DICE Integration

.circleci/config.yml

@@ -146,7 +146,7 @@ workflows:
           context : org-global
           filters:
             branches:
-              only: [dev, 'feature/jira-plat-152']
+              only: [dev, 'feature/jira-plat-152', 'auth0-kt']
       # Production build is executed on "master" branch only.
       - "build-prod":
           context : org-global

build/build-image.sh

@@ -25,7 +25,7 @@ VER=`date "+%Y%m%d%H%M"`
 # }
 
 # configure_aws_cli
-aws s3 cp "s3://appirio-platform-$CONFIG/services/common/dockercfg" ~/.dockercfg
+# aws s3 cp "s3://appirio-platform-$CONFIG/services/common/dockercfg" ~/.dockercfg
 
 # Elastic Beanstalk Application name
 # dev
@@ -97,6 +97,12 @@ cat $WORK_DIR/config/sumo-template.conf | sed -e "s/@APINAME@/${SERVICE}/g" | se
 cat $WORK_DIR/config/sumo-sources-template.json | sed -e "s/@APINAME@/${SERVICE}/g" | sed -e "s/@CONFIG@/${CONFIG}/g" > $DOCKER_DIR/sumo-sources.json
 cat $WORK_DIR/config/newrelic-template.yml | sed -e "s/@APINAME@/${SERVICE}/g" | sed -e "s/@CONFIG@/${CONFIG}/g" > $DOCKER_DIR/newrelic.yml
 
+echo "Logging into docker"
+echo "############################"
+DOCKER_USER=$(aws ssm get-parameter --name /$CONFIG/build/dockeruser --with-decryption --output text --query Parameter.Value)
+DOCKER_PASSWD=$(aws ssm get-parameter --name /$CONFIG/build/dockercfg --with-decryption --output text --query Parameter.Value)
+echo $DOCKER_PASSWD | docker login -u $DOCKER_USER --password-stdin
+
 echo "building docker image: ${IMAGE}"
 docker build -t $TAG $DOCKER_DIR
 handle_error "docker build failed."

buildtokenproperties.sh

@@ -15,6 +15,12 @@ AUTH0_NEW_ID=$(eval "echo \$${ENV}_AUTH0_NEW_ID")
 AUTH0_NEW_ID_SECRET=$(eval "echo \$${ENV}_AUTH0_NEW_ID_SECRET")
 AUTH0_NEW_NONINTERACTIVE_ID=$(eval "echo \$${ENV}_AUTH0_NEW_NONINTERACTIVE_ID")
 AUTH0_NEW_NONINTERACTIVE_ID_SECRET=$(eval "echo \$${ENV}_AUTH0_NEW_NONINTERACTIVE_ID_SECRET")
+DICEAUTH_DICE_URL=$(eval "echo \$${ENV}_DICEAUTH_DICE_URL")
+DICEAUTH_DICE_API_URL=$(eval "echo \$${ENV}_DICEAUTH_DICE_API_URL")
+DICEAUTH_DICE_VERIFIER=$(eval "echo \$${ENV}_DICEAUTH_DICE_VERIFIER")
+DICEAUTH_DICE_API_KEY=$(eval "echo \$${ENV}_DICEAUTH_DICE_API_KEY")
+DICEAUTH_CREDDEFID=$(eval "echo \$${ENV}_DICEAUTH_CREDDEFID")
+DICEAUTH_OTP_DURATION=$(eval "echo \$${ENV}_DICEAUTH_OTP_DURATION")
 ZENDESK_ID=$(eval "echo \$${ENV}_ZENDESK_ID")
 SERVICEACC02_UID=$(eval "echo \$${ENV}_SERVICEACC02_UID")
 AUTH_SECRET=$(eval "echo \$${ENV}_AUTH_SECRET")
@@ -33,6 +39,9 @@ M2MAUTHCONFIG_USERPROFILES_CREATE=$(eval "echo \$${ENV}_M2MAUTHCONFIG_USERPROFIL
 M2MAUTHCONFIG_USERPROFILES_UPDATE=$(eval "echo \$${ENV}_M2MAUTHCONFIG_USERPROFILES_UPDATE")
 M2MAUTHCONFIG_USERPROFILES_READ=$(eval "echo \$${ENV}_M2MAUTHCONFIG_USERPROFILES_READ")
 M2MAUTHCONFIG_USERPROFILES_DELETE=$(eval "echo \$${ENV}_M2MAUTHCONFIG_USERPROFILES_DELETE")
+M2MAUTHCONFIG_USER2FA_ENABLE=$(eval "echo \$${ENV}_M2MAUTHCONFIG_USER2FA_ENABLE")
+M2MAUTHCONFIG_USER2FA_VERIFY=$(eval "echo \$${ENV}_M2MAUTHCONFIG_USER2FA_VERIFY")
+M2MAUTHCONFIG_USER2FA_CREDENTIAL=$(eval "echo \$${ENV}_M2MAUTHCONFIG_USER2FA_CREDENTIAL")
 
 DOMAIN=$(eval "echo \$${ENV}_DOMAIN")
 SMTP=$(eval "echo \$${ENV}_SMTP")
@@ -47,6 +56,8 @@ SENDGRID_RESEND_ACTIVATION_EMAIL_TEMPLATE_ID=$(eval "echo \$${ENV}_SENDGRID_RESE
 SENDGRID_WELCOME_EMAIL_TEMPLATE_ID=$(eval "echo \$${ENV}_SENDGRID_WELCOME_EMAIL_TEMPLATE_ID")
 SENDGRID_SELF_SERVICE_RESEND_ACTIVATION_EMAIL_TEMPLATE_ID=$(eval "echo \$${ENV}_SENDGRID_SELF_SERVICE_RESEND_ACTIVATION_EMAIL_TEMPLATE_ID")
 SENDGRID_SELF_SERVICE_WELCOME_EMAIL_TEMPLATE_ID=$(eval "echo \$${ENV}_SENDGRID_SELF_SERVICE_WELCOME_EMAIL_TEMPLATE_ID")
+SENDGRID_2FA_INVITATION_TEMPLATE_ID=$(eval "echo \$${ENV}_SENDGRID_2FA_INVITATION_TEMPLATE_ID")
+SENDGRID_2FA_OTP_TEMPLATE_ID=$(eval "echo \$${ENV}_SENDGRID_2FA_OTP_TEMPLATE_ID")
 
