We are at the end of our integration and we are trying to test the MFA workflow with yodlee.
How can we simulate that some accounts need to be refreshed and that these refresh required an MFA of type Captcha, Token and Q&A ?
I am using the Dummy account generator https://dag2.yodlee.com/dag/lndhaction.do but I don't have the answers for Q&A and Token MFA account.
Moreover, the captcha MFA account, how can I simulate the MFA is required on every refresh ?
You can use the Dummy Account Generator and the answers for Q/A & Token MFA are present in the XMLs.
For e.g., if you are using Site based DAG then you can click on download link present next to the password value for that DAG, in case of DAG Site- Security Q/A then next to "site16486.2". Similarly for Token as well.
While for CAPTCHA, there is a CAPTCHA image attached to the CAPTCHA DAG which will be returned as a string(image converted into base64). You need to convert that base64 string into image and enter the CAPTCHA in the response.
So, Yodlee don't refresh as a daily refresh process the sites which has CAPTCHA/Token MFA. You need to call startSiteRefresh or startRefresh7(if using container based).
Related
I'd like to set my Google pay to accept both authentication modes: "PAN_ONLY" and "CRYPTOGRAM_3DS".
Then, during transaction flow, when I get the token, before I process the transaction - how can I check which authentication mode was applied by google out of the 2 without decrypting the token?
Why I want to do that:
if it's was tokenized in a 'PAN_ONLY' mode, I need to run 3DSecure myself, before processing the transaction
if it's 'CRYPTOGRAM_3DS' it means that the token is in DPAN mode and then I'd like to decrypt it (as a merchant)
how can I check which authentication mode was applied by google out of the 2 without decrypting the token?
You can request this information in the request with the CardParameters. assuranceDetailsRequired parameter. It will be returned as part of the CardInfo.assuranceDetails response.
if it's was tokenized in a 'PAN_ONLY' mode, I need to run 3DSecure myself, before processing the transaction
From https://developers.google.com/pay/api/web/reference/response-objects#assurance-details-specifications
Note: If both cardHolderAuthenticated and accountVerified are true, you don’t need to step up the returned credentials. If both aren’t, we recommend you to run the same risk checks and , authentication including 3D Secure flow if applicable.
I'm setting up an authentication where MFA is not optional, which means from the very first login attempt after registration, the user will be asked to set up MFA (in this case I will be using Time Based One Time Passcode, or TOPT). For this, I can see that following steps would be reasonable:
1)Get user information via the login form - Auth.signUp()
2)Determine from the user data retrieved in step 1) whether TOPT-based MFA is set for the user already. If not, go to step 3) or else step 4)
3)If TOPT is not set, redirect to a form where a QRCode will be generated in order to set up this MFA feature. After verifying the code, log the user in.
4)If TOPT is set, ask for the passcode. After verifying, log the user in.
My dilemma: It seems I cannot get the information in Step 2), i.e, whether TOPT-based MFA is set for the user already without the user already being authenticated. The flag challengeName retrieved in the payload via Auth.signUp() in step 1) only gives me info on whether MFA is enabled or not ('MFA_SETUP'), and not whether TOTP-based MFA has been set up already. For that, the method Auth.getPreferredMFA() is what would do the trick, but it only works if the user object being passed to it represents an authenticated (or already logged in) user. Is there a way to determine if TOTP MFA is set up for a user trying to log in (but not logged in yet)?
Also, any other solutions to tackle this problem would be welcome. There must be somebody out there who has run into the same scenario I have, where MFA is mandatory from the first log in itself.
I am facing the same issue. If the MFA is required, I open up a modal to get QR code displayed and setup the mfa for the user.
code: "NotAuthorizedException"
message: "Invalid session for the user."
name: "NotAuthorizedException"
But getting this error because the user hasn't logged in and created any access token yet.
My idea of solving this is actually logging in the user but making their permissions to not go beyond the SetupMFA screen so they only gain some permissions when they have completed the setup.
Have you made any progress yourself? I'd like to hear any solutions.
I'm working on an internal website for the company I work for. The website will be only available to company staff. We use Google Apps for Business, so we would like authentication to be done using our google accounts.
I've gone through 'google sign in' samples from here: https://developers.google.com/+/
It works, but the problem we run into is that it requires the user to sign up to Google+. This is a speed bump we would prefer not to have.
Are there any ways around this? Thanks.
