Generating and validating a VOTP using the OAS SDK

OAS supports sending OTPs via SMS, email and voice; these are called virtual one-time passwords (VOTPs). Before we get started, we have to make sure that we have configured MDC for SMS delivery and have set up our development environment for the SOAP wrappers.

We will require a Virtual DIGIPASS in order to generate VOTPs. You can find a demo Virtual DIGIPASS on the installation ISO under the folder Demo DPX files\Demo_VDP.dpx.

To import this file we will go to the DIGIPASS tab in the Web Administration Service and click on the import menu option:

Click choose file and select Demo_VDP.dpx. The transport key for all demo tokens is 32 1s (11111111111111111111111111111111). Click next on all of the remaining options throughout the wizard to import the token.

Once uploaded and imported, we can search for the token on the DIGIPASS list. Upon opening up the imported device we will be able to see the option to assign it to a user:

Click on the assign button to start the assignment process.
We can filter for a particular user; in this case I am using the user created in the OAS SOAP Wrappers getting started tutorial.
Depending on how many users we have in our system, the search may return multiple users. Here we select the user we want to assign the DIGIPASS to. On the following pages we click next to accept the defaults and then finish to complete the assignment process.
When we look at the user list, we will see that the user has a DIGIPASS assigned.

Now we can start programming a little by defining the configuration bean with our server settings:

ConfigurationBean configurationBean = new ConfigurationBean();
configurationBean.setPrimarySoapURL("https://10.10.200.75:8888");
AdministrationBean administrationBean = new AdministrationBean(configurationBean);

Remember you need to pass the configuration bean to the constructor of your other beans in order to use your configured settings!

The command we wish to run (generate VOTP) belongs to the administration scenario. If you are using a version prior to 3.18, you will need to perform an administrative logon with a user who has the Generate Virtual DIGIPASS OTP permission. Otherwise you can pass the service account key in the header.

AdministrationCommandResponse administrationCommandResponse = administrationBean.logon("master", "admin", null, null, "Test1234", Credentials.RequestHostCode.No);
System.out.println("admin logon Response\nReturn Code: " + administrationCommandResponse.getReturnCode() + "\nStatus Code: " + administrationCommandResponse.getStatusCode());

try {
    // TODO: generate VOTP
} finally {
    // Always release the administrative session, even if the call above throws
    administrationCommandResponse = administrationBean.logoff();
    System.out.println("admin logoff Response\nReturn Code: " + administrationCommandResponse.getReturnCode() + "\nStatus Code: " + administrationCommandResponse.getStatusCode());
}

If you are using the administrative logon, remember to call logoff once you are done, otherwise you risk consuming all administrative sessions and you may get locked out!

Remember to always check the responses from OAS to ensure that the calls succeeded. Let's replace our TODO with the call and some basic logging:

// serial number, application, delivery method, mobile number, email address
DigipassApplicationCommandResponse digipassApplicationCommandResponse = administrationBean.getDigipassApplicationHandler().genVirtualOTP("0034599648", "RESP", "SMS", "+12345678", null);

System.out.println("genVirtualOTP Response\nReturn Code: " + digipassApplicationCommandResponse.getReturnCode() + "\nStatus Code: " + digipassApplicationCommandResponse.getStatusCode());

If we wanted to send an email we would change the delivery method to Email and pass the email address as the last parameter.

When we run this in the generate VOTP sample program, we should receive the following output in our console:

admin logon Response
Return Code: 0
Status Code: 0
genVirtualOTP Response
Return Code: 0
Status Code: 0
admin logoff Response
Return Code: 0
Status Code: 0

The return code 0 and status code 0 indicate success. Any other value should be treated as an error (if the admin logon fails, the rest will fail as well).

Meanwhile, our server/mobile device should have received the VOTP. If you have followed along with our previous tutorial on configuring MDC, we will see the following output on our Python server:

>python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.200.75 - - [12/Mar/2020 15:32:27] "GET /?destination=%2B12345678&message=Your%20one-time%20password%20is%2042415872. HTTP/1.1" 200 -

Watch out for the URL encoding: the %20 directly in front of the digits is the encoded space character and not part of the OTP, so the OTP is 42415872.
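
To make the encoding pitfall concrete, here is an added example (not part of the original tutorial or the OAS SDK) that decodes the request line logged by the Python test server and compares it with reading the digits off the raw line. The function names, the 6 to 10 digit OTP pattern and the masked copy for logging are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the access-log line shown above, copied as one string.
SAMPLE_LOG_LINE = (
    '10.10.200.75 - - [12/Mar/2020 15:32:27] "GET /?destination=%2B12345678'
    '&message=Your%20one-time%20password%20is%2042415872. HTTP/1.1" 200 -'
)

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/\d(?:\.\d)?"')
# Assumption: the OTP is the only standalone run of 6-10 digits in the message.
OTP_RE = re.compile(r"(?<!\d)\d{6,10}(?!\d)")


def parse_gateway_request(log_line):
    """Decode destination, message and OTP from one http.server log line."""
    match = REQUEST_RE.search(log_line)
    if match is None:
        raise ValueError("no HTTP request line in log entry")
    # parse_qs percent-decodes each value: %2B -> '+', %20 -> ' '.
    params = parse_qs(urlsplit(match["target"]).query, keep_blank_values=True)
    missing = [name for name in ("destination", "message") if name not in params]
    if missing:
        raise ValueError("missing query parameter(s): " + ", ".join(missing))
    message = params["message"][0]
    otp = OTP_RE.search(message)
    if otp is None:
        raise ValueError("no OTP found in decoded message")
    return {
        "destination": params["destination"][0],
        "message": message,
        "otp": otp.group(),
        # Masked copy for anything that gets written to a log or ticket.
        "redacted": OTP_RE.sub(lambda m: "*" * len(m.group()), message),
    }


def naive_otp(log_line):
    """What you get by reading digits off the raw, still-encoded line."""
    raw = log_line.split("message=", 1)[1]
    return OTP_RE.search(raw).group()


if __name__ == "__main__":
    print(parse_gateway_request(SAMPLE_LOG_LINE))
    print("naive read:", naive_otp(SAMPLE_LOG_LINE))
```

Reading the raw line picks up the "20" of %20 as two extra leading digits, which is why the message has to be decoded before the OTP is extracted.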

Now we can submit this OTP in the same way as in our previous tutorial. Again we have to define an authentication bean using our configuration bean, and set the client component and the password format (clear text separate):

ConfigurationBean configurationBean = new ConfigurationBean();
configurationBean.setPrimarySoapURL("https://10.10.200.75:8888");
configurationBean.setAuthenticationComponent("SOAP-Auth");
configurationBean.setPasswordFormat(ConfigurationBean.Password_Format.CLEARTEXT_SEPARATE);

AuthenticationBean authenticationBean = new AuthenticationBean(configurationBean);

If you forget to set the password format to clear text separate you will receive an error stating that the static password could not be validated.

Now we can send the OTP as the DP Response parameter:

AuthenticationCommandResponse authenticationCommandResponse = authenticationBean.authUser("master", "user", null, "42415872", null, Credentials.RequestHostCode.No);

System.out.println("Return Code: " + authenticationCommandResponse.getReturnCode() + "\nStatus Code: " + authenticationCommandResponse.getStatusCode());

When we run the authenticate VOTP sample program we should receive the following output on our console indicating that the OTP was accepted:

Return Code: 0
Status Code: 0

Conclusion

Building upon the previous tutorials we managed to generate a VOTP and submit it to the server for authentication. The same method of generating the VOTP and authenticating the user can also be used for email and voice.
