Created
January 8, 2013 19:18
-
-
Save joesavak/4487004 to your computer and use it in GitHub Desktop.
mfa contract
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ======================================================== | |
| ======================================================== | |
| -- V2.0 OS-MF Multi Factor Extension | |
| ======================================================== | |
| XML | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <auth xmlns:os-mf="http://docs.openstack.org/identity/api/ext/OS-MF/v1.0"> | |
| <token id="abcdefghijklmnop"/> | |
| <OS-MF:multifactor factor="PASSCODE" code="124398" > | |
| </auth> | |
| JSON | |
| {"auth":{ | |
| "token":{"id":"abcdefghijklmnop"} | |
| "OS-MF:multifactor":{ | |
| "factor":"PASSCODE", | |
| "code":"124398" | |
| } | |
| } | |
| } | |
| ======================================================== | |
| ======================================================== | |
| Upon normal authentication in which a user is required to perform multi-factor authentication, the user will be presented with a 401 response code with a challenge or multiple challenges in the response headers. The WWW-Authenticate header will contian an authentication scheme of OS-MF and the available "factors" in which one could perform additional authentication. Along with the factor types and scheme definition, a token will be provided to be used in the authentication ceremony to keep track of the authentication process. | |
| ======================================================== | |
| ======================================================== | |
| Response - 401 Status Code | |
| -------------------------------------------------------- | |
| -------------------------------------------------------- | |
| Header | |
| -------------------------------------------------------- | |
| WWW-Authenticate: OS-MF token="abcdefghijklmnop", factor="SMS" | |
| WWW-Authenticate: OS-MF token="abcdefghijklmnop", factor="PHONE" | |
| WWW-Authenticate: OS-MF token="abcdefghijklmnop", factor="PUSH" | |
| WWW-Authenticate: OS-MF token="abcdefghijklmnop", factor="PASSCODE" | |
| -- or -- | |
| WWW-Authenticate: OS-MF token="abcdefghijklmnop", factor="SMS", OS-MF token="abcdefghijklmnop", factor="PASSCODE" | |
| ======================================================== | |
| ======================================================== | |
| If a user has obtained a passcode and wishes to authenticate, the below request will be available. The token will be validated as a "half" token and the passcode will be verified against the underlying multi-factor implementation or vendor. Upon successful authentication, the service should respond with the normally implemented Authentication response. | |
| ======================================================== | |
| ======================================================== | |
| Request - Authenticate w/ Passcode | |
| ------------------------------- | |
| {"auth":{ | |
| "token":{"id":"abcdefghijklmnop"} | |
| "OS-MF:multifactor":{ | |
| "factor":"PASSCODE", | |
| "code":"passcode" | |
| } | |
| } | |
| } | |
| ----------------------------------- | |
| Response - 200 Auth Response | |
| ----------------------------------- | |
| ======================================================== | |
| ======================================================== | |
| If a user does not have a current passcode, one can be requested by submitting a factor type of SMS. This should only respond as a 204 if the request is successful, and the user will receive a SMS with a passcode in which could then be used for the Authenticate w/ Passcode call request. | |
| ======================================================== | |
| ======================================================== | |
| Request - Request Passcode SMS | |
| ------------------------------- | |
| {"auth":{ | |
| "token":{"id":"abcdefghijklmnop"} | |
| "OS-MF:multifactor":{ | |
| "factor":"SMS" | |
| } | |
| } | |
| } | |
| ----------------------------------- | |
| Response - 204 | |
| ----------------------------------- | |
| ======================================================== | |
| ======================================================== | |
| If a user does not have a current passcode, and chooses a factor type of PHONE or PUSH, the user will receive either a phone call or an app request to verify a factor request. The user should not be required to perform any further actions, the user's token from the original request should now be granted full token access. | |
| If the user does not respond to the PHONE or PUSH notification in a timely manner, the token should have a short expiration period and should no longer be accepted. | |
| ======================================================== | |
| ======================================================== | |
| Request - Request Passcode PHONE | |
| ------------------------------- | |
| {"auth":{ | |
| "token":{"id":"abcdefghijklmnop"} | |
| "OS-MF:multifactor":{ | |
| "factor":"PHONE" | |
| } | |
| } | |
| } | |
| ----------------------------------- | |
| Response - 204 | |
| ----------------------------------- | |
| ======================================================== | |
| ======================================================== | |
| ======================================================== | |
| ======================================================== | |
| Request - Request Passcode PUSH | |
| ------------------------------- | |
| {"auth":{ | |
| "token":{"id":"abcdefghijklmnop"} | |
| "OS-MF:multifactor":{ | |
| "factor":"PUSH" | |
| } | |
| } | |
| } | |
| ----------------------------------- | |
| Response - 204 | |
| ----------------------------------- | |
| ======================================================== | |
| ======================================================== |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment