Onboard User with Email and Mobile Process
Content
Overview
ULM cloud uses the user's supplied email address or mobile number as the basis for User ID creation. The email/mobile is registered as an unverified authentication identifier (or authN ID) that subsequently needs to be verified by the Activate User Process before the user can Authenticate into the service.
Note: Front-end human actors that interact with the system are noted as users with a lowercase "u." User IDs or ULM User entities are noted with an upper case "U."
Process Flow
This table describes the Onboard with Email/Mobile Process from a high-level, "happy path" flow.
| Onboarding with Email and Mobile | |||
|---|---|---|---|
| Actors | Frontend user, Client Application, ULM Cloud. | ||
| Pre-Conditions | The User ID does not yet exist in ULM (i.e., the ULM User entity does not yet exist in the cloud data store) | ||
| The prospective user is currently anonymous | |||
| Basic Flow | 1 | The user navigates to the application's "Create an ID" or "Sign Up" page, and enters their email and/or mobile number, plus any other information required by the application. | |
| User Input Fields | |||
| Email Address | User's email. Mandatory if mobile number is not provided. | ||
| Mobile Number | User's phone number. Mandatory is email is not provided. | ||
| Password | Desired password. Mandatory. | ||
| Additional Fields | Optional user input fields: First Name, Last Name, Displayname, and Language Preference. | ||
| Notes: - The Process accepts/rejects a password based on rules under the Password Complexity Rules setting. - The Process ends, without user creation, if the provided email/mobile already exists in ULM Cloud. |
|||
| 2 | The Process creates the ULM User ID, and registers the email/mobile as an authN ID on the User entity. | ||
| Notes: - Both the ULM User ID and its registered authN ID(s) are created with an activating status. |
|||
| 3 | ULM sends a verification action token to the user-supplied contact channel(s). The Process ends here. | ||
| Notes: - If the user provides an email address, ULM sends the token to the user's email as a link. The user must then click that link to trigger the Activate User Process and verify the email. - If the user provides a mobile number, ULM sends the token to the user's SMS as a custom One Time Passcode (OTP). The user must provide that OTP to the UI to trigger the Activate User Process. - If the user provides both an email and mobile number, both tokens are sent out, and both authN IDs must be verified independently. But the email address is enforced as the primary contact channel. - Any Process that results in an action token being sent to an external channel will also return a corresponding pkat to the client application. The application should retain this information for onboarding flows wherein the user needs to provide their OTP to the UI, or for a resend verification option. |
|||
| Post-Conditions | A new user exists in ULM Cloud with an unverified email and/or mobile. | ||
| The user receives a verification action token through email/SMS. | |||
| Error Messages | The provided email already exists in ULM. | ||
| The provided mobile number already exists in ULM. | |||
| The provided password does not match validation rules. | |||
| Missing expected input parameter. | |||
App Settings
Certain aspects of the Process' behaviour are controlled by configurable application settings.
| Application Settings | Default Settings | |
|---|---|---|
| Password Complexity Rules | Defines the minimum criteria for an acceptable password. Configuration points include: - Whether or not to require at least one uppercase (A-Z) character - Whether or not to require at least one lowercase (a-z) character - Whether or not to require at least one numeric (0-9) character - The minimum password length |
- A-Z: Enabled - a-z: Enabled - 0-9: Enabled - Minimum length: 8 |
| Max Failed Input Attempts | Maximum number of times the Process rejects bad input before ending. | 10 |
| tokenURL | Base for the action token URL to include in the notification message sent to the user's external channel (email). The actual token value will be appended to this String to form the complete URL. This app setting is applicable for when a user onboards with their email address. The Process sends the token out to that email for verification. |
https://idp/user_confirm?token_value= |
| Token (long-form) Expiration | Determines the number of minutes before a verification link expires. | 10080 minutes (7 days) |
| Token (short-form) Expiration | Determines the number of minutes before a short OTP expires.
This setting is not configurable; it is noted here for context. |
5 minutes |
| Valid Email Pattern | Defines the logic for an acceptable email format. | .+@.+\..+ |
| Valid Mobile Pattern | Defines the logic for an acceptable mobile number format. | ^\(?([0-9]{3})\)?[-.\s]?([0-9]{3})[-.\s]?([0-9]{4})$ |
Note: All app settings are set in the MarketONE ULM Admin web application. System managers and administrators can consult the MarketONE User Admin UI User Guide.
