Writing a Post Authentication Handler for WSO2 Identity Server
This blog will describe how to write a custom post authenticator for WSO2 Identity Server 5.5.0 and newer.
First, let’s find out what WSO2 Identity Server is and what a post-authentication handler does.
- WSO2 Identity Server is an identity and access management server that facilitates security while connecting and managing multiple identities across different applications. It enables enterprise architects and developers to improve customer experience through a secure single sign-on environment.
- A Post Authentication Handler is an extension point available from 5.5.0 onwards. As the name implies, it lets you run a task upon successful authentication. Note that “upon successful authentication” means the authentication steps themselves have completed, but the user is not yet treated as authenticated to the system: that happens only after every post-authentication handler has finished executing.
Implementation of Post Authentication Handler
This blog will describe how to implement a post-authentication handler that checks whether a user has already provided challenge questions and, if not, redirects them to a page where the challenge questions can be collected.
You can find the complete implementation of the missing challenge question post-authentication handler here.
The following method handles the main logic of a post authenticator.
Post-authentication handlers are invoked after a user’s login attempt succeeds. The framework calls the handle method of each post-authentication handler class.
The handle method receives the AuthenticationContext, the HttpServletRequest and the HttpServletResponse. The post-authentication handler first checks whether the user has already provided challenge questions, using the isChallengeQuestionsProvided method.
If the user has not provided the challenge questions, we’ll check for the CHALLENGE_QUESTIONS_REQUESTED property in the message context. This property in the message context indicates whether we have requested to add challenge questions from the user or not.
We also have to set the CHALLENGE_QUESTIONS_REQUESTED property at the moment we request the challenge questions from the user. We redirect the user to a separate web page to collect the challenge questions and answers. The redirect is triggered only when the user has not yet given the challenge questions and the CHALLENGE_QUESTIONS_REQUESTED property is false.
We have used the httpServletResponse.sendRedirect(String URL) method to redirect the user to the separate web page. It’s important to send the sessionDataKey as a query parameter, because that key is what ties the redirected request back to the current authentication context.
It’s possible to use a custom web page to collect the challenge questions from users. We have included the add-security-questions.jsp page for this purpose. Once we have received the challenge questions from the user, the page needs to submit the data to the ../commonauth URL, and the sessionDataKey must be sent along with the form submission. After the answers are submitted, the user is directed back to the post-authentication handler, and the CHALLENGE_QUESTIONS_REQUESTED property should now be true.
At this point the post-authentication handler can add the user’s challenge questions to the Identity Server and complete the post-authentication flow. Finally, the user is able to log in to the service provider’s service.
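The two-pass flow described above (redirect on the first call, consume the submitted answers on the second), written out as an added Java example. This is not the post’s own code nor the WSO2 project’s handler: the package name, the ChallengeQuestionStore interface (standing in for the server’s real challenge-question manager), the form field names `question-N` / `answer-N`, the page path under `/authenticationendpoint/`, the error codes, and the three-argument PostAuthenticationFailedException constructor are all assumptions; the handler base class, flow-status enum, context property accessors and `getContextIdentifier()` are the framework API names this example assumes for 5.5.0 and newer. One check worth keeping that the post only implies: on the second pass the handler compares the submitted sessionDataKey with the context’s own identifier before storing anything, so a form submission cannot attach answers to a different session’s context.

```java
package org.example.postauthn; // hypothetical package; not the project's

import java.io.IOException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.AbstractPostAuthnHandler;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.PostAuthnHandlerFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;

public class MissingChallengeQuestionsHandler extends AbstractPostAuthnHandler {

    /** Context property from the post: set once we have sent the user to the question page. */
    public static final String CHALLENGE_QUESTIONS_REQUESTED = "CHALLENGE_QUESTIONS_REQUESTED";
    /** Query/form parameter that ties the redirect and the form POST back to this context. */
    private static final String SESSION_DATA_KEY = "sessionDataKey";
    /** Assumed path of the add-security-questions.jsp page named in the post. */
    private static final String CHALLENGE_PAGE = "/authenticationendpoint/add-security-questions.jsp";
    /** Assumed form field names; the post does not name them. */
    private static final String QUESTION_PREFIX = "question-";
    private static final String ANSWER_PREFIX = "answer-";

    /** Hypothetical persistence boundary standing in for the server's own challenge-question manager. */
    public interface ChallengeQuestionStore {
        boolean hasChallengeQuestions(AuthenticatedUser user);
        void storeChallengeQuestions(AuthenticatedUser user, Map<String, String> questionToAnswer);
    }

    private final ChallengeQuestionStore store;

    public MissingChallengeQuestionsHandler(ChallengeQuestionStore store) {
        this.store = store;
    }

    @Override
    public PostAuthnHandlerFlowStatus handle(HttpServletRequest request, HttpServletResponse response,
                                             AuthenticationContext context)
            throws PostAuthenticationFailedException {

        AuthenticatedUser user = context.getSequenceConfig().getAuthenticatedUser();
        if (user == null || isChallengeQuestionsProvided(user)) {
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;   // nothing to collect
        }

        boolean alreadyRequested = Boolean.TRUE.equals(context.getProperty(CHALLENGE_QUESTIONS_REQUESTED));
        if (!alreadyRequested) {
            // First pass: remember that we asked, send the user to the page, and pause the flow.
            context.setProperty(CHALLENGE_QUESTIONS_REQUESTED, Boolean.TRUE);
            try {
                String location = CHALLENGE_PAGE + "?" + SESSION_DATA_KEY + "="
                        + URLEncoder.encode(context.getContextIdentifier(), "UTF-8");
                response.sendRedirect(location);
            } catch (IOException e) {
                throw new PostAuthenticationFailedException("CQ-REDIRECT",
                        "Could not redirect to the challenge-question page", e);
            }
            return PostAuthnHandlerFlowStatus.INCOMPLETE;
        }

        // Second pass: the form came back through ../commonauth. Accept it only when the
        // sessionDataKey it carries is the identifier of this very context.
        String key = request.getParameter(SESSION_DATA_KEY);
        if (key == null || !key.equals(context.getContextIdentifier())) {
            throw new PostAuthenticationFailedException("CQ-KEY",
                    "sessionDataKey does not match the authentication context");
        }

        Map<String, String> answers = readAnswers(request);
        if (answers.isEmpty()) {
            throw new PostAuthenticationFailedException("CQ-EMPTY",
                    "No challenge question answers were submitted");
        }
        store.storeChallengeQuestions(user, answers);
        return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
    }

    private boolean isChallengeQuestionsProvided(AuthenticatedUser user) {
        return store.hasChallengeQuestions(user);
    }

    /** Pairs question-N with answer-N, skipping blank halves so a half-filled row is never stored. */
    static Map<String, String> readAnswers(HttpServletRequest request) {
        Map<String, String> result = new LinkedHashMap<>();
        for (String name : request.getParameterMap().keySet()) {
            if (!name.startsWith(QUESTION_PREFIX)) continue;
            String index = name.substring(QUESTION_PREFIX.length());
            String question = request.getParameter(name);
            String answer = request.getParameter(ANSWER_PREFIX + index);
            if (question != null && !question.trim().isEmpty()
                    && answer != null && !answer.trim().isEmpty()) {
                result.put(question.trim(), answer.trim());
            }
        }
        return result;
    }

    @Override
    public int getPriority() { return 20; }   // arbitrary; orders this handler among the installed ones

    @Override
    public String getName() { return "MissingChallengeQuestionsHandler"; }
}
```

The handler returns INCOMPLETE after the redirect so the framework keeps the context alive and calls handle again when the form posts to ../commonauth with the same sessionDataKey; returning SUCCESS_COMPLETED on the second pass is what finally lets the login proceed to the service provider.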