Authentication Transaction Model Flashcards
What does the Authentication API do?
Provide operations to authenticate users, perform MFA enrollment and verification, recover forgotten passwords and unlock accounts
What are the two ways that the OKTA Authentication API can be used?
As a standalone API to provide the identity layer on top of your existing application or integrated with the OKTA Sessions API to obtain an Okta sessions cookie and access apps with OKTA.
What is the Okta sessions API?
Provides operations to create and manage authentication sessions for users in your Okta organization
Who is the Authentication API targeting?
Developers who want to build their own end-to-end login experience to replace the built in Okta login experience.
What scenarios does the Authentication API address?
Primary authentication which lets you verify username and password credentials for a user.
MFA authentication which strengthens the security of password-based authentication by requiring additional verification of another factor.
Recovery, which lets users reset their password if they’ve forgotten it or unlock their account if it has been locked out because of too many login attempts
How can the behavior of the Okta Authentication API vary?
It can vary depending on the type of your application
Your org’s security policies such as the global session policy, the MFA enrollment policy, or the Password policy
How are policies evaluated by Okta for authentication?
Based on the client request context, such as IP address
What is the new name for the MFA Enrollment Policy name in Identity Engine?
Authenticator Enrollment Policy
What is a public application?
An application that anonymously starts a authentication or recovery transaction without an API toke, such as the OKTA sign widget.
What are some characteristics of public applications?
Aggressively rate limited to prevent abuse
Require primary authentication to be successfully completed before releasing any metadata about a user
What are trusted applications?
Backend applications that act as authentication broker or login portal for your Okta organization and may start an authentication or recovery transaction with an administrator token.
What are some characteristics of trusted applications?
They may implement their own recovery flows and primary authentication process
They may receive additional metadata about the user before primary authentication has successfully completed
May need to override the client request context to forward the originating client context for the user
How does every authentication transaction start?
With primary authentication which validates a user’s primary password credential. Password Policy, MFA Policy, and Sign On Policy are evaluated during primary authentication to determine if the user’s password is expired, a Factor should be enrolled, or additional verification is required.
The transaction state of the response depends on the user’s status, group memberships and assigned policies.
What are the request parameters for primary authentication?
audience: (deprecated) App ID of the target app the user is signing into
context: Provides context for the authentication transaction
options: Opt-in features for the authentication transaction
password: User’s password credential
token: Token received as part of the activation user request
username: User’s non qualified short-name (e.g. chad.sterling) or unique fully qualified sign-in name (e.g. chad.sterling@okta.com)
What opt-in features for the authentication transaction state machine?
multiOptionalFactorEnroll: Transitions transactions back to MFA_ENROLL state after successful Factor enrollment when additional optional factors are available for enrollment.
warnBeforePasswordExpired: Transitions transactions to PASSWORD_WARN state before SUCCESS if the user’s password is about to expire and within their password policy warn period
What is a context object?
Allows trusted web applications such as an external portal to pass additional context for the authentication or recovery transaction.
How do you override context?
Overriding context such as deviceToken is a highly privileged operation limited to trusted web applications and requires making authentication or recovery requests with a valid administrator API token. If an API token is not provided, the deviceToken will be ignored.
What is a deviceToken?
A globally unique ID identifying the user’s client device or user agent.
How is the deviceToken used?
You must pass the same deviceToken for a user’s device with every authentication request or per device or per session Sign-On Policy Factor challenges. If the deviceToken is absent or does not match the previous deviceToken, the user is challenged every-time instead of per-device or per-session.
You must always pass the same deviceToken for a user’s device with every authentication request for new device security behavior detection. If the deviceToken is absent or doesn’t match a recent deviceToken for the user, the request is considered to be from a new device.
What are some best practices for generating and storing deviceTokens for web applications?
For web apps, Okta recommends that you generate a UUID or GUID for each client and persist the deviceToken using a secure, HTTP-only cookie or HTML5 localStorage scoped to the customer’s domain as the default implementation.
What are some best practices for generating and storing deviceTokens for native apps?
For native apps, ask the device operating system for a unique device ID
What is the transaction object?
The Authentication API is a stateful API that implements a finite state machine with defined states and transitions. Each initial authentication or recovery request is issued a unique state token that must be passed with each subsequent request until the transaction is complete or cancelled.
What does the 401 unauthorized state mean for the authentication transaction object?
401 unauthorized status code is returned for requests with invalid credentials, locked out accounts or access denied by sign-on policy.
What does the 429 too many requests state mean for the authentication transaction object?
This is returned when the rate-limit is exceeded.
What is primary authentication with public application?
Authenticating a user with username/password credentials via a public application?
What happens if we the user’s password policy is configured to show lockout failures?
If the user’s password policy is configured to show lockout failures, the authentication process completes with LOCKED_OUT status
What is primary authentication with trusted application?
Authenticates a user through a trusted application or proxy that overrides the client request context.
The public IP address of your trusted application must be allowed as a gateway IP address to forward the user agent’s original IP address with the X-Forwarded-For HTTP header
The Authorization: SSWS ${api_token} header is optional, in case of a SPA (Single Page app) this header can be omitted.
What is primary authentication with activation token?
Authenticates a user through a trusted application or proxy that overrides a client request context.
What happens when authenticating with activation tokens if the user was created without credentials?
If the user was created without credentials, the response will trigger the workflow to set the user’s password. After the password is configured, depending on the MFA setting, the workflow continues with MFA enrollment or successful authentication.
How do you set up primary authentication with device fingerprinting
Include the X-Device-Fingerprint header. This header can be used in the following ways:
If the new or unknown device email notification is enabled, an email is sent to the user if the device fingerprint sent in the X-Device_fingerprint header isn’t associated with a previously successful user sign in.
If you have the security behavior detection feature enabled and you have a new device behavior configured in a policy rule, a new device is detected if he device fingerprint sent in the X-Device_Fingerprint header isn’t associated with a previously successful user sign.
This feature has been deprecated.
How do you specify your device fingerprint in the X-Device-Fingerprint header?
It is highly privileged operation that is limited to trusted web applications and requires making authentication requests with a valid API token. Only send the device fingerprint if the trusted app has a computed fingerprint for the end user’s client.
How is the X-Device-Fingerprint header different from the device token?
Device-based MFA in the Okta Sign-on policy rules depends on the device token only and not on the X-Device-Fingerprint header.
