Add/Update Email, Mobile, or Alias Process
Content
- Overview
- About AuthN IDs and Aliases
- Process Flow
- App Settings
- User Journey Flow Diagram
- API Walkthroughs
- Error Codes
- Revision History
Overview
This Process defines how an existing, authenticated either adds an additional authentication identifier (authN ID) to there ULM User ID, or updates (i.e., overwrites) an existing authN ID. Valid authN types include an email address or mobile number, and the authN must be verified before the user can use it for notification or authentication purposes.
This Process also includes support for adding non-verifiable user "aliases" that can be used for authentication with a password.
About AuthN IDs and Aliases
Authentication Identifiers (or authN IDs) are sometimes referred to as usernames. When a user onboards and authenticates into ULM, they supply an authN ID (email address or mobile number) and a password. An exception to this is when users onboard and authenticate using their social login account.
Every ULM User ID requires at least one verifiable email address or mobile number to be set as an authN ID. This includes the social onboarding scenario wherein the social provider returns an email address or mobile number.
ULM also supports the ability for users to add aliases to their User ID and to log in with them. For example, your business may wish to enable users to authenticate with a desired nickname, or short-form account number.
Note on Alias AuthN IDs: An alias is an authN ID with the following characteristics:
- It is an alphanumeric string
- It has a minimum of 6, and maximum of 16, character limit
- Its pattern must be distinct from an email address or mobile number pattern
- It has no entity status because it cannot be verified like an email address or mobile number
- It is unique across all user authN IDs in ULM (i.e., no two users can use the exact same alias)
Aliases cannot be verified like an external contact channel. Therefore, a user who adds an alias to their User ID can use it in the Authenticate User Process right away. However, in order to be able to add an alias to their User ID, the user must first have at least one registered, verified authN ID.
In order for users to be able to add aliases, valid alias pattern must be set in the ULM Admin UI web application, under the application Settings menu. This is the same location where valid email and mobile pattern rules are set as well.
Process Flow
This table describes the Process functionality at a high level.
| Add or Update AuthN ID | |||
|---|---|---|---|
| Actors | Frontend user, Client Application, ULM Cloud | ||
| Pre-Conditions | The user is currently authenticated in ULM | ||
| Basic Flow | 1 | The user selects to either add a new email, mobile, or alias, or to edit an existing one. | |
| 2 | The user enters their desired new authN ID value, then clicks Add. | ||
| Notes: - The provided authN ID value must be unique across all of ULM. - The provided authN ID must be in a valid format. - Email and mobile valid formats are defined in ULM Admin UI Settings menu. - If the user is updating an existing authN ID, the old and new must have the same format. |
|||
| 3 | ULM registers the new email/mobile as an authentication identifier (authN ID). The authN ID is stored as a new attribute on the User entity. The attribute status depends on the operation: | ||
| 3a | If the user is adding a new a new email/mobile, then ULM stores the attribute with an activating status. | ||
| 3b | If the user is updating an existing email/mobile. then ULM stores the attribute with a pending status. | ||
| Notes: - If the user is updating an email/mobile, they can still log into ULM with their original email/mobile until the new one is verified. See the Activate User and User Attribute Process, Alternate Flow 1 for more details. - The user can update the same email/mobile multiple times before verification. ULM keeps only the most recently updated value. - If the user is adding or updating an alias, they can use it immediately. |
|||
| Post-Conditions | The new or updated email, mobile, or alias is stored on the User entity as an attribute. The user receives an action token for verification: - If they added a new email, the token is sent as a clickable link - If they added a mobile numer, the token is sent as a short One-Time Passcode (OTP) |
||
| Error Messages | Authentication identifier already exists. The user-provided email or mobile already exists in ULM. | ||
| Invalid authentication identifier format. The original and updated email/mobile are not in the same format. | |||
| Empty authN ID. The new or updated email/mobile value is blank. | |||
| Invalid authN ID. The new or updated email/mobile format is invalid. | |||
App Settings
Certain aspects of the Process' behaviour are controlled by configurable application settings.
| ULM Admin Application Settings | Default Setting | |
|---|---|---|
| Max Failed Input Attempts | Maximum number of times the Process rejects bad input before ending. | 10 failed attempts |
| Max Aliases | Defines the maxiumum number of aliases as user can have. | 3 aliases |
| Valid Email Pattern | Defines the logic for an acceptable email format. | .+@.+\..+ |
| Valid Mobile Pattern | Defines the logic for an acceptable mobile number format. | ^\(?([0-9]{3})\)?
