KOBIL PAM

The main task of this execution is to authenticate the user with one of two scopes:

  • kobil_password - Verifies password against IDP Server (SSMS)
  • kobil_oneshot - Verifies login OTP against IDP Server (SSMS)

Type

Protocol: OAuth 2.0
HTTP method: POST
Type: Direct Grant
Endpoint: Token Endpoint
Flow Supported: Resource Owner Password Credential Grant
Scope: kobil_oneshot, kobil_password
Response: Access Token, Refresh Token

Note: This is an OAuth 2.0 flow. If you want to use the OIDC protocol instead of the scope kobil_oneshot, use KOBIL Oneshot. There is no OIDC counterpart for the scope kobil_password.

How to configure

To access the configuration of the execution, press the Actions button and select Config. The authenticator configuration screen appears; enter your configuration data there.

KOBIL PAM flow

Configuration

Parameters involved in the KOBIL PAM execution

Parameter: Description
ID: Unique system UUID, assigned automatically.
Alias: Provide an alias name for the configuration to be set.
Enable Riskbit Validation: Switch this ON to enable Riskbit validation. Applicable to the kobil_oneshot scope only. Refer to Riskbits for more information.
Result ACR Value: Provide the ACR value which is to be added to the token.

KOBIL PAM flow

Execution Flow

Scope kobil_password

This execution contains the following main steps:

  1. KOBIL PAM is an independent authenticator, which does not have to be paired with any other authenticator.

  2. KOBIL PAM requires a username and password for verification.

  3. The user provides the username and password.

    3a. The username is verified against the IDP Provider and the IDP Server.
    3b. The password is verified against the credentials stored in the IDP Server.

Note: Credentials are verified against the IDP Server (SSMS) and NOT against the IDP Provider.

  4. If the authentication is successful, the user is logged in.
KOBIL PAM flow

Use Case: This authentication is used mostly in mobile apps where the app has access to the user credentials.

Used By: Any client that has access to the user credentials.

Scope kobil_oneshot

This execution contains the following main steps:

  1. KOBIL PAM is an independent authenticator, which does not have to be paired with any other authenticator.

  2. KOBIL PAM requires a username and a login OTP for verification.

    Note: The login OTP is delivered by the IDP SDK on successful login, as a parameter of the LoginEnd callback.

  3. The username is provided, and the login OTP is passed in the password parameter of the token request (see Develop below).

    3a. The username is verified against the IDP Provider and the IDP Server.
    3b. The login OTP is verified against the IDP Server.

Note: The login OTP is verified against the IDP Server (SSMS) and NOT against the IDP Provider.

  4. If the authentication is successful, the user is logged in.
KOBIL PAM Oneshot flow

Use Case: This execution is mainly used in mobile apps where the action is performed automatically by the mobile app, without any user interaction.

This execution is mostly used in combination with other executions, for example username + password.

Used By: Mobile and desktop apps that have access to the IDP SDK.

Additional Uses: Some sources recommend using this grant with native apps (rather than the authorization code grant with a public client) when full access to and control over the app's source code is ensured. Note, however, that the OAuth 2.0 Security Best Current Practice (RFC 9700) advises against the Resource Owner Password Credentials grant in general, because the client handles the raw credentials; use it only where the client is trusted with them, as in the use cases above.

This grant can also be used in place of the Client Credentials Grant in situations where a service account represents the system or calling application.

How to verify username and password for the kobil_password scope using the Postman collection:
  • Download the Postman collection here.

  • Prerequisites: an IDP Server, a username and password, and a client with its client scope and client secret.

  • Open the Get Access token API and enter the token endpoint URL in the request URL section.

  • Go to the "Body" tab and enter the username and password, along with the client, client scope and client secret parameters, in the value column.

  • Send the request.

  • If the request succeeds (a token response is returned), the credentials are verified.

How to verify username and login OTP for the kobil_oneshot scope using the Postman collection:
  • Download the Postman collection here.

  • Prerequisite: go to the Pre-login menu of the Oneshot app and enable Use OTP.

  • Open the Get Access token API and enter the token endpoint URL in the request URL section.

  • Log in to the mobile application. The OTP is generated and copied to the clipboard.

  • Go to the "Body" tab and enter the username and, in the password field, the OTP, along with the client, client scope and client secret parameters, in the value column.

  • Send the request.

  • If the request succeeds (a token response is returned), the credentials are verified.

Develop

Parameter: Description
userid (*required): User ID stored in the IDP Provider, not in the IDP Server (sent as the username form parameter in the examples below).
password (*required): Instead of the password, provide the KOBIL token called the login OTP. The IDP SDK delivers this token on successful authentication, in the SDK callback LoginEnd (..., login OTP).
Example
curl --location --request POST 'https://midprovider.kobil.com/digitanium/v3/login' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=test_user' \
--data-urlencode 'password=1096D3GFDD89732A2DE1161BA1DC739671233058BAF3B70D7B0CA999D3387BC5F573736D73312E65636F2D64656D6F31' \
--data-urlencode 'scope=kobil_oneshot' \
--data-urlencode 'client_id=test_client'
// Send the credentials in the form body (the Content-Type already says so);
// putting them in the URL query string would leak them to logs and proxies.
var settings = {
  "url": "https://midprovider.kobil.com/digitanium/v3/login",
  "method": "POST",
  "timeout": 0,
  "headers": {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  "data": {
    "grant_type": "password",
    "username": "test_user",
    "password": "1096D3GFDD89732A2DE1161BA1DC739671233058BAF3B70D7B0CA999D3387BC5F573736D73312E65636F2D64656D6F31",
    "scope": "kobil_oneshot",
    "client_id": "test_client"
  }
};

$.ajax(settings).done(function (response) {
  // On success the response carries the access token and refresh token.
  console.log(response);
});

import http.client
import urllib.parse

# Credentials go in the form-encoded body, not in the URL query string,
# where they would end up in access logs and proxies.
body = urllib.parse.urlencode({
    "grant_type": "password",
    "username": "test_user",
    "password": "1096D3GFDD89732A2DE1161BA1DC739671233058BAF3B70D7B0CA999D3387BC5F573736D73312E65636F2D64656D6F31",
    "scope": "kobil_oneshot",
    "client_id": "test_client",
})
headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}
conn = http.client.HTTPSConnection("midprovider.kobil.com")
conn.request("POST", "/digitanium/v3/login", body, headers)
res = conn.getresponse()
data = res.read()
print(res.status, data.decode("utf-8"))
Configuration

The authentication flow configuration would be:

  • Condition - ACR KOBIL Cookie (acr=1, header/cookie name=1fa-token)
  • KOBIL PAM execution

Execution Flow

Say a more complex authentication contains the following steps:

  • username + password (1FA - First Factor)

  • IDP SDK login with result loginOTP (2FA - Second Factor)

  • In the last step you exchange both factors (1FA + 2FA) for an ID Token and Access Token.

The authentication request then contains the following.

Example

Note: In our example we use the Condition - ACR KOBIL Cookie as additional security. To satisfy it, an extra header parameter must be added to the request.

In our example we add the first-factor ID Token under the header name "1fa-token". The name is defined in the configuration of Condition - ACR KOBIL Cookie.

This line was added to the original request:

--header '1fa-token: 1fa-token-value' \

curl --location --request POST 'https://midprovider.kobil.com/digitanium/v3/login' \
--header '1fa-token: 1fa-token-value' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=test_user' \
--data-urlencode 'password=1096D3GHDD89732A2DE1161BA1DC739671233058BAF3B70D7B0CA999D3387BC5F573736D73312E65636F2D64656D6F31' \
--data-urlencode 'scope=kobil_oneshot' \
--data-urlencode 'client_id=test_client'
// Credentials in the form body; the first-factor token travels in the
// header whose name is configured in Condition - ACR KOBIL Cookie.
var settings = {
  "url": "https://midprovider.kobil.com/digitanium/v3/login",
  "method": "POST",
  "timeout": 0,
  "headers": {
    "1fa-token": "1fa-token-value",
    "Content-Type": "application/x-www-form-urlencoded"
  },
  "data": {
    "grant_type": "password",
    "username": "test_user",
    "password": "1096D3GHDD89732A2DE1161BA1DC739671233058BAF3B70D7B0CA999D3387BC5F573736D73312E65636F2D64656D6F31",
    "scope": "kobil_oneshot",
    "client_id": "test_client"
  }
};

$.ajax(settings).done(function (response) {
  console.log(response);
});
import okhttp3.*;

OkHttpClient client = new OkHttpClient().newBuilder()
    .build();
// FormBody sends the credentials in the POST body (and sets the
// application/x-www-form-urlencoded Content-Type itself).
RequestBody body = new FormBody.Builder()
    .add("grant_type", "password")
    .add("username", "test_user")
    .add("password", "1096D3GHDD89732A2DE1161BA1DC739671233058BAF3B70D7B0CA999D3387BC5F573736D73312E65636F2D64656D6F31")
    .add("scope", "kobil_oneshot")
    .add("client_id", "test_client")
    .build();
Request request = new Request.Builder()
    .url("https://midprovider.kobil.com/digitanium/v3/login")
    .method("POST", body)
    .addHeader("1fa-token", "1fa-token-value") // first-factor token; header name from the Condition config
    .build();
Response response = client.newCall(request).execute();

import http.client
import urllib.parse

# Credentials in the form-encoded body; the first-factor token goes in the
# header whose name is configured in Condition - ACR KOBIL Cookie.
body = urllib.parse.urlencode({
    "grant_type": "password",
    "username": "test_user",
    "password": "1096D3GHDD89732A2DE1161BA1DC739671233058BAF3B70D7B0CA999D3387BC5F573736D73312E65636F2D64656D6F31",
    "scope": "kobil_oneshot",
    "client_id": "test_client",
})
headers = {
    '1fa-token': '1fa-token-value',
    'Content-Type': 'application/x-www-form-urlencoded'
}
conn = http.client.HTTPSConnection("midprovider.kobil.com")
conn.request("POST", "/digitanium/v3/login", body, headers)
res = conn.getresponse()
data = res.read()
print(res.status, data.decode("utf-8"))
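The following is an added example, not KOBIL's own code, that ties together the Postman steps, the Develop request and the 1FA + 2FA exchange above: it builds the Resource Owner Password Credentials request for either scope (password or login OTP in the password field, credentials in the form body rather than the URL, optional client_secret, optional first-factor header), interprets the token response, and checks the ACR value on the returned token. It assumes, which this page does not state, that the endpoint answers with a standard OAuth 2.0 JSON token response and that the access token is a JWT whose payload carries an acr claim; the sample responses are constructed, and the function and header names other than 1fa-token are the example's own.

```python
"""Build and interpret the KOBIL PAM token request (added example).

Assumptions, not stated on this page: the endpoint answers with a standard
OAuth 2.0 JSON token response ("access_token", "refresh_token", or "error" and
"error_description"), and the access token is a JWT whose payload carries the
"acr" claim set by "Result ACR Value". Sample responses below are constructed.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://midprovider.kobil.com/digitanium/v3/login"  # endpoint from the page's examples
SCOPES = ("kobil_password", "kobil_oneshot")


def build_token_request(username, secret, scope, client_id, client_secret=None,
                        first_factor_token=None, first_factor_header="1fa-token"):
    """Return (url, headers, body) for a Resource Owner Password Credentials request.

    `secret` is the user's password for scope kobil_password, or the login OTP
    from the IDP SDK's LoginEnd callback for scope kobil_oneshot. Credentials go
    in the form body, never the query string, so they do not land in access logs,
    proxies or browser history. `first_factor_token` is the 1FA ID token that
    Condition - ACR KOBIL Cookie expects; the header name comes from its config.
    """
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}")
    form = {
        "grant_type": "password",
        "username": username,
        "password": secret,
        "scope": scope,
        "client_id": client_id,
    }
    if client_secret is not None:  # confidential clients, as in the Postman steps
        form["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if first_factor_token is not None:
        headers[first_factor_header] = first_factor_token
    return TOKEN_URL, headers, urllib.parse.urlencode(form).encode()


def parse_token_response(status, raw_body):
    """Return (tokens, None) on success or (None, error_text) on failure."""
    try:
        data = json.loads(raw_body)
    except ValueError:
        return None, f"HTTP {status}: non-JSON body"
    if status == 200 and "access_token" in data:
        return data, None
    error = data.get("error", f"HTTP {status}")
    description = data.get("error_description", "")
    return None, (f"{error}: {description}" if description else error)


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature: inspection only;
    verify the signature before trusting any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def acr_matches(access_token, expected_acr):
    """Check that the token carries the configured Result ACR Value (assumed claim name: acr)."""
    return jwt_claims(access_token).get("acr") == expected_acr


def request_token(**kwargs):
    """Perform the request over the network (not exercised offline)."""
    url, headers, body = build_token_request(**kwargs)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx: body still carries the OAuth error JSON
        return parse_token_response(err.code, err.read())


def _unsigned_jwt(claims):
    """Build a JWT-shaped string with an empty signature, only to construct sample data."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample responses (not captured from a real KOBIL server).
SAMPLE_OK_BODY = json.dumps({
    "access_token": _unsigned_jwt({"sub": "test_user", "acr": "2", "scope": "kobil_oneshot"}),
    "refresh_token": "constructed-refresh-token",
    "token_type": "Bearer",
    "expires_in": 300,
})
SAMPLE_ERROR_BODY = json.dumps({"error": "invalid_grant",
                                "error_description": "Invalid user credentials"})

if __name__ == "__main__":
    url, headers, body = build_token_request("test_user", "<login OTP>", "kobil_oneshot",
                                             "test_client", first_factor_token="1fa-token-value")
    print(url, headers, body.decode())
    tokens, err = parse_token_response(200, SAMPLE_OK_BODY)
    print("acr ok:", acr_matches(tokens["access_token"], "2"))
    print("failure:", parse_token_response(400, SAMPLE_ERROR_BODY)[1])
```

Running the module offline exercises the request builder against the constructed responses only; `request_token(...)` performs the real exchange. The decode in `jwt_claims` is deliberately unverified so the example stays dependency-free; in production, validate the signature against the issuer's keys before acting on the acr value.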