OTP Validation endpoint cannot be found

[jotamorais]

I saw in the C# SDK that, in order to validate an email OTP, it POST to /api/v1/validateotp, but I've also seen, in the official documentation, instructions to use /api/v1/otp/validate

Turns out that none of it really works.

What is the proper endpoint to validate the email OTP?

[jhickmansa]

Hey @jotamorais,

This endpoint is only available in SecureAuth IdP 9.1+. If you are not at that version, it will return a 404. If you wish to upgrade your SecureAuth IdP version, you can reach out to [email protected] or https://support.secureauth.com and they will get you updated.

I do believe we should add some comments to each of these end points to indicate the SecureAuth version required. I will discuss this internally and create a new issue if the consensus is to add these comments. Please feel free to voice your opinion on that here as well!

Thank you!

[jotamorais]

Thanks, @jhickmansa!

Yep, our current appliance version is 9.0.2 and our team is already working on the initial calls with SA's engineers to get it upgraded as soon as possible.

Regarding the code comments for the specific versions, I think it would help, but better yet would be to update (and have similar versioning method) in the SDKs so that they would be compatible with the API version they are targeting. For instance: you released SA (and consequently SA API) version 9.1.0 - you could release the SDK as 1.1.0 (as there are breaking changes in the new API version).

I guess what I am trying to say is to keep SDKs in sync with the API (and use a better versioning method for the SDK - I would suggest Semantic Versioning)

[jotamorais]

@jhickmansa ,
We upgraded our appliances to 9.1 and we managed to get a response from /api/v1/validateotp endpoint but the response is not what we expected. We are sending proper OTP (I confirmed with the one I received in my email and they match) but when I invoke the validateotp endpoint, I always get

Otp is invalid

requestUrl
"https://ssodev.sanmina.com/SecureAuth111/api/v1/validateotp"
rawRequest
"{\"user_id\":\"jonathas_morais\",\"otp\":\"298145\"}"
rawResult
"{\"status\":\"invalid\",\"message\":\"Otp is invalid.\"}"

Can you please help us to figure out what's wrong?

Thank you!

[fenton-nick]

Any update on this?

[ejsecrist]

We apologize for the lack of response on this issue. I hope you got the help you needed from SecureAuth Support.

In regards to the issue described above, When you requested the OTP from the Auth endpoint, was the OTP in the response? If yes, then IdP does not know about the OTP to validate it. Prior to the /validateotp endpoint existence, this was our only behavior (provider the OTP for the client to use in their own validation logic). In order to use the /validateotp endpoint properly, the IdP must be configured with an OTP mapping so that it can save to OTP to validate later on the /validateotp endpoint. more info about that in the 9.1 documentation here, https://docs.classic.secureauth.com/display/91docs/Validate+OTP+Authentication+API+Guide#expand-ConfigurationSteps.
in later versions, the setting is more easily configurable described here: https://docs.secureauth.com/1907/en/validate-otp-authentication-api-guide.html