Boot, and I'm trying to implement a custom Multi-Factor Authentication (MFA) method using Google Authenticator (gauth) with JPA. My goal is to customize the webflow so that when the verification page opens, it calls an API with the user's parameters to send the TOTP code to their WhatsApp message instead of displaying it in the Google Authenticator app.

Specifically, I need help with:

1. Automatically generating the user's device secret upon login if it doesn't exist yet.
2. Implementing a custom action that generates a TOTP code and sends it via the WhatsApp API.
3. Customizing the webflow to include an API call before the verification page is displayed.
4. Integrating this custom action into the existing Google Authenticator flow.

Can someone provide a step-by-step guide or point me to relevant documentation on how to achieve this? Any code examples or configuration snippets would be greatly appreciated.

Thank you in advance for your help!

Ray Bon

Oct 3, 2024, 6:09:05 PM
to cas-...@apereo.org
Irfan,

Check this blog, https://fawnoos.com/blog/
Also the developer section of the docs https://apereo.github.io/cas

It sounds like you are trying to turn WhatsApp into an authenticator app. Instead of co-opting Google Authenticator, you may be able to build it parallel to GA. See https://apereo.github.io/cas/7.1.x/mfa/Configuring-Multifactor-Authentication.html#supported-providers and note the custom option in the list.

Ray

On Wed, 2024-10-02 at 21:08 -0700, Irfan Kamil wrote:

Irfan Kamil

Oct 3, 2024, 11:33:11 PM
to CAS Community, Ray Bon
Yes, I'm trying to implement WhatsApp as an MFA method for CAS. I've reviewed the documentation on custom providers, but I find it somewhat limited and unclear for my needs.

I would greatly appreciate assistance with the following:

1. Could you provide a step-by-step guide on how to implement this custom MFA method?
2. Are there any working examples of sending OTP externally that I could use as a reference?
3. The official documentation seems limited on this topic. Are there any additional guides or resources you could recommend?

Thank you for your help!

Y G

Oct 7, 2024, 11:35:40 AM
to CAS Community, Irfan Kamil, Ray Bon
Hello,

I did not find time to learn how to code a custom MFA, but I did do a PoC about integration with WhatsApp for OTP sending; hope it helps you.

Using Simple MFA, you can customize your client communication strategy (https://apereo.github.io/cas/7.0.x/mfa/Simple-Multifactor-Authentication-Communication.html) to send the codes however you want. I did proof-of-concept work a while ago on using WP, and the easiest solution for me was these steps:

1. On your member profile page, add a checkbox (or something) to get permission from the user to send via WhatsApp (because WhatsApp requires you to do this).
2. Configure and use the default authentication handler or write a custom one, but remember to include the user's choice in your credential attributes list.
3. You can make a customized communication strategy, like: if the user has accepted/selected, send the OTP via WP, else send it via SMS. See the docs (https://apereo.github.io/cas/7.0.x/mfa/Simple-Multifactor-Authentication-Communication.html); I used v6.6.x, so I read this (https://yusufgunduz.tr/cas/6.6.x/notifications/Sending-Email-Configuration.html#custom).
4. Get yourself a Facebook business account, create an app (https://developers.facebook.com/apps) and add WhatsApp usage. You can use a demo account and add 5 phone numbers (you need to add them first) to send/test, and remember to generate an API key/client.
5. Select a template from the WhatsApp Business API template selection (https://business.facebook.com/latest/whatsapp_manager/message_templates) and wait for it to be activated (took 24 hours for my demo account).
6. Use that API to send your OTP to your user (for demo accounts, you need to register your number). Example OTP request:

POST https://graph.facebook.com/v20.0/<WP-BUSINESS-ACCOUNT-ID>/messages
Headers: Authorization: Bearer <API_KEY> // get your Access token (https://developers.facebook.com/apps under WhatsApp -> API Setup menu) and put it here

{
    "messaging_product": "whatsapp",
    "to": "<USER_PHONE>",
    "type": "template",
    "template": {
        "name": "<TEMPLATE-NAME>", // use a template from the Authentication category, remember the placeholder names
        "language": {
            "code": "tr" // be careful and check language options of your selected templates
        },
        "components": [
            {
                "type": "body",
                "parameters": [
                    {
                        "type": "text",
                        "text": "01234565" // message body OTP value placeholder value
                    }
                ]
            },
            {
                "type": "button", // i chose "copy button" instead of "zero tap" on template setting so i add this for the copy button to work
                "sub_type": "url",
                "index": "0",
                "parameters": [
                    {
                        "type": "text",
                        "text": "01234565" // Copy Value button's placeholder value
                    }
                ]
            }
        ]
    }
}

7. This API just returns 200 for the request, so configure and use the webhooks to store and verify the WP OTP message statuses (sent, read, etc. updates for your OTP code message)...


On Friday, October 4, 2024 at 06:33:11 UTC+3, Irfan Kamil wrote:
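The sending side of the steps above (generate a code, POST the template message quoted in the post, keep only a hash of the code locally, then verify the user's reply and record the webhook status), as an added example in Python; it is not CAS code and not the poster's PoC. The CAS wiring of a custom communication strategy bean is left to the linked docs. Assumptions: the Graph API path, headers and request body are exactly the ones quoted in the post; the response field `messages[0].id` and the webhook layout `entry[].changes[].value.statuses[].{id,status}` are assumptions about the WhatsApp Cloud API, and `transport` is a hypothetical hook so the request can be stubbed offline.

```python
"""Send a Simple MFA one-time code as a WhatsApp template message and verify it.
Added example, not CAS or project code. Endpoint/body follow the thread; the
response and webhook field names are assumptions about the Cloud API."""
import hashlib
import hmac
import json
import secrets
import time
import urllib.request

GRAPH_BASE = "https://graph.facebook.com/v20.0"  # API version quoted in the post


def generate_otp(digits: int = 8) -> str:
    """Cryptographically random numeric code, zero-padded to the template width."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def build_template_request(to_phone: str, template_name: str, language_code: str, otp: str) -> dict:
    """Body in the shape quoted in the post: the OTP fills the body placeholder and
    the 'copy code' URL button placeholder (index 0) of an Authentication template."""
    return {
        "messaging_product": "whatsapp",
        "to": to_phone,
        "type": "template",
        "template": {
            "name": template_name,
            "language": {"code": language_code},
            "components": [
                {"type": "body", "parameters": [{"type": "text", "text": otp}]},
                {"type": "button", "sub_type": "url", "index": "0",
                 "parameters": [{"type": "text", "text": otp}]},
            ],
        },
    }


def mask_phone(phone: str) -> str:
    """Only the last two digits are safe to put in application logs."""
    return "*" * max(len(phone) - 2, 0) + phone[-2:]


def _urllib_transport(url: str, headers: dict, body: bytes) -> dict:
    """Default network hook (hypothetical name); replaced by a stub in tests."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def send_otp(business_id: str, api_key: str, to_phone: str, template_name: str,
             language_code: str, otp: str, transport=_urllib_transport) -> str:
    """POST the template message; returns the message id used to correlate webhooks.
    The API only acknowledges the request; delivery arrives later via webhook."""
    url = f"{GRAPH_BASE}/{business_id}/messages"
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    body = json.dumps(build_template_request(to_phone, template_name, language_code, otp)).encode()
    reply = transport(url, headers, body)
    return reply["messages"][0]["id"]  # assumed response layout


class OtpStore:
    """Keeps a salted hash of each outstanding code plus expiry and message id,
    so a dump of this state does not leak usable codes. Codes are single-use:
    any verification attempt consumes the entry, which also blocks guessing."""

    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self.ttl, self.clock = ttl_seconds, clock
        self._pending: dict = {}   # user -> (salt, digest, expires_at, message_id)
        self.delivery: dict = {}   # message_id -> last webhook status

    @staticmethod
    def _digest(salt: bytes, otp: str) -> bytes:
        return hashlib.sha256(salt + otp.encode()).digest()

    def issue(self, user: str, otp: str, message_id: str) -> None:
        salt = secrets.token_bytes(16)
        self._pending[user] = (salt, self._digest(salt, otp), self.clock() + self.ttl, message_id)

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        salt, digest, expires_at, _ = entry
        if self.clock() > expires_at:
            return False
        return hmac.compare_digest(digest, self._digest(salt, submitted))

    def record_webhook(self, payload: dict) -> dict:
        """Assumed status webhook layout: entry[].changes[].value.statuses[].{id,status}."""
        for entry in payload.get("entry", []):
            for change in entry.get("changes", []):
                for status in change.get("value", {}).get("statuses", []):
                    self.delivery[status["id"]] = status["status"]
        return self.delivery
```

Note that the store never holds the plaintext code after sending, the phone number is masked before logging, and a wrong guess discards the outstanding code so the user must request a new one; the webhook map is what step 7 asks for, since the 200 from the send call says nothing about delivery.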