[-.\s]?([0-9]{3}) [-.\s]?([0-9]{4})$ |
| Token URL | Base for the action token URL to include in the notification message sent to the user's external channel (email). The actual Token value will be appended to this string to form the complete URL.
This app setting is applicable for when a user adds a new email authN ID. The Process sends the token out to that email for verification. |
https://idp/user_confirm?token_value= |
| Token (Long-Form) Expiration | Determines the number of days before a verification link expires. | 7 days |
| Token (Short-Form) Expiration | Determines the number of minutes before a short OTP expires.
This setting is not configurable; it is noted here for context. Because OTPs are shorter, they can be possibly brute forced by malicious actors. Therefore, the expiration period for an OTP is significantly shorter than a long-form verification link. |
5 minutes |
User Journey Flow Diagram
This flow diagram illustrates the standard user journey using the Add or Update User Email/Mobile Process.
Note: This diagram also incorporates user authentication, and the Resend Verification and Activate User Processes.
API Walkthroughs
This section provides guided walkthroughs of the Add/Update Email, Mobile, or Alias Process process, including demonstrations of the various branching paths the Process can take during its execution.
Add New AuthN ID Scenario (Email or Mobile)
In this flow, an authenticated user adds a new email or mobile to their User ID, independent of any existing authN IDs on the User ID.
Initial Request
The POST /process/start/{processName} API initializes the Process:
| POST /process/start/userManagement.AddOrUpdateAuthnIdentifier.v1.0 |
|---|
| <no body> |
Response
The Process responds with a request for information:
| Response Body |
|---|
{
"processId": "4e8c8ac0-c4f0-40cc-9dd5-08dd2e48510d",
"processName": "userManagement.AddOrUpdateAuthnIdentifier.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"newAuthnIdentifier": "String",
"oldAuthnIdentifier": "String"
},
"stepName": "AddOrUpdateAuthnIdentifierPrompt",
"lastStep": false
}
|
Response Parameters
| Parameter | Description |
|---|---|
| processId | Unique identifier for the current instance of this Process. |
| processName | Full name of the Process, including the category and version number. |
| stepName | The internal name of the step that the Process is currently on / just executed. |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. |
| displayMessage | Optional message that the UI can display to the end user. |
| parameters | Object that specifies the info this Process requires to continue its task. |
| newAuthnIdentifier: The user's desired new authN ID. | |
| oldAuthnIdentifier: An existing authN ID that the user wants to replace. This field is required only in the "Update" scenario. |
Next Request: Provide New authN ID
The user enters their desired authN ID and the client passes that info to the Process with the Process Step API.
| PUT /process/step |
|---|
{
"processId": "4e8c8ac0-c4f0-40cc-9dd5-08dd2e48510d",
"parameters": {
"newAuthnIdentifier": "john@example.com"
}
}
|
Request Parameters
| Parameter | Description |
|---|---|
| processId | Unique identifier for the current instance of this Process. |
| parameters | Object that contains the data that was requested in the previous Process response. |
| newAuthnIdentifier: The user's new authN ID (email, mobile, or alias). |
Response: Success
If the new authN ID does not match an existing authN ID already assigned to the user (or any other ULM User ID), the Process completes its task and returns a 200 HTTP status code. The Process also sends an action token to the user through email or SMS.
| Response Body |
|---|
{
"processId": "4e8c8ac0-c4f0-40cc-9dd5-08dd2e48510d",
"processName": "userManagement.AddOrUpdateAuthnIdentifier.v1.0",
"lastStep": true,
"output": {
"newAuthnIdentifier": {
"id": 3,
"status": "activating",
"value": "john@example.com"
},
"attributeName": "emails",
"pkat": "4c6fd6cd-78a7-487d-b746-2628a77a0131"
}
}
|
OTP Verification & Resend Verification
Any Process step that sends a ULM action token also returns a corresponding pkat to the client application. In order to enable OTP verification on the UI, the client must retain the pkat returned by the final Process step. The pkat, along with the user supplied OTP, is required for the GET /session/token?customToken={OTP}&pkat={pkat} API to invoke the Activate User Process.