User Journey Flow Diagram
This flow diagram illustrates the standard user journey using the Onboarding w/Email or Mobile Process.
Note: This diagram also incorporates best practice routes to the Resend Verification and Activate User Processes.
API Walkthroughs
The following section provides guided walkthroughs of the Onboard User with Email/Mobile Process.
Onboard User with Email Scenario
This is the most conventional user onboarding flow. The Process consumes the user's email address and password, creates a new unique ULM User entity, and then registers the submitted email as an attribute and authentication identifier (authN ID) on that entity. Both the ULM User and the authN ID attribute are created with an activating status, pending verification.
Initial Request
The Process Start API initializes the Process:
| POST /process/start/onboard.OnboardUserWithEmailMobile.v1.0 |
|---|
<no body>
|
Response
The Process responds with a request for user information:
| Response Body |
|---|
{
"processId": "8bca30ca-dd44-4050-aece-53b0dbed1922",
"processName:" "onboard.OnboardUserWithEmailMobile.v1.0"
"displayMessage": "Please Enter User details for self onboarding",
"parameters": {
"email": "String",
"phone": "String",
"credential": "String",
"firstName": "String",
"lastName": "String",
"displayName": "String",
"lang": "String"
},
"stepName": "UserDetailsPrompt",
"lastStep": false
}
|
The application can leverage this information to render the actual sign-up form on the UI.
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| stepName | Name of the specific step that the Process is currently on. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| displayMessage | Optional message that the UI can display to the end user. | |
| parameters | Object that specifies the info this Process requires to continue its task. | |
| (Conditional) The user's email address. Mandatory if phone is not provided. | ||
| phone | (Conditional) The user's mobile phone number. Mandatory if email is not provided. | |
| credential | (Mandatory) The user's desired password. | |
| firstName | (Optional) The user's first name. | |
| lastName | (Optional) The user's last name. | |
| displayName | (Optional) A display name for the user. This could be just a combination of the user's first and last name or a nickname. | |
| lang | (Optional) The user's preferred language. | |
Next Request: Provide User Details
Using the Process Step API, the client passes the user-supplied info to the Process.
| PUT /process/step |
|---|
{
"processId": "8bca30ca-dd44-4050-aece-53b0dbed1922",
"parameters": {
"credential": "GoodPas$word123",
"email": "bob@example.com"
}
}
|
Request Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| parameters | Data object that contains the data requested in the previous Process response. | |
| The user's email address. | ||
| credential | The user's desired password. | |
Response: Success and User Creation
If the email and password pass validation, the Process completes its task and returns a 200 HTTP status code. The Process also sends an action token out to the user's email address in the form of a clickable verification link.
| Response Body |
|---|
{
"processId": "8bca30ca-dd44-4050-aece-53b0dbed1922",
"processName": "onboard.OnboardUserWithEmailMobile.v1.0",
"output": {
"pkat": "sdfsd-gfsdfgsd-sdgsdg-sfddsf-dsfsdf",
},
"lastStep": true
}
|
OTP Verification and Resend Verification
Any Process step that sends a ULM action token also returns a corresponding pkat to the client application. In order to enable OTP verification on the UI, the client must retain the pkat returned by the final Process step. The pkat, along with the user supplied OTP, is required for the GET /session/token?customToken={OTP}&pkat={pkat} API to invoke the Activate User Process.
In cases where the user is anonymous, the pkat is required if the application wants to provide a quick token resend option on the UI, using the PUT /session/token?pkat={pkat} API. This method applies to cases where the user is anonymous (i.e., they are not authenticated in ULM). However, if the user is currently authenticated in ULM, the client application can instead invoke the Resend Verification Process for this purpose.
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| output | Object that contains data that the client can consume, retain, and use for additional operations. | |
| pkat | Unique Proof Key for Action Token that corresponds to an existing action token. See Action Tokens for more details. | |
The user has successfully onboarded with their email address.
Onboard User with Mobile Scenario
The flow is similar to the Email Onboarding flow above, except the verification action token is sent to the user over SMS, and it is sent as a short-form OTP. The user needs to manually supply that OTP to the UI for verification.
