SMSOTP expiry time format issue #22231

Open
DInuwan97 opened this issue Jan 10, 2025 · 0 comments

Description

Hi All

It has been observed that some release tags of the SMS-OTP connector (specifically for WSO2 IS 5.10.0 releases) have modified the source code by removing the 1000x multiplication. [1]

When the SMS-OTP is configured via the event publisher flow, and the following TOML configuration is applied, the Identity Server (IS) displays an error message indicating that the token has expired upon OTP submission. If the TokenExpiryTime config is not there, IS will keep the default value of 300000 and there will not be any issues. [2]

This issue occurs because the source code retrieves the token expiry time as 900 from the configuration. When the 1000x multiplication is removed from the conditional statement, the logic defaults to the else block, leading to this behavior.

```toml
[authentication.authenticator.sms_otp]
name ="SMSOTP"
enable=true
[authentication.authenticator.sms_otp.parameters]
SMSOTPAuthenticationEndpointURL= "/smsotpauthenticationendpoint/smsotp.jsp"
SMSOTPAuthenticationEndpointErrorPage= "/smsotpauthenticationendpoint/smsotpError.jsp"
MobileNumberRegPage = "/smsotpauthenticationendpoint/mobile.jsp"
RetryEnable = true
ResendEnable = true
BackupCode = true
SMSOTPEnableByUserClaim = true
usecase = "local"
secondaryUserstore = "primary"
SMSOTPMandatory = false
SendOtpToFederatedMobile = false
federatedMobileAttributeKey = "mobile"
CaptureAndUpdateMobileNumber = true
SendOTPDirectlyToMobile = false
TokenExpiryTime = 900
EnableAccountLockingForFailedAttempts=true
showAuthFailureReason=true
screenUserAttribute="http://wso2.org/claims/mobile"
enableRetryFromAuthenticator= true
redirectToMultiOptionPageOnFailure = false
```

[1] - https://github.com/wso2-extensions/identity-outbound-auth-sms-otp/blob/master/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/smsotp/SMSOTPAuthenticator.java#L1264
[2] - https://github.com/wso2-extensions/identity-outbound-auth-sms-otp/blob/master/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/smsotp/SMSOTPAuthenticator.java#L954

Thanks,
Dinuwan

Steps to Reproduce

Set up the SMSOTP Authenticator with the above configs and try to submit the OTP in 5.10.0 latest. Upon OTP submission there will be a token expiry message.

Version

5.10.0

Environment Details (with versions)

MacOS/Linux/Windows
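
The unit mismatch described in this issue, as an added example that is not part of the original report or the connector's source: it reads `TokenExpiryTime` from TOML text and evaluates the value under both build behaviours (with and without the 1000x multiplication). The function names, the simplified expiry check, the 20-second submission delay and the 15-minute ceiling are assumptions made for illustration.

```python
import re

# Constructed sample: the relevant lines of the configuration quoted in the issue.
SAMPLE_TOML = """
[authentication.authenticator.sms_otp]
name = "SMSOTP"
enable = true
[authentication.authenticator.sms_otp.parameters]
RetryEnable = true
TokenExpiryTime = 900
"""

SECTION = "authentication.authenticator.sms_otp.parameters"
MAX_SANE_WINDOW_MS = 15 * 60 * 1000  # assumption: local policy ceiling, not from the issue

def read_token_expiry(toml_text):
    """Return TokenExpiryTime from the SMS OTP parameters table, or None if unset."""
    section = None
    for line in map(str.strip, toml_text.splitlines()):
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == SECTION:
            m = re.fullmatch(r'TokenExpiryTime\s*=\s*"?(\d+)"?', line)
            if m:
                return int(m.group(1))
    return None

def is_expired(sent_ms, now_ms, window_ms):
    """Hypothetical expiry check: the OTP is rejected once the window has elapsed."""
    return now_ms - sent_ms > window_ms

def audit(toml_text, submit_delay_ms=20_000):
    """Evaluate the configured value under both unit interpretations."""
    value = read_token_expiry(toml_text)
    if value is None:
        return None  # key absent: the connector's own default applies
    report = {}
    for build, factor in (("multiplies_by_1000", 1000), ("no_multiplication", 1)):
        window = value * factor
        report[build] = {
            "window_ms": window,
            # True means a user who types the code after submit_delay_ms is rejected
            "rejects_normal_login": is_expired(0, submit_delay_ms, window),
            # True means the OTP stays valid longer than the assumed ceiling
            "window_too_long": window > MAX_SANE_WINDOW_MS,
        }
    return report

if __name__ == "__main__":
    for build, result in audit(SAMPLE_TOML).items():
        print(build, result)
```

A value written in seconds (900) is rejected immediately by a build that treats it as milliseconds, while a value written in milliseconds (300000) would give a build that multiplies by 1000 an OTP window of several days, so the configured value has to be checked against the behaviour of the installed connector version.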

Projects
Status: In Progress