In cases where the user is anonymous, the pkat is required if the application wants to provide a quick token resend option on the UI, using the PUT /session/token?pkat={pkat} API. This method applies to cases where the user is anonymous (i.e., they are not authenticated in ULM). However, if the user is currently authenticated in ULM, the client application can instead invoke the Resend Verification Process for this purpose.
| Parameter | Description | ||
|---|---|---|---|
| processId | The unique identifier for this instance of the Process. | ||
| processName | Full name of the Process, including the category and version number. | ||
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | ||
| output | Object that contains data that the client can consume, retain, and use for additional operations. | ||
| newAuthnIdentifier | Object that contains details of the newly provisioned authN ID. | ||
| id | Unique identifier for the authN ID. | ||
| status | The authN ID's current status. | ||
| value | The actual authN ID value. | ||
| attributeName | The authN ID grouping type (emails, mobiles, or aliases). | ||
| pkat | Unique Proof Key for Action Token that corresponds to an existing action token. See Action Tokens for more details. | ||
If the new authN ID is an email or mobile, the user cannot use it for authentication purposes until they activate (verify) it. If the new authN ID is an alias, the user can user it right away.
Update Existing AuthN ID Scenario
In this flow, an authenticated user overwrites an authN ID that already exists on their User ID.
Initial Request
The Process Start API initializes the Process:
| POST /process/start/userManagement.AddOrUpdateAuthnIdentifier.v1.0 |
|---|
| <no body> |
Response
The Process responds with a request for the authN ID(s):
| Response Body |
|---|
{
"processId": "4e8c8ac0-c4f0-40cc-9dd5-08dd2e48510d",
"processName": "userManagement.AddOrUpdateAuthnIdentifier.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"newAuthnIdentifier": "String",
"oldAuthnIdentifier": "String"
},
"stepName": "AddOrUpdateAuthnIdentifierPrompt",
"lastStep": false
}
|
Response Parameters
| Parameter | Description |
|---|---|
| processId | Unique identifier for the current instance of this Process. |
| processName | Full name of the Process, including the category and version number. |
| stepName | The internal name of the step that the Process is currently on. |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. |
| displayMessage | Optional message that the UI can display to the end user. |
| parameters | Object that specifies the info this Process requires to continue its task. |
| newAuthnIdentifier: The user's desired new authN ID. | |
| oldAuthnIdentifier: An existing authN ID that the user wants to replace. This field is required only in the "Update" scenario. |
Next Request: Provide Replacement AuthN ID
A response is crafted with input from the user:
| PUT /process/step |
|---|
{
"processId": "4e8c8ac0-c4f0-40cc-9dd5-08dd2e48510d",
"parameters": {
"oldAuthnIdentifier": "john@contoso.com",
"newAuthnIdentifier": "john@example.com"
}
}
|
Request Parameters
| Parameter | Description |
|---|---|
| processId | Unique identifier for the current instance of this Process. |
| parameters | Object that contains the data that was requested in the previous Process response. |
| newAuthnIdentifier: The user's new authN ID (email, mobile, or alias). | |
| oldAuthnIdentifier: The existing authN ID (email, mobile, or alias) that is being replaced. |
Note: The new and old authN IDs must have the same format (i.e., the user cannot update an existing email address with a mobile number, or vice versa).
Response: Success
If the new authN ID does not match an existing authN ID already assigned to the user (or any other ULM User ID), the Process completes its task and returns a 200 HTTP status code. The Process also sends an action token to the user through email or SMS.
| Response Body |
|---|
{
"processId": "4e8c8ac0-c4f0-40cc-9dd5-08dd2e48510d",
"processName": "userManagement.AddOrUpdateAuthnIdentifier.v1.0",
"lastStep": true,
"output": {
"newAuthnIdentifier": {
"id": 3,
"status": "activating",
"value": "john@example.com"
},
"oldAuthnIdentifier": {
"value": "john@contoso.com"
},
"attributeName":"emails",
"pkat": "4c6fd6cd-78a7-487d-b746-2628a77a0131"
}
}
|
OTP Verification & Resend Verification
Any Process step that sends a ULM action token also returns a corresponding pkat to the client application. In order to enable OTP verification on the UI, the client must retain the pkat returned by the final Process step. The pkat, along with the user supplied OTP, is required for the GET /session/token?customToken={OTP}&pkat={pkat} API to invoke the Activate User Process.
In cases where the user is anonymous, the pkat is required if the application wants to provide a quick token resend option on the UI, using the PUT /session/token?pkat={pkat} API. This method applies to cases where the user is anonymous (i.e., they are not authenticated in ULM). However, if the user is currently authenticated in ULM, the client application can instead invoke the Resend Verification Process for this purpose.
