This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

One Time Passwords

The one time password feature is used to facilitate the users who wish to have a new password each time they login. This increases the security to prevent password theft, since at each login, the user gets a new password. Also, this helps users who do not like to remember passwords all the time.

In WSO2 Identity Server when users enable OTP using their profile configuration, each time when the user logs in, a new password is sent to the user’s email. This password can be used next time when the user needs to login.

This topic provides the set of instructions required to configure the one time feature and to also see it in action.

Configuring the one time password

You need to create the following claim and map it with a valid attribute with the underlying datastore. This is used to store the OTP feature status for the user. This topic provides the instructions necessary to do this as well.

  • http://wso2.org/claims/identity/otp

Tip: Do not confuse this with the claim "http://wso2.org/claims/oneTimePassword", which is available under the claim dialect "http://wso2.org/claims".

In order to display this in the user profile you need to select the Supported by Default attribute found when creating the claim.

  1. Open the <IS_HOME>/repository/conf/carbon.xml file and make the following change. This is done so that the WSDL file can be accessed to perform this functionality.

    <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
  2. Enable the Identity Listener by setting the following property to true in the <IS_HOME>/repository/conf/identity/identity.xml file.
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/>
  3. Set the following configuration in the <PRODUCT_HOME>/repository/conf/identity/identity-­mgt.properties file.

    Notification.Sending.Enable=true
    Notification.Sending.Internally.Managed=true
    Authentication.Policy.Enable=true
    Authentication.Policy.Check.OneTime.Password=true
  4. In order to send an email from the Identity Server, you must define your mail transport configurations. To do this, set the transportSender details in the <IS_HOME>/repository/conf/axis2/axis2.xml file as shown below. This example uses a sample email address. You can set the configuration according to your email server settings.

    <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
           <parameter name="mail.smtp.from">testemail@gmail.com</parameter>
           <parameter name="mail.smtp.user">testemail@gmail.com</parameter>
           <parameter name="mail.smtp.password">mypassword</parameter>
           <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
    
           <parameter name="mail.smtp.port">587</parameter>
           <parameter name="mail.smtp.starttls.enable">true</parameter>
           <parameter name="mail.smtp.auth">true</parameter>
    </transportSender> 
  5. Start/Restart the Identity Server.

Configuring the claim

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. From the Main menu, click Add under Claims.
  3. Click Add New ClaimEnter all of the required information in the form that appears.
  4. Add the http://wso2.org/claims/identity/otp claim.

    You must add the following for this to work.

    Claim detailsValue
    Claim Dialecthttp://wso2.org/claims
    Claim URIhttp://wso2.org/claims/identity/otp
    Mapped AttributeoneTimePassword
    Supported by DefaultSelected

    Note: For the mapped attribute, you can specify any attribute name that is supported by the underlying user store. In this example, this claim is selected as ‘Supported by Default’ so that this claim appears when you view the profile of users. You can also set the value for the attribute from the user profile.

  5. Click Add.

Configuring a user for OTP

  1. On the Main tab in the Management Console, click Add under Users and Roles.
  2. Click Users. This link is only visible to users with the Admin role. 
  3. Click Add New User.
  4. Enter a username and password and click Next.
  5. Assign a role to the user that has the login permission.
  6. Click User Profile when the added user is listed.
  7. When you view the profile of the user for the first time without updating the profile, the OTP attribute appears as a text box. You can enter true or false as the value in the textbox. If not you can just enter the values for required fields and click Update.
     
  8.  
    Upon updating the profile, if you did not give any value for the OTP attribute, it is considered as false by default. The next time you view the profile, the OTP attribute appears as a checkbox as it now contains a boolean value (true or false). The logic in the UI to display a checkbox instead of a textbox depends on whether it is true or false.
  9. To enable OTP for this user account, select the OTP claim checkbox and click Update.
     

Testing OTP

Login as a user to check the one time password feature. Also ensure that you have filled the necessary profile details including email.

Now when the user logs out and logs in again, a new password is generated and emailed to the user’s email.