 
 if [[ -z "$ENV" ]] ; then
@@ -79,6 +90,12 @@ perl -pi -e "s/\{\{AUTH0_NEW_ID\}\}/$AUTH0_NEW_ID/g" $CONFFILENAME
 perl -pi -e "s/\{\{AUTH0_NEW_ID_SECRET\}\}/$AUTH0_NEW_ID_SECRET/g" $CONFFILENAME 
 perl -pi -e "s/\{\{AUTH0_NEW_NONINTERACTIVE_ID\}\}/$AUTH0_NEW_NONINTERACTIVE_ID/g" $CONFFILENAME 
 perl -pi -e "s/\{\{AUTH0_NEW_NONINTERACTIVE_ID_SECRET\}\}/$AUTH0_NEW_NONINTERACTIVE_ID_SECRET/g" $CONFFILENAME 
+perl -pi -e "s|\{\{DICEAUTH_DICE_URL\}\}|$DICEAUTH_DICE_URL|g" $CONFFILENAME 
+perl -pi -e "s|\{\{DICEAUTH_DICE_API_URL\}\}|$DICEAUTH_DICE_API_URL|g" $CONFFILENAME 
+perl -pi -e "s|\{\{DICEAUTH_DICE_VERIFIER\}\}|$DICEAUTH_DICE_VERIFIER|g" $CONFFILENAME 
+perl -pi -e "s|\{\{DICEAUTH_DICE_API_KEY\}\}|$DICEAUTH_DICE_API_KEY|g" $CONFFILENAME 
+perl -pi -e "s/\{\{DICEAUTH_CREDDEFID\}\}/$DICEAUTH_CREDDEFID/g" $CONFFILENAME 
+perl -pi -e "s/\{\{DICEAUTH_OTP_DURATION\}\}/$DICEAUTH_OTP_DURATION/g" $CONFFILENAME 
 perl -pi -e "s/\{\{ZENDESK_KEY\}\}/$ZENDESK_KEY/g" $CONFFILENAME 
 perl -pi -e "s/\{\{ZENDESK_ID\}\}/$ZENDESK_ID/g" $CONFFILENAME 
 perl -pi -e "s/\{\{SERVICEACC01_CID\}\}/$SERVICEACC01_CID/g" $CONFFILENAME 
@@ -109,9 +126,14 @@ perl -pi -e "s|\{\{M2MAUTHCONFIG_USERPROFILES_CREATE\}\}|$M2MAUTHCONFIG_USERPROF
 perl -pi -e "s|\{\{M2MAUTHCONFIG_USERPROFILES_UPDATE\}\}|$M2MAUTHCONFIG_USERPROFILES_UPDATE|g" $CONFFILENAME
 perl -pi -e "s|\{\{M2MAUTHCONFIG_USERPROFILES_READ\}\}|$M2MAUTHCONFIG_USERPROFILES_READ|g" $CONFFILENAME
 perl -pi -e "s|\{\{M2MAUTHCONFIG_USERPROFILES_DELETE\}\}|$M2MAUTHCONFIG_USERPROFILES_DELETE|g" $CONFFILENAME
+perl -pi -e "s|\{\{M2MAUTHCONFIG_USER2FA_ENABLE\}\}|$M2MAUTHCONFIG_USER2FA_ENABLE|g" $CONFFILENAME
+perl -pi -e "s|\{\{M2MAUTHCONFIG_USER2FA_VERIFY\}\}|$M2MAUTHCONFIG_USER2FA_VERIFY|g" $CONFFILENAME
+perl -pi -e "s|\{\{M2MAUTHCONFIG_USER2FA_CREDENTIAL\}\}|$M2MAUTHCONFIG_USER2FA_CREDENTIAL|g" $CONFFILENAME
 perl -pi -e "s/\{\{AUTH0_NEW_DOMAIN\}\}/$AUTH0_NEW_DOMAIN/g" $CONFFILENAME
 perl -pi -e "s/\{\{AUTH0_DOMAIN\}\}/$AUTH0_DOMAIN/g" $CONFFILENAME
 perl -pi -e "s/\{\{SENDGRID_RESEND_ACTIVATION_EMAIL_TEMPLATE_ID\}\}/$SENDGRID_RESEND_ACTIVATION_EMAIL_TEMPLATE_ID/g" $CONFFILENAME
 perl -pi -e "s/\{\{SENDGRID_WELCOME_EMAIL_TEMPLATE_ID\}\}/$SENDGRID_WELCOME_EMAIL_TEMPLATE_ID/g" $CONFFILENAME
 perl -pi -e "s/\{\{SENDGRID_SELF_SERVICE_RESEND_ACTIVATION_EMAIL_TEMPLATE_ID\}\}/$SENDGRID_SELF_SERVICE_RESEND_ACTIVATION_EMAIL_TEMPLATE_ID/g" $CONFFILENAME
 perl -pi -e "s/\{\{SENDGRID_SELF_SERVICE_WELCOME_EMAIL_TEMPLATE_ID\}\}/$SENDGRID_SELF_SERVICE_WELCOME_EMAIL_TEMPLATE_ID/g" $CONFFILENAME
+perl -pi -e "s/\{\{SENDGRID_2FA_INVITATION_TEMPLATE_ID\}\}/$SENDGRID_2FA_INVITATION_TEMPLATE_ID/g" $CONFFILENAME
+perl -pi -e "s/\{\{SENDGRID_2FA_OTP_TEMPLATE_ID\}\}/$SENDGRID_2FA_OTP_TEMPLATE_ID/g" $CONFFILENAME

src/main/java/com/appirio/tech/core/service/identity/IdentityApplication.java

@@ -234,13 +234,16 @@ public void run(IdentityConfiguration configuration, Environment environment) th
 		        configuration.getEventBusServiceClientConfig(), configuration.getM2mAuthConfiguration());
 		// Resources::users
     	CacheService cacheService = configuration.getCache().createCacheService();
-    	UserResource userResource = new UserResource(userDao, roleDao, cacheService, eventProducer, eventBusServiceClient, configuration.getM2mAuthConfiguration().getUserProfiles());
+    	UserResource userResource = new UserResource(userDao, roleDao, cacheService, eventProducer, eventBusServiceClient, configuration.getM2mAuthConfiguration().getUserProfiles(), configuration.getM2mAuthConfiguration().getUser2fa());
     	userResource.setAuth0Client(configuration.getAuth0()); // TODO: constructor
+		userResource.setDiceAuth(configuration.getDiceAuth());
     	userResource.setDomain(configuration.getAuthDomain());
 			userResource.setSendgridTemplateId(Utils.getString("sendGridTemplateId"));
 			userResource.setSendgridWelcomeTemplateId(Utils.getString("sendGridWelcomeTemplateId"));
 			userResource.setSendgridSelfServiceTemplateId(Utils.getString("sendGridSelfServiceTemplateId"));
 			userResource.setSendgridSelfServiceWelcomeTemplateId(Utils.getString("sendGridSelfServiceWelcomeTemplateId"));
+			userResource.setSendgrid2faInvitationTemplateId(Utils.getString("sendGrid2faInvitationTemplateId"));
+			userResource.setSendgrid2faOtpTemplateId(Utils.getString("sendGrid2faOtpTemplateId"));
     	// this secret _used_ to be different from the one used in AuthorizationResource.
     	// it _was_ the secret x2. (userResource.setSecret(getSecret()+getSecret());)
 		// we assume this was done to further limit the usability of the oneTimeToken generated in userResource

src/main/java/com/appirio/tech/core/service/identity/IdentityConfiguration.java

@@ -11,6 +11,7 @@
 import com.appirio.clients.BaseClientConfiguration;
 import com.appirio.tech.core.api.v3.dropwizard.APIBaseConfiguration;
 import com.appirio.tech.core.service.identity.util.auth.Auth0Client;
+import com.appirio.tech.core.service.identity.util.auth.DICEAuth;
 import com.appirio.tech.core.service.identity.util.auth.ServiceAccountAuthenticatorFactory;
 import com.appirio.tech.core.service.identity.util.cache.CacheServiceFactory;
 import com.appirio.tech.core.service.identity.util.event.EventSystemFactory;
@@ -61,6 +62,10 @@ public class IdentityConfiguration extends APIBaseConfiguration {
 	@Valid
     @JsonProperty
     private Auth0Client auth0New = new Auth0Client();
+
+	@Valid
+    @JsonProperty
+    private DICEAuth diceAuth = new DICEAuth();
 
 	@Valid
 	@NotNull
@@ -135,6 +140,10 @@ public Auth0Client getAuth0() {
     public Auth0Client getAuth0New() {
         return auth0New;
     }
+
+	public DICEAuth getDiceAuth() {
+        return diceAuth;
+    }
 
 	public LDAPServiceFactory getLdap() {
 		return ldap;

src/main/java/com/appirio/tech/core/service/identity/M2mAuthConfiguration.java

@@ -1,5 +1,6 @@
 package com.appirio.tech.core.service.identity;
 