It shouldn't be too hard to roll your own sign in using the lower levels of Oauth, eg 'email' scope. It's hard to give a more specific answer because it depends on your architecture (eg. are you predominantly server-side or client-side) and what kind of session do you want to create by the sign in process. For example, if you are client/REST based, you probably don't want any session at all as REST encourages statelessness. On the other hand, if you are more web based, serving static pages, you will want a session.
In simple terms, you will be doing something that generates an access token, and then processing that access token to determine the email address (or Google ID) of the person who created it. You will then establish some sort of session (eg. using session cookies) that identifies future requests from that user.
Feel free to add some more detail to your architecture and I'll try to finesse the answer.
For simple http servlet sessions, it will be something like.
User requests a protected page
servlet detects that there is no session and/or session has no authenticated user
servlet redirects to an Oauth page to request an access code. something like
https://accounts.google.com/o/oauth2/auth?redirect_uri=xxx&response_type=code&client_id=zz&approval_prompt=auto&scope=email
NB research the exact URL, don't rely on this to be exact
If the user isn't logged on, he'll be prompted; if he has multiple logins, he'll be prompted; if he hasn't yet granted email access, he'll be prompted. If none of these conditions are met (the normal case) he won't see anything.
Browser will redirect to the redirect_uri, carrying an access token (or an auth code if this is the first time the user has used the app)
Post the token to the Google userinfo endpoint, and you will receive a decode containing the email address
Store the email into a session object (or retrieve your own user object and store that)
redirect back to the originally requested page. You can use the OAuth state parameter to pass that around
et voila. all future page requests from that user will be within a session containing some user identification.
NB This is just an outline and I may even have missed a step. You will still need to do your own OAuth research.
Apparently not:
(..) if a Google user who has not upgraded to a Google+ account clicks
on the Sign in with Google+ button, the same consent dialog that opens
will take the user into an account upgrade flow.
Weirdly the docs for OAuth2 states:
Google+ Sign-In works for all users with a Google account, whether or
not they have upgraded to Google+.
Using the Yodlee API, if I have a successfully connected site_account, and then something changes (say the user updates the answers to their MFA questions) causing refresh to give Yodlee an error, how do I force it to refresh so that I can retry entering MFA information? Using startSiteRefresh I can't get it to force refresh, even with forceRefresh on RefreshParameters set to True. All I get back is SiteRefreshStatus=None with the previous error code, and it doesn't let me ask for new mfa questions at all.
To update the credentials you should use updateSiteAccountCredentials.
But to refresh you should be using startSiteRefresh and check for refresh mode
(siteRefreshInfo.getSiteRefreshMode()) if the refresh mode is MFA_REFRESH_MODE then you should start the MFA flow.
Based on the error, if you want to change the values like username, password, Q&A for MFA, you can use the updateCredentialsForItem call to edit the item. You can then refresh the account.
More details on this page.
You are correct, for site the API is different.
First you would need to call getSiteAccountCredentials or getSiteAccountMfaQuestionsAndAnswers to get login form or MFA QnA as needed, and then updateSiteAccountCredentials.
If the changes worked, refresh would be triggered.
I'm trying to get access to the Google's todo feed with this url:
https://www.google.com/calendar/tdl?secid=<SECID>&tdl={%22action_list%22%3A[{%22action_type%22%3A%22get_all%22%2C%22action_id%22%3A%221%22%2C%22list_id%22%3A%2215052708471047222911%3A0%3A0%22%2C%22get_deleted%22%3Afalse}]%2C%22client_version%22%3A-1}
If I open this in my browser with a correct secid, it shows me right what I want.
Now, the question is: how do I get secid programmatically (specifically, in a java program)? I have access to the authToken (from CalendarService), but I have no clue how to use it to authorize my access to the URL above.
I tried to use the url http://google.com/accounts/ServiceLogin, but I didn't find any examples.
Any help, please?
From what I read secid is a session ID obtained from browser's cookies. Whereas your case uses Java which implies a server app. If that is the case, you want to drop the idea of using secid entirely.
Instead, you want to check out Google's OAuth2 documentation. If you are using Java, most likely you would be interested in the web-server OAuth flow. Pay special attention to the sequence diagrams.
The key steps include:
1) Obtain an authorization code from Google OAuth with the user's consent. For that, you redirect the user to Google with the appropriate scope. Check the list of calendar scopes for your case. Once the user consents, Google redirects back to you with an authorization code.
2) Call Google OAuth with the authorization code and your app's credentials to exchange for an access token.
3) Call Google's Calendar API using the access token.
And if you use Google's Java client as suggested by #ChaosPredictor, chances are some of the steps are already wrapped into the Java client (and your code will be much simpler).