-
Notifications
You must be signed in to change notification settings - Fork 349
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement password based authentication #176
Comments
Although I would love to see passwords die, I also am not delusional and realise they will be around for a long time to come. However this proposal should at minimum mention to also include 2-factor as part of the proposal (google generator would be the probably the most used, maybe ubikey, maybe sms gateway, maybe even email) There are also other ways to authenticate that do not require passwords, GRC's SQRL for example. So maybe this would be better as 'local authentication' rather than password based (althought thats nitpicking now) I would love to see some kind of token based authentication, i.e. exchanging username/password/two factor with a token (read JWT) signed with a public/private keypair. Although that would required the private key to be distributed between all the auth servers wanting to do the auth. Pushing the private key to the database would be the logical way to go, but that would require some significant thought on how to handle that correctly in the light that you NEVER want that private key to get out. Even better again would be to have a CA which would provide certs based on a CSR that each server could generate on boot... i.e... Not sure how feasible all this is, just trying to think of the most secure way to provide this functionality without compromise. |
Right now we have 3 kinds of authentication: unauthenticated (everyone gets the same jwt), anonymous (you get a jwt, and can save it, but if you lose it there's no way to recover), and OAuth. This would basically be similar to anonymous in that you would just get a token, but if you go to a new browser etc you can put in your password and have the server regenerate your token. I like the suggestion for 2-factor, we should look into that as well |
Also, another reason to add this is that people expect it. As a framework, we have some leeway to "encourage good patterns" but if we completely disallow something, people have the freedom to go elsewhere, or worse, implement a home-grown insecure login method on top |
For reference, the algorithm used in "Google Authenticator" is TOTP, as specified in RFC-6238; it's almost exactly All the "enhanced" two-factor apps I know of (including notably Authy) also support TOTP tokens (and the QR code format); it's a simple, well-supported protocol, and there are plenty of small libraries for it. |
I have a service running meteor, and I'm investigating horizon. A couple of things to consider:
|
My business sells to many older, rural buyers. While everyone in Silicon Valley may have a Twitter account, please consider the large swath of America that lives on the farm and not online. Many of my customers don't subscribe to social media (or GitHub!). I cannot deploy Horizon without some kind of password authentication. I hope this issue gets escalated. |
@LawJolla that's a very good point from you and the reason why we're still holding on to use horizon.io. We develop internal backend applications (ERP, CRM, user management, etc) and we can't force the user to have a social account. Also looking forward to this. |
For FWIW -- we are in the same position. We offer enterprise s/w that sits behind dozens of firewalls etc. (think SAP, PeopleSoft, etc) and obviously having to use a social OAuth mechanism is a total non-starter. We need both the option to use the end customer's LDAP/AD system and/or self-contained user/pw management (and roles too of course) . |
In response to @mattsoftware :
Here's a proposal that doesn't require private key to be shared:
|
Another vote here. |
Here is what the meteor guys have done: |
An optional 2FA would be great, there are some very good yet small JS libraries for generating the codes. Would would be a lovely alternative to 2FA is support for passwordless login approvals (e.g. mobile push "accept button"). |
I don't think its a good idea to implement authentication mechanisms as a part of horizon framework itself. This should be a part of plugins. While its fine to have basic user information and logged-in status specified in the framework, how a person can authenticate should be extendible. I am working on system where authentication can happen with passwords but also with SMS, RFID and nfc(MiFare) cards etc. Its better to have plugins for managing authentications and authentication states as there are usecases for that. To be honest meteor has a good grip on this, it wouldn't hurt to borrow from there. |
I also develop internal systems that can't use social accounts. Having this as part of a plugin/package would good. I am looking to migrate off Meteor, but can't use Horizon without this. So I will have to explore other options, which is unfortunate because I like the simplicity that Horizon offers. |
Perhaps it might be simpler just to use something like passport integrated into horizon? MEAN uses passport as well and passport supports over 300 pluggable authentication strategies including username/password and all others like github, facebook etc. that horizon currently supports. |
Yeah this is our current plan. We'll replace our current homespun auth On Mon, Aug 29, 2016, 22:03 Shantanu Bhadoria [email protected]
|
@deontologician Awesome! +1 to that! |
Oh that sounds like a good idea but a change in direction. What led to that? And of course, the $10k question, when might that hit the shelves? |
May want to consider grant. Much smaller and cleaner |
Well, the Horizon client can already use JWT's that have been generated by other means with the I snatched the code that generates the JWT from the source code of the
The end result is that an authenticated client hitting The I think that is actually all that's necessary to have 3rd-party authentication in Horizon. You can even throw away the current OAuth authentication and rely on a recipe for connecting an authenticated user with a RethinkDB user. Thoughts? |
@tailsu good idea. Have you actually built this pattern and if so do you have a repo? |
Thanks @Stefan. You should post it in the #horizon slack channel. On 14 Nov. 2016 20:50, "Stefan Dragnev" [email protected] wrote:
|
Please post that for me, thanks! Am 14.11.2016 10:56 schrieb "Mike Seddon" [email protected]:
|
If Horizon's goal is to take the pain out of the initial scaffolding, this basic password authentication feature has to be built-in. There is no reason why we should be customizing this. Firebase, Loopback, FeathersJS, MeteorJS, ServerlessJS etc... They all offer this as an option. If you guys don't want to have the burden of taking on this basic authentication system, the community would at least very much appreciate a so called "official" recipe for putting this together with PassportJS. |
Any update on this ? |
Right now we just have OAuth. This would be nice, but it requires a bit of care to implement because we're taking the full security burden on ourselves.
The text was updated successfully, but these errors were encountered: