Tags: wso2, wso2-api-manager, wso2-identity-server

Wso2 Identity Server 5.11: validate-code api not working as expected


I am trying to implement this feature for mobile update verification.

When I try to validate the code using the validate-code API as described in the documentation above, I get 2 different responses depending on how I invoke the API.

If I use the /me endpoint:

curl -k -v -X POST -H "Authorization: Basic XXXXXX=" -H "Content-Type: application/json" -d '{ "code": "XXXX","properties": []}' "https://localhost:9443/api/identity/user/v1.0/me/validate-code"

it works like a charm: I get my 202 HTTP response and the code is validated.

On the other hand, when I invoke the API without the /me endpoint, as presented in the swagger docs on Self Registration REST APIs:

curl -k -v -X POST -H "Authorization: Basic xxxx" -H "Content-Type: application/json" -d '{ "code": "XxxxxX","verifiedChannel":{"type":"SMS", "claim":"http://wso2.org/claims/mobile"},"properties": []}' "https://localhost:9443/api/identity/user/v1.0/validate-code"

I get a 400 HTTP response with the error below:

{"code":"18001","message":"Bad Request","description":"Invalid Code '%s.'"}

Am I doing something wrong? Has anybody experienced the same behavior?

Thanks in advance


Solution

  • I experienced the same behavior as you mentioned.

    The intention of the api/identity/user/v1.0/validate-code API is to confirm that an OTP value belongs to any user, by a privileged user who has the permission /permission/admin/manage/identity/identitymgt.

    There is a possibility of the OTP getting into the possession of an illegitimate party if the user mistakenly enters an invalid number. Hence any logged-in user who has sufficient privilege can submit a valid OTP of another user and verify that mobile number as the correct mobile number value using the /user/v1.0/validate-code API.

    The possible way to overcome this is to verify whether the logged-in user who is submitting the OTP is the same user whose mobile number is updated.

    Hence the self validate-code API is the only supported and valid option to confirm the OTP to verify the mobile number. https://api-docs.wso2.com/apidocs/is/is511/selfregister-v5.11.0/#!/operations#SelfRegister#meValidateCodePost

    The document needs to be updated. The WSO2 team will track and update it. Doc issue: https://github.com/wso2/product-is/issues/16777
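To make the distinction in the answer concrete, here is an added, self-contained model of the two flows (this is example code written for this page, not WSO2 Identity Server code). The class and method names (OtpStore, issue, validate_code_privileged, me_validate_code) and the sample users and numbers are assumptions made for the example; the 400 body mirrors the one quoted in the question. The privileged endpoint resolves a pending entry by code alone, so any caller holding the admin permission can confirm a code issued to someone else; the /me endpoint additionally requires that the code was issued to the authenticated caller, which is the check the answer describes as the way to close the gap.

```python
import hmac
import secrets
import time

# Constructed in-memory model (not WSO2 code) of the two validate-code flows.
# ADMIN_PERMISSION and MOBILE_CLAIM are the values quoted on the page; everything
# else here is an assumption made for the example.
ADMIN_PERMISSION = "/permission/admin/manage/identity/identitymgt"
MOBILE_CLAIM = "http://wso2.org/claims/mobile"

# Error body modelled on the 400 response quoted in the question.
INVALID_CODE = {"status": 400, "code": "18001", "message": "Bad Request",
                "description": "Invalid Code"}


class OtpStore:
    """Keeps pending OTPs keyed by code, the way a recovery-data table would."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}   # code -> (owner, claim, value, expires_at)
        self.verified = {}   # (owner, claim) -> value confirmed by a valid code

    def issue(self, owner, claim, value, now=None):
        """Issue a 6-digit OTP that, once confirmed, marks `value` verified for `owner`."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[code] = (owner, claim, value, now + self.ttl)
        return code

    def _lookup(self, code, now):
        # Constant-time comparison against each stored code instead of a direct
        # dict index, so a near miss costs the same as a completely wrong guess.
        match = next((c for c in self._pending if hmac.compare_digest(c, code)), None)
        if match is None:
            return None
        owner, claim, value, expires_at = self._pending[match]
        if now > expires_at:
            del self._pending[match]     # expired codes are dropped on first touch
            return None
        return match, owner, claim, value

    def _confirm(self, match, owner, claim, value):
        del self._pending[match]         # single use: a replay gets 400
        self.verified[(owner, claim)] = value
        return {"status": 202, "verifiedUser": owner}

    def validate_code_privileged(self, caller, caller_permissions, code, now=None):
        """Models /validate-code: the code alone identifies the pending entry."""
        now = time.time() if now is None else now
        if ADMIN_PERMISSION not in caller_permissions:
            return {"status": 403, "description": "Forbidden"}
        found = self._lookup(code, now)
        if found is None:
            return dict(INVALID_CODE)
        # No caller == owner check: any privileged caller can confirm any user's code.
        return self._confirm(*found)

    def me_validate_code(self, caller, code, now=None):
        """Models /me/validate-code: the code must have been issued to the caller."""
        now = time.time() if now is None else now
        found = self._lookup(code, now)
        if found is None or found[1] != caller:
            # A code issued to someone else is indistinguishable from an unknown code.
            return dict(INVALID_CODE)
        return self._confirm(*found)


def demo():
    """Alice mistypes her number; the OTP lands with Bob, who holds the admin permission."""
    store = OtpStore()
    code = store.issue("alice", MOBILE_CLAIM, "+10000000002", now=1000.0)
    # Privileged endpoint: Bob's submission is accepted and Alice's mobile claim is
    # marked verified against a number Alice does not control.
    privileged = store.validate_code_privileged("bob", {ADMIN_PERMISSION}, code, now=1001.0)

    store2 = OtpStore()
    code2 = store2.issue("alice", MOBILE_CLAIM, "+10000000002", now=1000.0)
    # /me endpoint: the same submission by Bob fails; only Alice can confirm her own code.
    bob_me = store2.me_validate_code("bob", code2, now=1001.0)
    alice_me = store2.me_validate_code("alice", code2, now=1001.0)
    return privileged, bob_me, alice_me


if __name__ == "__main__":
    for label, result in zip(("privileged", "bob via /me", "alice via /me"), demo()):
        print(f"{label}: {result}")
```

The `now` parameter exists only so expiry can be exercised deterministically; a real service would use the clock. The model also enforces single use and a TTL, which are worth checking in any OTP flow regardless of which endpoint confirms the code.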