Aidbox
Aidbox.DevAidbox.CloudAidbox.OneFhirbase
Search…
Getting started
Getting Started
Installation & Configuration
Features
Licensing and Support
Versioning & Release Notes
FAQ
Aidbox configuration
Aidbox project
API constructor (beta)
Setup SMTP provider
Zen Configuration
API
FHIR API
REST API
Bulk API
Batch Upsert
Batch/Transaction
Cache
ETAG support
Reactive API
Sequence API
Encryption API
Compartments API
GraphQL API
RPC API
Aidbox UI
Profiling and validation
Profiling and validation overview
Profiling with zen-lang
Asynchronous resource validation
Profiling with AidboxProfile
Terminology
Aidbox terminology module overview
Import external (not-present) terminologies
Concept
CodeSystem
ValueSet
$translate on ConceptMap
Terminology Tutorials
FHIR Implementation Guides
🎓
HL7 FHIR Da Vinci PDex Plan Net IG
App development guides
Tutorials
Administration
Receive logs from your app
$matcho
$to-format
Security & Access Control
Overview
Authentication Flows
Basic Auth
Client Credentials Grant
Resource Owner Grant
Authorization Code Grant
Implicit Grant
Validating Foreign Access Tokens
External Oauth 2.0 Providers
Two Factor Authentication
SMART on FHIR
Configuration options
Discovery API
Access Control
Multitenancy
Storage
Archiving
Database
AWS S3
GCP Cloud Storage
Azure Blob Storage
Core Modules
Entities & Attributes
$json-schema
Monitoring
Logging & Audit
Modules
HL7 v2 Integration
FHIR Resources
Custom Resources
Aidbox Search
First-Class Extensions
Multibox
Multibox box manager API
Plan API
Plan API Overview
Patient Access API
Integrations
Analytics
Audit
Authentication
Tools
Mappings
Aidbox SDK
Contact us
Powered By GitBook
Two Factor Authentication
This article explains 2FA implementation in Aidbox
This feature is in beta right now. If you have any feedback or comments, reach out to us!
Two Factor Authentication is not supported for external OAuth 2.0 providers
Aidbox supports Two Factor Authentication with TOTP (time-based one-time passwords). This article explains how to enable 2FA for a user, login with one-time password, and get an access token for your application. Familiarity with OAuth 2.0 and TOTP is suggested.

Try demo app with 2FA implementation

We've prepared the demo Python/TypeScript app with Devbox, so you can run everything in your local environment. The implemented scenario includes signup and login user flows.
Clone the open-source application repository. Follow the instructions to see how does 2FA work.
First of all, you need to define 3 resources in the manifest.py file​

1. AuthConfig

AuthConfig resource is required for 2FA process. In the demo app, we've generated the following AuthConfig with the name "app"
AuthConfig app
1
twoFactor:
2
webhook:
3
headers:
4
Authorization: Basic dHdvLWZhY3Rvci13ZWJob29rOnR3by1mYWN0b3Itd2ViaG9vaw==
5
endpoint: 'http://devbox:8080/webhook/two-factor-confirmation'
6
issuerName: Demo
7
validPastTokensCount: 5
8
id: app
9
resourceType: AuthConfig
Copied!
AuthConfig attribute
meaning
twoFactor.issuerName
Name of the TOTP token issuer that is shown in authenticator
twoFactor.validPastTokensCount
Number of previous tokens that are considered valid. Used to improve user experience if standard 30 seconds token lifetime is not enough.
twoFactor.webhook.endpoint
Endpoint to send the TOTP token to during login. Used to support scenarios when it's not possible to use the mobile authenticator. For instance, a service integrated with twilio may listen on this address.
twoFactor.webhook.timeout
Timeout for webhook in milliseconds
twoFactor.webhook.headers
Key-value headers for webhook
theme.styleUrl
URL to external stylesheet to customise how the authentication form looks like
theme.title
Title to use on the authentication form
theme.brand
Application name to display on the authentication page

2. Client

Client resource is required for 2FA process. In the demo app we've generated the following Client resource with the name "web"
1
auth:
2
implicit:
3
redirect_uri: 'http://localhost:3000/auth'
4
first_party: true
5
grant_types:
6
- implicit
7
id: web
8
resourceType: Client
Copied!
Read more about Client resource configuration here​

3. Provider

Provider resource belongs to the AidboxConfig. It defines the transport for sending email notifications, which is part of the signup flow. Since we do not want to send real emails in the demo app, we'll send notifications to the Console output stream. You can find the generated Provider resource below
1
provider:
2
console:
3
type: console
4
default: console
5
id: provider
6
resourceType: AidboxConfig
Copied!
​
2FA Form
When the user scans the QR code and enters the token, he is redirected to the 2FA settings page. Aidbox saves that 2FA is enabled for this user into the User.twoFactor attribute.
Next time when the user logs into the system, the TOTP authentication page will be shown. Using the mobile authenticator (or any other transport) the user enters the code and gets redirected to the application. You can configure which OAuth 2.0 flow by changing Client configuration and login endpoint query parameters.

Disable 2FA

To disable 2FA for a particular user, redirect the user to the following URL. When the user enters a token, they get redirected to the 2FA settings page. Aidbox sets User.twoFactor.enabled to false.
1
GET /auth/two-factor/disable
Copied!
​
Previous
Okta
Next
SMART on FHIR
Last modified 1yr ago
Copy link
Contents
Try demo app with 2FA implementation