2-Factor authentication #1342

Closed
3 tasks
Tracked by #1339
TheSlimvReal opened this issue Jul 5, 2022 · 5 comments · Fixed by #1990
Labels
released on @master managed by CI (semantic-release) released managed by CI (semantic-release)

Comments


TheSlimvReal commented Jul 5, 2022

2-Factor authentication (2FA) should be available in the application

  • Organizations can decide whether they want to use 2FA
  • 2FA with email and/or app works
  • Configurable time period after which the second factor is required

overview of login user stories / test cases (GoogleDoc)

@TheSlimvReal TheSlimvReal changed the title 2-Faktor authentication through email or a separate app 2-Faktor authentication Jul 5, 2022
@TheSlimvReal TheSlimvReal changed the title 2-Faktor authentication 2-Factor authentication Jul 5, 2022
@sleidig sleidig added this to the User Management milestone Jul 11, 2022
TheSlimvReal (Collaborator, author) commented

Possible approach:

  1. Instance is marked with OTP required (potentially through config.json).
  2. When creating a user, CONFIGURE_OTP is put into the requiredActions of the user.
  3. When a user clicks on the registration mail, OTP setup will also be part of the registration process in Keycloak.
  4. Aam Digital is extended with a login step for entering the OTP, potentially in the same form as username and password.
  5. By sending username, password and OTP to Keycloak, a token can be requested (example).
  6. If everything is correct, the user is logged in.

Open questions/issues:

  • How is the offline login affected? OTP check does not work offline.
  • It is not possible to find out whether the username and password OR the OTP were incorrect. All three things have to be valid in order to get a successful response.
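
The following is an added illustration of steps 4 to 6 of the approach above and of the second open question; it is editor-written example code, not code from the Aam Digital project or from the comment author. It shows the app-side half of the flow: how a TOTP "app" factor is computed (RFC 6238, the scheme Keycloak's OTP policy defaults to), how a direct-grant token request carrying username, password and OTP would be built against the Keycloak token endpoint, and why a rejected request cannot be attributed to a wrong password versus a wrong OTP. The realm name `demo`, client id `app`, base URL, and all response bodies are constructed for the example; the `totp` form field name is the one Keycloak's direct-grant OTP validator reads, and `base_url` must include the `/auth` prefix on older Keycloak deployments that still use it.

```python
"""TOTP (RFC 6238) and a Keycloak direct-grant request builder.

Editor-added example; realm, client id, URLs and responses are constructed.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlencode

# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded as in otpauth:// URIs.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32, unix_time, step=30, digits=6, digest=hashlib.sha1):
    """Compute the TOTP for the time step containing unix_time (RFC 6238, HOTP truncation)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian moving factor
    mac = hmac.new(key, counter, digest).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, candidate, unix_time, step=30, digits=6, skew=1):
    """Server-side check: accept the code for the current step or +/- skew steps of clock drift.

    Needs the shared secret, which only the server (here: Keycloak) holds, so the
    client cannot repeat this check while offline.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False
    for delta in range(-skew, skew + 1):
        expected = totp_code(secret_b32, unix_time + delta * step, step, digits)
        if hmac.compare_digest(expected, candidate):       # constant-time compare
            return True
    return False


def build_direct_grant_request(base_url, realm, client_id, username, password, otp, client_secret=None):
    """Return (url, headers, body) for a Resource Owner Password grant carrying the OTP.

    Keycloak's direct-grant flow reads the second factor from the 'totp' form field.
    """
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "totp": otp,
    }
    if client_secret:                                       # only for confidential clients
        form["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode(form)


def classify_token_response(status, body):
    """Map the token endpoint's answer to an app-level outcome.

    A wrong password and a wrong OTP both yield 401 {"error": "invalid_grant"},
    so the app can only report "login rejected", not which factor failed.
    """
    if status == 200 and "access_token" in body:
        return "logged_in"
    if status in (400, 401) and body.get("error") == "invalid_grant":
        return "rejected"
    return "error"


# Constructed responses standing in for what the token endpoint would return.
OK_RESPONSE = (200, {"access_token": "eyJ...", "token_type": "Bearer", "expires_in": 300})
BAD_PASSWORD = (401, {"error": "invalid_grant", "error_description": "Invalid user credentials"})
BAD_OTP = (401, {"error": "invalid_grant", "error_description": "Invalid user credentials"})


if __name__ == "__main__":
    code = totp_code(TEST_SECRET_B32, 59)
    url, headers, body = build_direct_grant_request(
        "https://keycloak.example.org", "demo", "app", "alice", "correct horse", code)
    print(url, body)
    for name, resp in (("ok", OK_RESPONSE), ("bad password", BAD_PASSWORD), ("bad otp", BAD_OTP)):
        print(name, "->", classify_token_response(*resp))
```

Running the script shows the two failure cases classified identically, which is the indistinguishability the comment points out; only the successful response differs. The OTP helpers also make the offline concern concrete: the secret needed by `verify_totp` lives in Keycloak, so a client without connectivity has nothing to verify the code against.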

@sleidig sleidig removed this from the User Management milestone Jun 5, 2023
@sleidig sleidig moved this to Idea in Feature Roadmap Jun 5, 2023
@sleidig sleidig moved this from Idea to Planned in Feature Roadmap Jun 5, 2023
@sleidig sleidig moved this from Triage to Priority (Core Team) in All Tasks & Issues Jun 26, 2023

sleidig commented Jul 26, 2023

We have discussed the technical approach for 2FA again and came to the conclusion to re-work the login logic in the client/app in order to use Keycloak "natively", i.e. forward users to the Keycloak login page and on the app only use the token issued. This requires re-thinking how we handle offline authentication, however.


sleidig commented Aug 7, 2023

Updated summary of all login scenarios / test cases: https://docs.google.com/document/d/1VBx_Zsk0d7KdfcXyUhf77a-nWHArHvsKmST3Ss0jr_k/edit

redesigning the overall login process will also probably resolve #935

@sleidig sleidig moved this from Planned to In Progress in Feature Roadmap Sep 5, 2023
@sleidig sleidig moved this from Priority (Core Team) to In Progress in All Tasks & Issues Sep 5, 2023
@sleidig sleidig moved this from In Progress to In Review in All Tasks & Issues Oct 5, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Done in Feature Roadmap Nov 29, 2023
@github-project-automation github-project-automation bot moved this from In Review to Done in All Tasks & Issues Nov 29, 2023

🎉 This issue has been resolved in version 3.27.0-master.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@aam-digital-ci aam-digital-ci added the released on @master managed by CI (semantic-release) label Nov 29, 2023

🎉 This issue has been resolved in version 3.27.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@aam-digital-ci aam-digital-ci added the released managed by CI (semantic-release) label Nov 29, 2023