+import com.appirio.tech.core.service.identity.util.m2mscope.User2faFactory;
 import com.appirio.tech.core.service.identity.util.m2mscope.UserProfilesFactory;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import javax.validation.constraints.NotNull;
@@ -65,6 +66,9 @@ public class M2mAuthConfiguration {
     @JsonProperty
     private UserProfilesFactory userProfiles = new UserProfilesFactory();
 
+    @JsonProperty
+    private User2faFactory user2fa = new User2faFactory();
+
     public UserProfilesFactory getUserProfiles() {
         return userProfiles;
     }
@@ -73,6 +77,14 @@ public void setUserProfiles(UserProfilesFactory userProfiles) {
         this.userProfiles = userProfiles;
     }
 
+    public User2faFactory getUser2fa() {
+        return user2fa;
+    }
+
+    public void setUser2fa(User2faFactory user2fa) {
+        this.user2fa = user2fa;
+    }
+
     /**
      * Get clientId
      * 

src/main/java/com/appirio/tech/core/service/identity/clients/EventBusServiceClient.java

@@ -9,6 +9,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.ws.rs.ProcessingException;
 import javax.ws.rs.client.Client;
 import javax.ws.rs.client.Entity;
 import javax.ws.rs.client.Invocation;
@@ -81,13 +82,17 @@ public void reFireEvent(EventMessage eventMessage) {
             String authToken = Utils.generateAuthToken(m2mAuthConfiguration);
 
             eventMessage.setOriginator(this.config.getAdditionalConfiguration().get("originator"));
+            LOGGER.info("Fire event {}", new ObjectMapper().writer().writeValueAsString(eventMessage));
             Response response = request.header("Authorization", "Bearer " + authToken).post(Entity.entity(eventMessage.getData(), MediaType.APPLICATION_JSON_TYPE));
 
-            LOGGER.info("Fire event {}", new ObjectMapper().writer().writeValueAsString(eventMessage));
             if (response.getStatusInfo().getStatusCode() != HttpStatus.OK_200 &&  response.getStatusInfo().getStatusCode()!= HttpStatus.NO_CONTENT_204) {
                 LOGGER.error("Unable to fire the event: {}", response);
             }
-        }  catch (Exception e) {
+        } catch (ProcessingException e) {
+                if(!e.getMessage().equals("java.net.SocketTimeoutException: Read timed out")) {
+                    LOGGER.error("Failed to fire the event: {}", e);
+                }
+        } catch (Exception e) {
             LOGGER.error("Failed to fire the event: {}", e);
         }
     }

src/main/java/com/appirio/tech/core/service/identity/dao/UserDAO.java

@@ -36,6 +36,7 @@
 import com.appirio.tech.core.service.identity.representation.Achievement;
 import com.appirio.tech.core.service.identity.representation.Country;
 import com.appirio.tech.core.service.identity.representation.Credential;
+import com.appirio.tech.core.service.identity.representation.User2fa;
 import com.appirio.tech.core.service.identity.representation.Email;
 import com.appirio.tech.core.service.identity.representation.GroupMembership;
 import com.appirio.tech.core.service.identity.representation.ProviderType;
@@ -96,47 +97,109 @@ public abstract class UserDAO implements DaoBase<User>, Transactional<UserDAO> {
     @RegisterMapperFactory(TCBeanMapperFactory.class)
     @SqlQuery(
             "SELECT " + USER_COLUMNS + ", " +
-            "s.password AS credential$encodedPassword, e.address AS email, e.status_id AS emailStatus " +
+            "s.password AS credential$encodedPassword, e.address AS email, e.status_id AS emailStatus, " +
+            "mfa.enabled AS mfaEnabled, mfa.verified AS mfaVerified " +
             "FROM common_oltp.user AS u " +
             "LEFT OUTER JOIN common_oltp.email AS e ON u.user_id = e.user_id AND e.email_type_id = 1 AND e.primary_ind = 1 " +
             "LEFT OUTER JOIN common_oltp.security_user AS s ON u.user_id = s.login_id " +
+            "LEFT JOIN common_oltp.user_2fa mfa ON mfa.user_id = u.user_id " +
             "WHERE u.user_id = :id"
     )
     public abstract User findUserById(@Bind("id") long id);
 