The Process consumes the user's mobile number and password, creates a new unique ULM User entity, and then registers the submitted mobile as an attribute and authentication identifier (authN ID) on that entity. Both the ULM User and the authN ID attribute are created with an activating status, pending verification.
Initial Request
The Process Start API initializes the Process:
| POST /process/start/onboard.OnboardUserWithEmailMobile.v1.0 |
|---|
<no body>
|
Response
The Process responds with a request for user information:
| Response Body |
|---|
{
"processId": "8bca30ca-dd44-4050-aece-53b0dbed1922",
"processName:" "onboard.OnboardUserWithEmailMobile.v1.0"
"displayMessage": "Please Enter User details for self onboarding",
"parameters": {
"email": "String",
"phone": "String",
"credential": "String",
"firstName": "String",
"lastName": "String",
"displayName": "String",
"lang": "String"
},
"stepName": "UserDetailsPrompt",
"lastStep": false
}
|
Note: The application can leverage this information to render the actual sign-up form on the UI.
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| stepName | Name of the specific step that the Process is currently on. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| displayMessage | Optional message that the UI can display to the end user. | |
| parameters | Object that specifies the info this Process requires to continue its task. | |
| (Conditional) The user's email address. Mandatory if phone is not provided. | ||
| phone | (Conditional) The user's mobile phone number. Mandatory if email is not provided. | |
| credential | (Mandatory) The user's desired password. | |
| firstName | (Optional) The user's first name. | |
| lastName | (Optional) The user's last name. | |
| displayName | (Optional) A display name for the user. This could be just a combination of the user's first and last name or a nickname. | |
| lang | (Optional) The user's preferred language. | |
Next Request: Provide User Details
Using the Process Step API, the client passes the user-supplied info to the Process.
| PUT /process/step |
|---|
{
"processId": "8bca30ca-dd44-4050-aece-53b0dbed1922",
"parameters": {
"credential": "GoodPas$word123",
"phone": "4161234567"
}
}
|
Request Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| parameters | Object that contains the data requested in the previous Process response. | |
| phone | The user's mobile number. | |
| credential | The user's desired password. | |
Response: Success & User Creation
If the mobile and password pass validation, the Process completes its task and returns a 200 HTTP status code. The Process also sends an action token out to the user's mobile number.
| Response Body |
|---|
{
"processId": "8bca30ca-dd44-4050-aece-53b0dbed1922",
"processName": "onboard.OnboardUserWithEmailMobile.v1.0",
"output": {
"pkat": "sdfsd-gfsdfgsd-sdgsdg-sfddsf-dsfsdf",
},
"lastStep": true
}
|
OTP Verification and Resend Verification
Any Process step that sends a ULM action token also returns a corresponding pkat to the client application. In order to enable OTP verification on the UI, the client must retain the pkat returned by the final Process step. The pkat, along with the user supplied OTP, is required for the GET /session/token?customToken={OTP}&pkat={pkat} API to invoke the Activate User Process.
In cases where the user is anonymous, the pkat is required if the application wants to provide a quick token resend option on the UI, using the PUT /session/token?pkat={pkat} API. This method applies to cases where the user is anonymous (i.e., they are not authenticated in ULM). However, if the user is currently authenticated in ULM, the client application can instead invoke the Resend Verification Process for this purpose.
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| output | Object that contains data that the client can consume, retain, and use for additional operations. | |
| pkat | Unique Proof Key for Action Token that corresponds to an existing action token. See Action Tokens for more details. | |
Error Scenario: Invalid Credentials
If the user provides an invalid password, the Process responds with a HTTP 400 status code.
The body includes a fieldErrors array with the reason(s) as to what went wrong:
| Response Body |
|---|
{
"processId": "8bca30ca-dd44-4050-aece-53b0dbed1922",
"stepName": "UserDetailsPrompt"
"fieldErrors": [
{
"field": "credential",
"code": "NotWeakPassword",
"rejectedValue": "test",
"message": "password-regex-rule-violation-.*[0-9].*"
},
{
"field": "credential",
"code": "NotWeakPassword",
"rejectedValue": "test",
"message": "blacklisted-password"
},
{
"field": "credential",
"code": "NotWeakPassword",
"rejectedValue": "test",
"message": "password-regex-rule-violation-.{8,}"
},
{
"field": "credential",
"code": "NotWeakPassword",
"rejectedValue": "test",
"message": "password-regex-rule-violation-.*[A-Z].*"
}
],
"lastStep": false,
"lastFailedStepAction": {
"processId": "8bca30ca-dd44-4050-aece-53b0dbed1922",
"displayMessage": "Please Enter User details for self onboarding",
"parameters": {
"email": "String",
"phone": "String",
"credential": "String"
},
"stepName": "UserDetailsPrompt"
}
}
|
In the above example, the fieldErrors array indicates the following:
- The password fails to include at least one number (0-9)
- The password is on an internal list of commonly banned passwords
- The password fails to meet the minimum length of (8 characters)
- The password fails to include at least one capital (A-Z)
Note: Rules are configured under the Password Complexity Rules setting in the MarketONE ULM Admin UI.
