
Push Notification

TMS TRANSACTION

The Transaction Management Service (TMS) is designed to manage and streamline various types of transactions, including device login, financial transactions, and more, with a focus on efficiency and security.

Configuration required for TMS

  1. Configure the following JSON in a file. Before importing it into anything other than a test realm, replace the sample `tmsadmin` password `Admin@123` (it appears both under `credentials` and as `settings.AST_ADMIN_PASSWORD`) and restrict the wildcard `redirectUris` entry `"*"` to the exact callback URLs you use. Note also that the `json-error-script` value as shown ends without the closing `}` of its outer object (compare `json-script`); add it before use.
{
"clients": [
{
"id": "2c8486bb-b8ef-4918-ad93-83fa184c643d",
"clientId": "TMSClient",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"*"
],
"webOrigins": [],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": true,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"saml.multivalued.roles": "false",
"saml.force.post.binding": "false",
"frontchannel.logout.session.required": "false",
"oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature.keyinfo.ext": "false",
"use.refresh.tokens": "true",
"oidc.ciba.grant.enabled": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"saml.client.signature": "false",
"require.pushed.authorization.requests": "false",
"saml.allow.ecp.flow": "false",
"saml.assertion.signature": "false",
"id.token.as.detached.signature": "false",
"client.secret.creation.time": "1695302414",
"saml.encrypt": "false",
"login_theme": "kobilv2",
"saml.server.signature": "false",
"exclude.session.state.from.auth.response": "false",
"saml.artifact.binding": "false",
"saml_force_name_id_format": "false",
"tls.client.certificate.bound.access.tokens": "false",
"acr.loa.map": "{}",
"saml.authnstatement": "false",
"display.on.consent.screen": "false",
"token.response.type.bearer.lower-case": "false",
"saml.onetimeuse.condition": "false"
},
"authenticationFlowBindingOverrides": {
"browser": "e4d6f5c3-a5cb-4afd-b1a8-7405d172a03e"
},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": [
"web-origins",
"profile",
"roles",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
}
],
"authenticationFlows": [
{
"id": "e4d6f5c3-a5cb-4afd-b1a8-7405d172a03e",
"alias": "TMSAuthFlow",
"description": "",
"providerId": "basic-flow",
"topLevel": true,
"builtIn": false,
"authenticationExecutions": [
{
"authenticator": "kobil-1fa-authenticator",
"authenticatorFlow": false,
"requirement": "REQUIRED",
"priority": 3,
"autheticatorFlow": false,
"userSetupAllowed": false
},
{
"authenticatorConfig": "config",
"authenticator": "kobil-ast-tms-auth",
"authenticatorFlow": false,
"requirement": "REQUIRED",
"priority": 4,
"autheticatorFlow": false,
"userSetupAllowed": false
}
]
}
],
"authenticatorConfig": [
{
"id": "3a1b2409-437c-4f58-82f1-a1c716a5aee9",
"alias": "config",
"config": {
"CONFIG_TMS_REQUEST_DATA": "{\"origin\":\"KSA\",\"introduction1_en\":\"Please check your transaction details\",\"authorizationHeader_en\":\"LOGIN VERIFICATION\",\"authorizationData_en\":[{\"key\":\"Username\",\"valueText\":\"{username}\"}],\"dataSummary_en\":[{\"key\":\"BrowserAgent\",\"valueText\":\"{browser}\"},{\"key\":\"IP\",\"valueText\":\"{ipAddress}\"},{\"key\":\"Time\",\"valueText\":\"{timestamp}\"},{\"key\":\"Token\",\"valueText\":\"{token}\"},{\"key\":\"Website\",\"valueText\":\"{website}\"}],\"introduction1_tr\":\"Lütfen işlem detaylarınızı kontrol edin\",\"authorizationHeader_tr\":\"GİRİŞ DOĞRULAMA\",\"authorizationData_tr\":[{\"key\":\"KullanıcıAdı\",\"valueText\":\"{username}\"}],\"dataSummary_tr\":[{\"key\":\"Tarayıcı\",\"valueText\":\"{browser}\"},{\"key\":\"IP\",\"valueText\":\"{ipAddress}\"},{\"key\":\"Tarih\",\"valueText\":\"{timestamp}\"},{\"key\":\"Token\",\"valueText\":\"{token}\"},{\"key\":\"WebSitesi\",\"valueText\":\"{website}\"}]}",
"tms-time-out": "120s",