Response Parameters
| Parameter | Description | ||
|---|---|---|---|
| processId | The unique identifier for this instance of the Process. | ||
| processName | Full name of the Process, including the category and version number. | ||
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | ||
| output | Object that contains data that the client can consume, retain, and use for additional operations. | ||
| newAuthnIdentifier | Object that contains details of the newly provisioned authN ID. | ||
| id | Unique identifier for the authN ID. | ||
| status | The authN ID's current status. | ||
| value | The actual authN ID value. | ||
| oldAuthnIdentifier | Object that contains details of the of the authN ID to be replaced. | ||
| attributeName | The authN ID grouping type (emails, mobiles, or aliases). | ||
| pkat | Unique Proof Key for Action Token that corresponds to an existing action token. See Action Tokens for more details. | ||
Note: The old authN ID remains fully activated until the user verifies the new authN ID.
Error Scenario: Desired AuthN ID is Already in Use
This step may return errors if the Authentication Identifier provided already exists within ULM, either assigned to the current user or to any user. Below is an example of the response received when the Authentication Identifier already exists:
| Response Body |
|---|
{
"processId": "56a248cd-a14f-421d-a9c1-1220de53848f",
"lastStep": false,
"processName": "userManagement.AddOrUpdateAuthnIdentifier.v1.0",
"operationError": [
{
"code": "already-exist-authn-identifier",
"type": "com.uxpsystems.mint.framework.ulm.process.service.ServiceStep.GeneralFailure",
"message": "newAuthnIdentifier already exists",
"authorities": [
{
"authority": "ROLE_USER"
}
]
}
],
"stepName": "AddOrUpdateAuthnIdentifierPrompt",
"lastFailedStepAction": {
"processId": "56a248cd-a14f-421d-a9c1-1220de53848f",
"processName": "userManagement.AddOrUpdateAuthnIdentifier.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"newAuthnIdentifier": "String",
"oldAuthnIdentifier": "String"
},
"stepName": "AddOrUpdateAuthnIdentifierPrompt"
}
}
|
Error Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | The unique identifier for this instance of the Process. | |
| processName | Full name of the Process, including the category and version number. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| stepName | The internal name of the step that the Process is currently on / just executed. | |
| operationError | Array of possible error objects. Each object describes a specific error condition. | |
| code | An error object's internal code name. | |
| type | Internal reference of the operation error type. | |
| message | Optional message that describes the error in a human readable format. | |
| authorities | The list of authority roles currently granted to the user. Can be used to help supply context to authorization errors (e.g, a Process requires a user to be authenticated, but they are currently anonymous). | |
| lastFailedStepAction | Object that repeats the previous Process step's details and required input. This allows the client / user to retry the request. | |
Note: The user is free to retry after checking their spelling, or changing the desired authN ID value.
Error Codes
Error Codes
Below is a comprehensive list of potential error codes that may be returned during the execution of this Process.
Common Error Codes
Process-Specific Error Codes
| HTTP Status | Format | ULM Error Code | FieldError | Description |
|---|---|---|---|---|
| 400 | operation error | invalid-authn-identifier-format | n/a | oldAuthnIdentifier and newAuthnIdentifier do not match the same valid format Note: This error is an operation error because it compares both fields to ensure they are the same format, i.e. both are mobile or both are email. |
| 400 | operation error | non-existent-authn-identifier | n/a | oldAuthnIdentifier is not found |
| 409 | operation error | already-exist-authn-identifier | n/a | Duplicated authentication identifier |
| 400 | operation error | max-alias-exceeded | n/a | The alias requested to add will cause us to exceed the maximum allowed number of aliases |
| 400 | operation error | no-verified-authn-identifier | n/a | The current user has no verified emails or mobiles, so we cannot allow them to add an alias |
| 400 | validation error | ValidAuthnIdentifier | newAuthnIdentifier, oldAuthnIdentifier | Checks each individual field to ensure they are both valid formats, but cannot cross check that the formats match each other until we get to the operational error checking phase. |
| 400 | validation error | NotEmpty | newAuthnIdentifier | The newAuthnIdentifier was not supplied |
| 400 | validation error | NotWeakPassword | credential | The credential entered does not satisfy the password complexity requirements |
| 400 | validation error | NotEmpty | credential | The credential entered must not be empty |
Revision History
| Version | Description |
|---|---|
| 2020.09 | Added this topic. |