By: Hector Villa user 03 Dec 2019 at 12:34 p.m. CST

9 Responses
I have many doubts about how to make a flow to authenticate users. I have 5 calls using OpenID, OAuth2 and PKCE:

1. Call with user credentials, to get a stateToken
2. Call to request the sending of a one-time password
3. stateToken and one-time password validation, and get a sessionToken
4. Send the code_challenge and the sessionToken to the authorization endpoint to obtain the Location code in the response header
5. Send the code and code_verifier to the token endpoint to obtain the access token

Until now I used the authorization code flow, which is used in the last two calls. The doubts are how to make the first three calls and how to avoid the login page?

By Michael Schwartz Account Admin 03 Dec 2019 at 12:49 p.m. CST

Make sure you specify `acr_values` in your OpenID authentication request (i.e. redirect to the authz endpoint). Create a Person Authentication Interception script with Name "email". Copy the twilio_sms script where it displays a form to enter your OTP value:

* [SMS script](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/twilio_sms)
* [Page 2](https://github.com/GluuFederation/oxAuth/tree/master/Server/src/main/webapp/auth/otp)

You may need a custom page 1 that just displays the username field... (see `getPageForStep` method). For an example of sending an email, look at the `processAuditGroup` method of the Duo Script:

* [Duo Script](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/duo/DuoExternalAuthenticator.py)

Note: you should not write the OTP value sent via email to disk. You should be able to store it in the session context. Don't forget to read the [docs on writing an authentication script](https://gluu.org/docs/ce/4.0/authn-guide/customauthn/). Also, if you can use a remote debugger, like Eclipse, that helps a lot.
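The last two calls of the flow described above (PKCE challenge to the authorization endpoint, verifier to the token endpoint), with `acr_values` set as suggested, as an added example that is not part of this thread or of oxAuth; the endpoint URL and client values are placeholders, and the S256 check is the RFC 7636 computation the token endpoint performs.

```python
import base64
import hashlib
import secrets
import string
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint; substitute your Gluu host.
AUTHZ_ENDPOINT = "https://idp.example.com/oxauth/restv1/authorize"
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 4.1: 43..128 chars from the unreserved set, from a CSPRNG."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(nbytes))
    return raw.rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 4.2: BASE64URL(SHA256(ASCII(verifier))) with no padding."""
    if not 43 <= len(verifier) <= 128 or set(verifier) - _UNRESERVED:
        raise ValueError("code_verifier violates RFC 7636 constraints")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_matches(verifier: str, stored_challenge: str) -> bool:
    """Token-endpoint side: recompute the challenge and compare in constant time."""
    return secrets.compare_digest(code_challenge_s256(verifier), stored_challenge)


def build_authorization_url(client_id: str, redirect_uri: str, challenge: str,
                            acr: str = "email", state: str = None) -> str:
    """Step 4 request: acr_values selects the custom 'email' script on the IDP."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "acr_values": acr,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state or secrets.token_urlsafe(16),
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def authorization_params(url: str) -> dict:
    """Flatten the query of an authorization URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```

The step 5 token request then carries `grant_type=authorization_code`, the returned `code`, the same `redirect_uri`, and the `code_verifier`; the IDP accepts it only when `verifier_matches` holds for the challenge it stored at step 4.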

By Hector Villa user 04 Dec 2019 at 8:59 a.m. CST

Thank you very much for responding. Is it possible, that way, not to use the login page and to send user credentials in JSON?

By Mauricio Aviles user 04 Dec 2019 at 12:47 p.m. CST

Hello Michael,

Thanks for your prompt response. Before moving forward with the custom authentication flow as described by Hector above, first we would like to authenticate natively using username and password. By natively we mean within a native mobile app without having to go through the browser. Where can we find documentation to perform this authentication through an API endpoint?

Thanks,
Mau

By Michael Schwartz Account Admin 04 Dec 2019 at 1 p.m. CST

There is a flow in OAuth called the "Resource Owner Password Credential Grant". One workaround is to use this flow to send the credentials, and return a session cookie. You will need the latest oxAuth build to do this, because we just added some small things to enable this. This oxAuth should be available in 4.0.1. See this document for a guide on how to do it: [https://github.com/GluuFederation/docs-ce-prod/blob/4.1/docs/source/tutorials/session-in-password-grant-flow.md](https://github.com/GluuFederation/docs-ce-prod/blob/4.1/docs/source/tutorials/session-in-password-grant-flow.md)

But.... with that said... let me add that sending the credentials from your web application is **terrible** for security. The reason the IDP wants to render the login page is so the application never sees the password. Actually, this ROPW flow is the **anti-pattern** of federated identity. Also, if you are trying to implement an email token flow, this would be handled much better by customizing the IDP login pages. My sincere advice is that you avoid this flow where you send the password!

By Michael Schwartz Account Admin 04 Dec 2019 at 1:03 p.m. CST

If you want to try the ROPW script referenced above, you can use this war file: [https://ox.gluu.org/maven/org/gluu/oxauth-server/4.0.1.Final/oxauth-server-4.0.1.Final.war](https://ox.gluu.org/maven/org/gluu/oxauth-server/4.0.1.Final/oxauth-server-4.0.1.Final.war)

Login to the chroot (`service gluu-server login`), stop oxauth (`service oxauth stop`) and replace the war file in `/opt/dist/gluu`. When 4.0.1 is released, it is better to use that and re-run setup, because we applied a few configuration changes to tune the cleaner job on high load.

By Hector Villa user 04 Dec 2019 at 5:44 p.m. CST

We tried to use this tutorial [https://github.com/GluuFederation/docs-ce-prod/blob/4.1/docs/source/tutorials/session-in-password-grant-flow.md](https://github.com/GluuFederation/docs-ce-prod/blob/4.1/docs/source/tutorials/session-in-password-grant-flow.md), but I have a question: do I need to have 4.0.1 installed, or can this script run in Gluu 4.0.0? How can I get Gluu 4.0.1?

By Michael Schwartz Account Admin 05 Dec 2019 at 9:55 a.m. CST

Install 4.0, and see my comment above about replacing the war file.

By Madhumita Subramaniam staff 10 Dec 2019 at 8:53 a.m. CST

Hello Hector, How is it going for you?

By Madhumita Subramaniam staff 12 Dec 2019 at 12:40 a.m. CST

Hello Hector,

I am closing this ticket. Please feel free to re-open or open a new ticket for further assistance.

Regards,
Madhumita