"json-error-script": "{\n \"kobil-tms-rejected\": {\n \"title\": {\n \"en\": \"You have declined transaction sent to a device.\"\n },\n \"errorMessage\": {\n \"en\": \"Do you want to try again to sent transaction to the device?\"\n },\n \"buttons\": [\n {\n \"action\": \"restartFlow\",\n \"text\": {\n \"en\": \"Try Again\"\n },\n \"isClicked\": \"false\",\n \"key\": \"restartFlow\",\n \"includeInFormElement\": false\n }\n ]\n },\n \"kobil-lock-instruction\": {\n \"title\": {\n \"en\": \"We're sorry...\"\n },\n \"errorMessage\": {\n \"en\": \"The login process was declined or not accepted within the specified time.\"\n },\n \"buttons\": [\n {\n \"action\": \"restartFlow\",\n \"text\": {\n \"en\": \"Try Again\"\n },\n \"isClicked\": \"false\",\n \"key\": \"restartFlow\",\n \"includeInFormElement\": false\n }\n ]\n },\n \"kobil-timeout\": {\n \"title\": { \"en\": \"Unfortunately Request Timed out\" },\n \"errorMessage\": {\n \"en\": \"The transaction duration has been expired. To restart the transaction, click 'Try again'.\"\n },\n \"buttons\": [\n {\n \"action\": \"restartFlow\",\n \"text\": {\n \"en\": \"Try Again\"\n },\n \"isClicked\": \"false\",\n \"key\": \"restartFlow\",\n \"includeInFormElement\": false\n }\n ]\n },\n \"kobil-error\": {\n \"title\": { \"en\": \"We're sorry...\" },\n \"errorMessage\": {\n \"en\": \"some thing went wrong.\"\n },\n \"buttons\": [\n {\n \"action\": \"restartFlow\",\n \"text\": {\n \"en\": \"Try Again\"\n },\n \"isClicked\": \"false\",\n \"key\": \"restartFlow\",\n \"includeInFormElement\": false\n }\n ]\n },\n \"kobil-no-device-found\": {\n \"title\": { \"en\": \"We're sorry...\" },\n \"errorMessage\": {\n \"en\": \"No linked device found.\"\n },\n \"buttons\": [\n {\n \"action\": \"restartFlow\",\n \"text\": {\n \"en\": \"Try Again\"\n },\n \"isClicked\": \"false\",\n \"key\": \"restartFlow\",\n \"includeInFormElement\": false\n }\n ]\n }\n",
"CONFIG_BROADCAST_TMS": "true",
"config-update-mloa": "false",
"json-script": "{\n \"kobil-tms-init\": {\n \"formId\": \"kobil-tms-init\",\n \"formDisplayTitle\": {\n \"en\": \"To Start transaction.\"\n },\n \"formDescription\": {\n \"en\": \"If you have available devices, to proceed click 'Continue'. If no devices present, click 'Back'.\"\n },\n \"formDisplayButtons\": [\n {\n \"action\": \"skipTransaction\",\n \"text\": {\n \"en\": \"Back\"\n },\n \"isClicked\": false,\n \"key\": \"skipTransaction\",\n \"includeInFormElement\": false\n },\n {\n \"action\": \"unlockDevice\",\n \"text\": {\n \"en\": \"Continue\"\n },\n \"isClicked\": false,\n \"key\": \"unlockDevice\",\n \"includeInFormElement\": false\n }\n ],\n \"backButtonAction\": \"skipTransaction\"\n },\n \"kobil-device-list\": {\n \"formDisplayTitle\": {\n \"en\": \"Device List\"\n },\n \"formId\": \"kobil-tms-select-device\",\n \"formDescription\": {\n \"en\": \"Transaction will be triggered to the given device. Keep the device handy as you only have %timer% minutes to confirm.\"\n },\n \"formDisplayButtons\": [\n {\n \"action\": \"abort\",\n \"text\": {\n \"en\": \"cancel\"\n },\n \"isClicked\": \"false\",\n \"key\": \"abort\",\n \"includeInFormElement\": false\n },\n {\n \"action\": \"requestTransaction\",\n \"text\": {\n \"en\": \"Start Transaction\"\n },\n \"isClicked\": \"false\",\n \"key\": \"requestTransaction\",\n \"includeInFormElement\": false\n }\n ],\n \"backButtonAction\": \"abort\"\n },\n \"kobil-tms-waiting\": {\n \"formId\": \"kobil-tms-waiting\",\n \"formDisplayTitle\": {\n \"en\": \"Confirm the transaction on your device.\"\n },\n \"formDescription\": {\n \"en\": \"Transaction will be triggered to the device %device%, please confirm the login within/n %timer% duration./n clientBackend/n Unlock code: %secure_otp%\"\n },\n \"formDisplayButtons\": [\n {\n \"action\": \"abort\",\n \"text\": {\n \"en\": \"cancel\"\n },\n \"isClicked\": \"false\",\n \"key\": \"abort\",\n \"includeInFormElement\": false\n },\n {\n \"action\": \"reload\",\n \"text\": {\n 
\"en\": \"To Update\"\n },\n \"isClicked\": \"false\",\n \"key\": \"reload\",\n \"includeInFormElement\": false\n }\n ],\n \"backButtonAction\": \"abort\"\n },\n \"kobil-tms-accepted\": {\n \"formId\": \"kobil-tms-accepted\",\n \"formDisplayTitle\": {\n \"en\": \"Thank you for identifying\"\n },\n \"formDescription\": {\n \"en\": \"You can now access all previously used services\"\n },\n \"formDisplayButtons\": [\n {\n \"action\": \"tmsComplete\",\n \"text\": {\n \"en\": \"Getting Started\"\n },\n \"isClicked\": \"false\",\n \"key\": \"tmsComplete\",\n \"includeInFormElement\": false\n }\n ]\n }\n}",
"retrieval-time-out": "120s",
"is-zombie-device-popup-required": "false",
"POLL_FOR_TMS_RESULT": "true"
}
}
],
"users": [
{
"username": "tmsadmin",
"enabled": true,
"totp": false,
"emailVerified": false,
"disableableCredentialTypes": [],
"requiredActions": [],
"realmRoles": [
"default-roles-admin"
],
"credentials": [{
"type": "password",
"value": "Admin@123",
"temporary": false
}],
"clientRoles": {
"ks-management": [
"Admin"
],
"ks-users": [
"ast-client"
],
"ast-services": [
"ast-client",
"jwt-admin"
]
},
"notBefore": 0,
"groups": []
}
],
"settings": {
"AST_ADMIN_USER": "tmsadmin",
"AST_ADMIN_PASSWORD": "Admin@123",
"AST_ADMIN_CLIENT": "TMSClient"
}
}