     @RegisterMapperFactory(TCBeanMapperFactory.class)
     @SqlQuery(
             "SELECT " + USER_COLUMNS + ", " +
-            "e.address AS email, e.status_id AS emailStatus " +
+            "e.address AS email, e.status_id AS emailStatus, " +
+            "mfa.enabled AS mfaEnabled, mfa.verified AS mfaVerified " +
             "FROM common_oltp.user AS u " +
             "LEFT OUTER JOIN common_oltp.email AS e ON u.user_id = e.user_id AND e.email_type_id = 1 " +
+            "LEFT JOIN common_oltp.user_2fa mfa ON mfa.user_id = u.user_id " +
             "WHERE u.handle_lower = LOWER(:handle)"
     )
     public abstract User findUserByHandle(@Bind("handle") String handle);
 
     @RegisterMapperFactory(TCBeanMapperFactory.class)
     @SqlQuery(
             "SELECT " + USER_COLUMNS + ", " +
-            "e.address AS email, e.status_id AS emailStatus " +
+            "e.address AS email, e.status_id AS emailStatus, " +
+            "mfa.enabled AS mfaEnabled, mfa.verified AS mfaVerified " +
             "FROM common_oltp.user AS u JOIN common_oltp.email AS e ON e.user_id = u.user_id " +
+            "LEFT JOIN common_oltp.user_2fa mfa ON mfa.user_id = u.user_id " +
             "WHERE LOWER(e.address) = LOWER(:email)"
     )
     public abstract List<User> findUsersByEmail(@Bind("email") String email);
 