The Process also includes a lastStepFailedAction object that repeats the previous Process step's request. The user can re-attempt their request with a different (ideally stronger) password, and complete their onboarding as normal.
Error Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | The unique identifier for this instance of the Process. | |
| stepName | The internal name of the step that the Process is currently on / just executed. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| fieldError | Array of possible error objects. Each object describes a separate error condition. | |
| field | The name of the specific field where the error occurred. | |
| code | The name of the specific field where the error occurred. | |
| rejectedValue | The actual value that caused the error. | |
| message | Optional message that describes the error. | |
| lastFailedStepAction | Object that repeats the previous Process step's details and required input. This allows the client to retry the failed request. | |
Error Scenario: AuthN ID is Already in Use
If the user provides an authN ID that already exists in ULM, the Process responds with an HTTP 401 status code. The response body includes an operationError array with the reason(s) as to what went wrong:
| Response Body |
|---|
{
"processId": "8bca30ca-dd44-4050-aece-53b0dbed1922",
"stepName": "UserDetailsPrompt"
"lastStep": false,
"operationError": [
{
"code": "already-exist-phone",
"type": "com.uxpsystems.mint.framework.ulm.process.service.ServiceStep.GeneralFailure",
"message": "Failed to create a user with duplicated phone number",
"authorities": [
{
"authority": "ROLE_ANONYMOUS"
}
]
}
],
"lastFailedStepAction": {
"processId": "b02ad80c-6116-408c-b03b-e4a32852dd41",
"processName": "onboard.OnboardUserWithEmailMobile.v1.0",
"displayMessage": "Please Enter User details for self onboarding",
"parameters": {
"credential": "String",
"phone": "String",
"displayName": "String",
"lang": "String",
"email": "String"
},
"stepName": "UserDetailsPrompt"
}
}
|
Additionally, the Process includes a lastStepFailedAction object that repeats the previous Process step's request. The user can make sure they entered the correct authN ID, retry their request, and complete the Process as normal.
Error Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | The unique identifier for this instance of the Process. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| stepName | The internal name of the step that the Process is currently on / just executed. | |
| lastFailedStepAction | Object that repeats the previous Process step's details and required input. This allows the client to essentially retry the failed request. | |
| operationError | Array of possible error objects. Each object describes a separate error condition. | |
| code | An error object's internal code name. | |
| type | Internal reference of the operation error type. | |
| message | Optional message that describes the error in a human readable format. | |
| authorities | The list of authority roles currently granted to the user. Can be used to help supply context to authorization errors (i.e. a process requires a user to be authenticated to ULM Cloud, however they are currently anonymous). | |
Error Codes
Below is a comprehensive list of potential error codes that may be returned during the execution of this Process.
Common Error Codes
| HTTP Status | ULM Error Code | Description |
|---|---|---|
| 400 | process-terminated-with-too-many-retries | Process terminated with too many user input attempts. |
Process-Specific Error Codes
| HTTP Status | Format | ULM Error Code | FieldError | Description |
|---|---|---|---|---|
| 400 | validation error | NotWeakPassword | newPassword | The password provided did not meet the minimum criteria for a sufficiently complex password. |
| 400 | validation error | NotEmpty | newPassword | No password was supplied. |
| 400 | operation error | user-without-authnid | N/A | An attempt was made to update the user's password, but they do not have a corresponding authentication identifier (thus rendering a password useless). |
| 400 | operation error | user-without-authnid | N/A | The user provided an incorrect value as their current password. |
Revision History
| Version | Description |
|---|---|
| 2020.09 | Added this topic. |