note

This JSON sets up the TMS in the IDP. To execute the flow, register the user in the app (for instance, the KOBIL Super App).

  1. Navigate to Import.

Import

  1. Click on the Select file.

  2. Import the JSON file.

Selectfile

  1. In the If a resource exists option, select Skip.

  2. Click on the Import button.

Successfullycreated

  • AST configuration will be imported into the IDP.

Configure and execute the KOBIL AST TMS authenticator.

KOBIL AST TMS

The main task of this execution is to authenticate the user based on whether the user accepts or declines a confirmation message, called a transaction.

Type

ProtocolOpenID Connect 1.0
HTTP methodGET
TypeBrowser Flow
EndpointAuthorization Endpoint
Flow SupportedAuthorization code flow
Implicit flow
Hybrid flow
ResponseID Token, Access Token, Refresh Token
Response Modequery, form_post, fragment

How to configure

To access the execution's configuration, press the Actions button and select Config. The authenticator configuration screen appears; enter your configuration data there.

KOBIL AST TMS

Configuration

Parameters involved in KOBIL AST TMS
ParameterDescription
AliasDisplay name of the configuration, as shown in the authentication flow. (Example: User Group)
Enable Update MLoAEnable or disable updating device authentication levels.
Display Stale Device Cleaner PopupEnable to show the name of a device that is already registered in the AST.
Execute based on ACR flow typeIf enabled, execution will be based on the session data.
TMS Timeout TMS timeout for the transaction process.
Retrieval TimeoutDuration of the transaction.
Require Explicit AuthenticationWhether the TMS result must be submitted with a specifically authenticated token.
Require Freshness of Authentication The maximum age in seconds the access token may have when submitting the TMS result. Default value is -1 to omit this requirement.
Audit MessageAn optional message that is written to auditing.
Enable auto polling for tms resultEnable polling for the TMS result to get the accept/decline response; otherwise the user has to click the Validate button manually to fetch the TMS result.
Enable TMS result validation with Kafka responseCheck the TMS result retrieved from the Kafka topic before taking the response from the AST result endpoint. This config applies only if polling for the TMS result is disabled.
Skip TMSSkip triggering the TMS when the flow is not a transaction flow and not a new device registration.
Enable broadcasting TMSEnable to initiate transactions for the latest logged-in/activated devices.
Authentication Flow Type Type of the Authentication Flow.
ACR level to list devices Devices with an ACR level greater than or equal to the specified value are listed for sending the TMS request (Note: not applicable for the Step-Up flow type).
Skip If No Target ACR DevicesIf enabled, the transaction will be skipped; otherwise, the authenticator will be executed.
Web portal device nameConfigure the device name to be displayed in the web portal.
Enable TMS Push NotificationEnable to send the contents of the Push notification title and Push notification body.
Push notification titleConfigure the message key of the push notification title; its value is fetched from Realm localization (with locale support) or from message bundles, and the resolved title text is sent to the Master device.
Push notification bodyConfigure the message key of the push notification text; its value is fetched from Realm localization (with locale support) or from message bundles, and the resolved text is sent to the Master device.
Show success pageEnable to show the success page after completing the TMS flow.
Transaction Message  Message to be sent as part of the TMS. Use the placeholders {userid} and {token} to include login details.
Skip JSON ScriptIf enabled JSON script will not be displayed.
Skip Device SelectionIf enabled, the device ID must be present in the header so that the device selection step can be skipped.
Reset flow if user abortsEnable to redirect to the Username/Password request page when the user aborts.
JSON Script JSON to display inputs in Headless V2 theme.
JSON Error Script JSON to display the error messages in Headless V2 theme.

KOBIL AST TMS

User Flow

Execution Flow

This execution contains the following main steps:

  1. KOBIL AST TMS must be preceded by a 1FA authenticator, since it obtains the user's identity validation from that preceding authenticator (for instance, KOBIL Login).
  2. When a user executes the flow, the user is authenticated and the transaction is initiated.

Note: The TMS Transaction Keys are required to trigger the transaction.

KOBIL AST TMS