Notification Channel Selection at WSO2 Identity Server

Sominda Gamage
Jun 28, 2020

WSO2 Identity Server 5.10.0 introduced support for sending notifications to the user via a user-preferred channel. In other words, the user can decide whether to receive notifications by email or on a mobile phone. In this feature, a notification channel has three attributes.

  1. Channel Type
  2. Channel Value
  3. Channel Verified status

For example, the EMAIL channel has the following attributes:

Type: EMAIL
Value Claim: http://wso2.org/claims/emailaddress
Verified Claim: http://wso2.org/claims/identity/emailVerified

Therefore the notification channel selection will happen according to the values of the above claims. Let me tell you how this happens in different flows. The following flows support this feature.

  • User Self-Registration
  • Username and Password Recovery (user-initiated user account recovery)

User Account Recovery

In username and password recovery, the user has the capability to select the notification channel based on the available notification channels for the user. In other words, the user can determine whether to get recovery information via an SMS or Email. The channels for recovery will be displayed to the user based on the following criteria.

  • If the user has configured either a mobile number (as the SMS channel) or an email address (as the EMAIL channel) in the user’s profile, that channel will be selected as the available notification channel for the user.
  • If the user has configured both a mobile number and an email address in the user’s profile, both channels will be displayed as the available recovery channels. The user can then choose whether to recover the account via SMS or email.

If the user has the role self-register, then the channel selection will be different. Let me explain this a bit more. WSO2 Identity Server allows integrating an existing user store. In this case, the server assumes that all the channels (email and mobile) of users are verified. A user with the role self-register implies at least one channel is verified by the identity server. In that case, even though the user has multiple channels, only the verified channels will be displayed as available recovery channels.

Refer to the following documentation for more details on this feature.

User Self Registration

With User Self Registration, this is different. In this scenario, the server decides which channel (SMS or EMAIL) to use to send the account confirmation notification to the user.

Notification channel selection criteria

  1. Get the user’s notification channel claims.
  2. If notification channel resolving is not enabled, set the notification channel to the server default channel and send notifications.

NOTE: To enable channel resolving and to set a default notification channel to the server, add the following config to the deployment.toml.

[identity_mgt.notification] 
default_notification_channel = "EMAIL"
resolve_notification_channel = true

  3. If the user has specified a preferred notification channel (EMAIL or SMS), notify the user via that channel if that channel has a value.

E.g., if the user wants the notification as an SMS, the user should have provided a mobile number. If the user has not provided a mobile number, an error will be thrown.

  4. If the user has not specified a preferred notification channel and has an email address and a mobile number, send the notification to the default channel specified in the server.

  5. If the user has not specified a preferred notification channel and has either an email address or a mobile number, then the notification will be sent to that channel.
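
The five selection steps above, modelled as an added Python example (not code from WSO2 or the Identity-Governance repository). The function and exception names are hypothetical, the mobile and preferred-channel claim URIs are assumptions not given on this page, and the fallback when the user has neither channel is an assumption as well.

```python
# Model of the self-registration channel selection steps described above.
# Not WSO2 code: function and exception names are hypothetical.

EMAIL_CLAIM = "http://wso2.org/claims/emailaddress"  # from the page
MOBILE_CLAIM = "http://wso2.org/claims/mobile"  # assumed URI, not on the page
PREFERRED_CLAIM = "http://wso2.org/claims/identity/preferredChannel"  # assumed URI

VALUE_CLAIM = {"EMAIL": EMAIL_CLAIM, "SMS": MOBILE_CLAIM}


class ChannelResolutionError(ValueError):
    """Preferred channel is unknown or has no value to deliver to."""


def resolve_channel(claims, default_channel="EMAIL", resolve_enabled=True):
    """Return the channel ("EMAIL" or "SMS") for the confirmation notification.

    default_channel and resolve_enabled mirror default_notification_channel
    and resolve_notification_channel in deployment.toml.
    """
    # Step 2: resolving disabled -> always the server default.
    if not resolve_enabled:
        return default_channel

    # Step 1: read the channel claims; blank strings count as "not provided".
    values = {ch: (claims.get(uri) or "").strip() for ch, uri in VALUE_CLAIM.items()}
    preferred = (claims.get(PREFERRED_CLAIM) or "").strip().upper()

    # Step 3: an explicit preference wins, but only if that channel has a value.
    # Raising here (rather than silently switching channel) matches the page.
    if preferred:
        if preferred not in VALUE_CLAIM:
            raise ChannelResolutionError(f"unsupported channel: {preferred}")
        if not values[preferred]:
            raise ChannelResolutionError(f"{preferred} preferred but no value set")
        return preferred

    available = [ch for ch, v in values.items() if v]
    # Step 5: exactly one channel has a value -> use it.
    if len(available) == 1:
        return available[0]
    # Step 4: both present -> server default. The page does not cover the
    # "neither present" case; falling back to the default is an assumption.
    return default_channel
```
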

The governance component of WSO2 Identity Server introduces notification channel selection as a service, which can be found in the Identity-Governance repository.