+    @RegisterMapperFactory(TCBeanMapperFactory.class)
+    @SqlQuery(
+            "SELECT mfa.id AS id, u.user_id AS userId, u.handle AS handle, u.first_name AS firstName, e.address AS email, mfa.enabled AS enabled, mfa.verified AS verified " +
+            "FROM common_oltp.user AS u JOIN common_oltp.email AS e ON e.user_id = u.user_id " +
+            "LEFT JOIN common_oltp.user_2fa AS mfa ON mfa.user_id = u.user_id " +
+            "WHERE LOWER(e.address) = LOWER(:email)"
+    )
+    public abstract List<User2fa> findUser2faByEmail(@Bind("email") String email);
+
+    @RegisterMapperFactory(TCBeanMapperFactory.class)
+    @SqlQuery(
+            "SELECT mfa.id AS id, u.user_id AS userId, u.handle AS handle, u.first_name AS firstName, e.address AS email, mfa.enabled AS enabled, mfa.verified AS verified " +
+            "FROM common_oltp.user AS u LEFT JOIN common_oltp.email AS e ON e.user_id = u.user_id " +
+            "LEFT JOIN common_oltp.user_2fa AS mfa ON mfa.user_id = u.user_id " +
+            "WHERE u.user_id = :userId"
+    )
+    public abstract User2fa findUser2faById(@Bind("userId") long userId);
+
+    @SqlUpdate(
+            "INSERT INTO common_oltp.user_2fa " +
+            "(user_id, enabled) VALUES " +
+            "(:userId, :enabled)")
+    public abstract int insertUser2fa(@Bind("userId") long userId, @Bind("enabled") boolean enabled);
+
+    @SqlUpdate(
+            "UPDATE common_oltp.user_2fa SET " +
+            "enabled=:enabled, " +
+            "verified=:verified " +
+            "WHERE id=:id")
+    public abstract int update2fa(@Bind("id") long id, @Bind("enabled") boolean enabled, @Bind("verified") boolean verified);
+
+    @SqlUpdate(
+            "UPDATE common_oltp.user_2fa SET " +
+            "enabled=:enabled, " +
+            "verified=:verified " +
+            "WHERE user_id=:userId")
+    public abstract int update2faByUserId(@Bind("userId") long userId, @Bind("enabled") boolean enabled, @Bind("verified") boolean verified);
+
+    @SqlUpdate(
+            "UPDATE common_oltp.user_2fa SET " +
+            "otp=:otp, " +
+            "otp_expire=current_timestamp + (:duration ||' minutes')::interval " +
+            "WHERE id=:id")
+    public abstract int update2faOtp(@Bind("id") long id, @Bind("otp") String otp, @Bind("duration") int duration);
+
+    @SqlQuery(
+            "UPDATE common_oltp.user_2fa x SET otp=null, otp_expire=null " +
+            "FROM (SELECT id, otp, otp_expire FROM common_oltp.user_2fa WHERE user_id=:userId FOR UPDATE)y " +
+            "WHERE x.id=y.id " +
+            "RETURNING CASE WHEN y.otp=:otp and y.otp_expire > current_timestamp THEN 1 ELSE 0 END")
+    public abstract int verify2faOtp(@Bind("userId") long userId, @Bind("otp") String otp);
+
     @RegisterMapperFactory(TCBeanMapperFactory.class)
     @SqlQuery(
             "SELECT " + USER_COLUMNS + ", " +
-            "e.address AS email, e.status_id AS emailStatus " +
+            "e.address AS email, e.status_id AS emailStatus, " +
+            "mfa.enabled AS mfaEnabled, mfa.verified AS mfaVerified " +
             "FROM common_oltp.user AS u JOIN common_oltp.email AS e ON e.user_id = u.user_id " +
+            "LEFT JOIN common_oltp.user_2fa AS mfa ON mfa.user_id = u.user_id " +
             "WHERE e.address = :email"
     )
     public abstract List<User> findUsersByEmailCS(@Bind("email") String email);
 
     @RegisterMapperFactory(TCBeanMapperFactory.class)
     @SqlQuery(
             "SELECT " + USER_COLUMNS + ", " +
-            "e.address AS email, e.status_id AS emailStatus " +
+            "e.address AS email, e.status_id AS emailStatus, " +
+            "mfa.enabled AS mfaEnabled, mfa.verified AS mfaVerified " +
             "FROM common_oltp.user AS u " +
+            "LEFT JOIN common_oltp.user_2fa AS mfa ON mfa.user_id = u.user_id " +
             "<joinOnEmail> common_oltp.email AS e ON u.user_id = e.user_id AND e.primary_ind = 1 " +
             "<condition> " +
             "<order> " +
@@ -364,6 +427,22 @@ public User findUserByEmail(String email) {
         // nothing matched with email parameter in the result, returns the first one.
         return users.get(0);
     }
+
+    public User2fa findUserCredentialByEmail(String email) {
+        List<User2fa> users = findUser2faByEmail(email);
+        if(users==null || users.size()==0)
+            return null;
+
+        if(users.size()==1)
+            return users.get(0);
+
+        for (User2fa user : users) {
+            if(user.getEmail().equals(email))
+                return user;
+        }
+
+        return users.get(0);
+    }
 
     /**
      *

src/main/java/com/appirio/tech/core/service/identity/representation/CredentialRequest.java

@@ -0,0 +1,23 @@
+package com.appirio.tech.core.service.identity.representation;
+
+public class CredentialRequest {
+
+	private String email;
+	private String connectionId;
+
+	public String getEmail() {
+		return email;
+	}
+
+	public void setEmail(String email) {
+		this.email = email;
+	}
+
+	public String getConnectionId() {
+		return connectionId;
+	}
+
+	public void setConnectionId(String connectionId) {
+		this.connectionId = connectionId;
+	}
+}