I am trying to implement this feature for mobile update verification.
When I try to validate the code using the validate-code api as described in the documentation above I have 2 different response according to how I invoke the api .
If I use the /me endpoint :
curl -k -v -X POST -H "Authorization: Basic XXXXXX=" -H "Content-Type: application/json" -d '{ "code": "XXXX","properties": []}'
"https://localhost:9443/api/identity/user/v1.0/me/validate-code"
works like a charm, I get my 202 http response and the code is validated.
In the other hand, when I invoke the api without the /me endpoint as presented in the swagger docs on Self Registration REST APIs :
curl -k -v -X POST -H "Authorization: Basic xxxx" -H "Content-Type: application/json" -d '{ "code": "XxxxxX","verifiedChannel":{"type":"SMS", "claim":"http://wso2.org/claims/mobile"},"properties": []}' "https://localhost:9443/api/identity/user/v1.0/validate-code
I get a 400 http response with the error below :
{"code":"18001","message":"Bad Request","description":"Invalid Code '%s.'"}
Am I doing somehting wrong ? Anybody experienced the same behavior ?
Thanks in advance
I experienced the same behavior as you mentioned.
api/identity/user/v1.0/validate-code
API's intention is to confirm an OTP value belongs to any user, by a privileged user who has permission /permission/admin/manage/identity/identitymgt.
Here is a possibility of the OTP getting into the possession of an illegitimate party if the user mistakenly enters an invalid number.
Hence any logged-in user who has sufficient privilege can submit a valid OTP of another user and verify that mobile number as the correct mobile number value using /user/v1.0/validate-code
API.
The possible way to overcome this is to verify whether the logged-in user who is submitting the OTP is the same user whose mobile number is updated.
Hence self validate code is the only supported and valid option to confirm the OTP to verify the mobile number. https://api-docs.wso2.com/apidocs/is/is511/selfregister-v5.11.0/#!/operations#SelfRegister#meValidateCodePost
The document needs to be updated. The WSO2 team will track and update it. Doc issue: https://github.com/wso2/product-is/issues/16777