It is possible to verify that a user has access to read SMS messages sent to a phone number.
Applications can use the Ubisecure SSO infrastructure for sending the SMS message and verifying the code entered by the user.
To do this, a Ubisecure-specific OAuth grant type is used.
Step-by-step guide
To configure a system to support phone number verification:
- Configure a new method of the type Unregistered SMS. In these screenshots, the name of the method is ubikey.sms.X.
- Enable the method ubikey.sms.X on a site
- Create a group called Unregistered SMS Users, assign membership based on the ubikey.sms.X method just created.
- Create an agent of type OAuth in that site
- Activate the agent using the following metadata:
Metadata for phone number verification by SMS
{"grant_types":["http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp"]}
- Open the Allowed To tab and Add the group Unregistered SMS Users.
- An authorization policy is not required. If used, attributes sent in the Authorization policy will appear in the id_token received in the verification response.
To send a verification code to a user:
Create a POST request
Metadata for phone number verification by SMS
{"grant_types":["http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp"]}
An example using the HttpRequester browser extension is shown here:
To verify a code collected from the user:
Create a POST request
Metadata for phone number verification by SMS
grant_type=http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp&scope=openid&client_id=c495bb59-f0ae-430a-9830-ca8228aa58fe&client_secret=CVgXCVQaLeRcd0AQ604sUuAL0NCBDX77&x_globalsign_iam_reference_id=.eyJzdWIiOiIzNTg0MDQxMzQyNTIiLCJpYXQiOjE0OTk0MjY3NjY3MjUsImN0bXMiOjE0Njc0MjY1MTM3ODgyMDQsIm1hYyI6IkFaUzU2ckhPQjV6d2RfVWJWenhjOUgtX2VQejJiSFJNT0dXY0hTV1hWdzhFUTRST1locWdiQVNkZ3huSGVhLWk3QnhNZmc9PSJ9.S1f4VSae-QO0jfFcekPHUGTvqBgYc2yFsHbj3UVhFpk&x_globalsign_iam_otp_code=32768341
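The verification request above, rebuilt as an added Python example (not Ubisecure's own code): it percent-encodes the form fields, rejects malformed codes before the server is called, and masks the secret, reference id and code for logging. The endpoint URL, the digits-only code check and all sample values are assumptions or constructed placeholders.

```python
import os
import urllib.parse
import urllib.request

# Grant type URI copied from the page.
SMS_OTP_GRANT = "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp"
# Placeholder: the page does not give the token endpoint URL.
TOKEN_ENDPOINT = "https://sso.example.com/TOKEN-ENDPOINT-PLACEHOLDER"
# Fields that must never reach a log file in clear text.
SENSITIVE = {"client_secret", "x_globalsign_iam_reference_id",
             "x_globalsign_iam_otp_code"}


def build_verify_request(client_id, client_secret, reference_id, otp_code,
                         endpoint=TOKEN_ENDPOINT):
    """Return a urllib Request carrying the form fields shown on the page."""
    otp_code = otp_code.strip()
    # Assumption: codes are numeric, like the 8-digit sample on the page.
    if not (otp_code.isascii() and otp_code.isdigit()):
        raise ValueError("OTP code must contain digits only")
    if not reference_id:
        raise ValueError("reference id from the send step is required")
    fields = {
        "grant_type": SMS_OTP_GRANT,
        "scope": "openid",
        "client_id": client_id,
        "client_secret": client_secret,
        "x_globalsign_iam_reference_id": reference_id,
        "x_globalsign_iam_otp_code": otp_code,
    }
    body = urllib.parse.urlencode(fields).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(endpoint, data=body, headers=headers,
                                  method="POST")


def redact_for_log(request):
    """Return the request body with secret, reference id and code masked."""
    pairs = urllib.parse.parse_qsl(request.data.decode("ascii"))
    masked = [(k, "REDACTED" if k in SENSITIVE else v) for k, v in pairs]
    return urllib.parse.urlencode(masked)


if __name__ == "__main__":
    req = build_verify_request(
        client_id="00000000-0000-0000-0000-000000000000",  # constructed
        client_secret=os.environ.get("SSO_CLIENT_SECRET", "constructed-secret"),
        reference_id="constructed.reference.id",           # constructed
        otp_code="12345678",                               # constructed
    )
    print(redact_for_log(req))  # send with urllib.request.urlopen(req, timeout=10)
```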
An example using the HttpRequester browser extension is shown here:
The response will contain
Response