Customized registration form and OTP via SMS

[Matteo182]

I need to create a SSO on a tiketing portal, but this requires me to enter an OTP sent via SMS to the mobile phone of the user who is registering.

so the flow should be this:

1. the user registers on the WP via my customized form,
2. sends the data to the Tiketing portal,
3. this sends the OTP via SMS to the registered mobile phone.
4. On the customized form I wait for the portal's response and then open the form to have the user enter the OTP.
5. Then I send the OTP to the portal and if correct the user is registered on WordPress and the tiketing portal.

Are there hooks that allow me to insert this in the middle of the plugin's login procedure?

I believe that the plugin alone sends all the user data directly from the Tiketing portal, so maybe I should prevent him from making the call until I also have the OTP and make the first custom call myself? Or I make the plugin make the first call and then stop the login via a hook and wait for the OTP, what do you suggest I do?

I also have the reverse login or rather if a user clicks login from the Tiketing portal this redirects the user to WordPress where he will log in and then he will be redirected to the tiketing portal.
But I think this can already be managed without further changes given that the user is already registered and does not need an OTP, and it would be the normal login procedure.

thanks a lot to whoever will help me

[timnolte]

This plugin doesn't perform background SSO logins, or anything with registration. This plugin sends the user to the IDP for login and any OTP required by the IDP would happen on the IDP side and has nothing to do with the WordPress login.

[Matteo182]

so I could make my custom form, and upon entering the phone I would make a custom call to the IDP which returns the OTP, and then use the plugin to send all the data to the IDP, right? and how can I start the plugin after I have received the OTP confirmation?

[timnolte]

I think you are misunderstanding how this plugin works and how its intended to be used. The plugin is not an authentication library. It is designed to be used with WordPress authentication along with an OpenID Connect IDP. The IDP should be taking care of all authentication and verification.

It sounds like you are trying to setup your own embedded authentication flow that prevents sending your users to the IDP, this plugin is not designed to be used that way and you will be introducing security risks to your users if you proceed that way.

[Matteo182]

So you're telling me that the plugin requires the user to already be registered on the IDP, and this plugin helps me authenticate him on WordPress? So I can't do the opposite, i.e. register it on WordPress and authenticate it on another portal, right?

I need to create a reverse plugin of this one you created

ok if that's the case, thank you very much anyway. I'll have to do it by hand

[timnolte]

This plugin does provide auto-provisioning of new WordPress accounts through the SSO authentication process. Depending on the IDP you are using you can also have self service registration setup on the IDP. There is an OpenID Connect extension for asking the IDP to begin a user registration process, but that is still all on the IDP side to setup, not on the RP side. We don't currently support that feature though it is something that has been brought up before that we might consider supporting.

https://openid.net/specs/openid-connect-prompt-create-1_0.html

Generally, the IDP is the central location of accounts, but it seems like you are really wanting your WordPress site to be the IDP.

It really would be wise to read through the various specs so that you are clear on how OIDC is intended to work.