The "Two Factor" requirement is configured per user. If we have multiple applications, how do we achieve that
for application A (e.g. a webapp) 2FA is required
but for application B (e.g. a native app), for the same user, 2FA is not required (never, not even for the first time it is used)?
I'm aware of the trustComputer attribute but I don't think it helps for this problem.
Two Factor is at the User level in FusionAuth. This is by design since if the user has selected to protect their account, then they should be forced to provide their additional factor regardless of the Application they are logging into.
There isn't currently a way to change this behavior and we would need to understand the use case in detail as well as any security issues with allowing specific Applications to bypass two-factor authentication.
You can open a feature request on the FusionAuth GitHub issue tracker here: https://github.com/FusionAuth/fusionauth-issues if you want. Please provide as much detail about the use case and why some Applications allow two-factor while others don't. This will help the FusionAuth team assess the implications of adding this feature.
Related
I'm in a real build or buy struggle. GCP identity platform would serve almost all our needs.
Basically I want to build usermanagement on my own (including rbac and groups) and ONLY want to solve Login and tokens with the below requirements. I know quite a bit about jwt and authentication in general. The question I'm asking my self is just of its better to build a solution on my own or to use one existing.
Is there any alternative which supports the following:
multi tenancy (at scale >10k tenants)
MFA
social login
SSO with oidc and saml
and of course persistence (using refresh tokens)
Are there any tipps for self building? Are there any alternatives? Any direction is greatly appreciated 🙏
PS:
None of these are what I need: Ory, keycloak, okta, auth0, fusionauth, gluu
USER DATA
When you integrate OAuth there are always 2 sources of user data:
The identity data's view of users
Your own business data's view of users
I think what you are saying is that you want finer control over user data, while also externalising difficult security work.
TOKENS AND CLAIMS
The identity system should be able to include values such as Tenant ID in access tokens, regardless of which data source each value is stored in.
Similarly the User ID in your business data is also likely to be needed in tokens. This value should be provided to your APIs in a consistent way, regardless of how the user signs in, and this is managed via account linking.
DESIGNING END-TO-END FLOWS
The main thing is to think through how these will work, for both new and existing users. This detailed Curity article provides some worked examples.
CHOOSING A SOLUTION
Don't choose a third party identity system until you've designed your end to end flows and clarified your requirements. The key thing about OAuth is that it requires extensible building blocks, rather than being an out of the box solution.
Some companies start with home grown identity microservices, which can become a lot of work, but may be ok in the early days. I always recommend keeping application code portable, so that you can migrate to a better provider in future, if needed.
Are you only considering open source solutions? Azure AD ticks all of your boxes.
You should not implement security logic like authorization or authentication or encryption yourself. IMO its always better to use an existing solution - especially features like MFA are not trivial to implement.
None of these are what I need: Ory, keycloak, okta, auth0, fusionauth, gluu
Why is that? It seems to me most of those are a good option for you - especially the open source ones
I have an application where users of my organization, who are not users of this application can register themselves in the first log. When they register, they can choose one or more app's profiles, like contract manager, supervisor etc. These profiles have specific authorization schemes per page, buttons, regions in app. The user must logoff and login again at the inicial log to see these menu's references
Do you know of any way that these menu's references could be viewed/activated in the first of all logs?
The oracle apex version is 5.1.4.
Regards.
I'm answering my own question as follows:
I do a self-criticism for the question because I consider it to have failed to take into account all aspects of information security. Even though I'm always careful about security, a solution of this kind might attend me, considering a IT's well secure work's scenario, but may not be the case for all environments.
I would consider this a valid question for security experts, who could see in the scenario that I proposed, a failure in the APEX environment, in which I have not yet seen.
In a legacy Windows Forms application, users are now identified by an LDAP query. In essence, they scan their badge (barcode) and the application runs an LDAP query to get user attributes.
I know, from a security perspective, this is bad, but usability is more important than security in this case (we're talking about machine operators and they just need to sign-in / sign-off).
Now, we would like to move to a web-based architecture and the simplest thing would be to run the LDAP queries from the back-end to achieve the same.
However, I was wondering if we could switch to a more secure solution using ADFS and RFID/NFC badges, but I can't find any existing implementation. (I'm not looking for 2FA).
So, I'm trying SO, knowing this question can result in opinionated answers: if anyone has experience with a similar use-case, please stand up.
ADFS doesn't do this OOTB.
You could write a custom authentication feature or use the MFA server.
I see you don't want MFA but if you look at the screenshot, it does more than MFA.
We are developing an API Rest services layer using Zend Rest Server framework.
The thing is that we would like to implement the login system using tokens but we are not sure how should it work if user do login in from several devices or browsers at a time.
Any suggestions?
Thanks in advance
Basically these could be some basic guidelines:
Make a normal (Form) login
Implement a token based Authentication and Authorization mechanism in paralel with your normal (Form) login
Issue tokens on every unique login, have the tokens expire in say 10-15 minutes (or whatever)
Don't worry about the different devices - all separate logins will have separate PHPSession Ids. But also manage the devices - one unique login == one token. So different simultaneous logins == different tokens. It is worth it to mention that this may not be the exact case for some devices and especially if you're not handling sessions (or and cookies) properly. Apple devices had some problems with this but you should do your own research.
This could be the basis. Extend and re-evaluate this approach. Also keep in mind the difference between Authentication and Authorization - this is very well formulated here.
Also you could implement OAuth as a base for the authentication system.
How to set password (the best if it was in database, so Entity with one record) on some pages (create/edit/delete view and controllers)? It can be redirect to entrance page with form with password field.
I would also recommended you to go with 'spring security core' plugin.
By using spring security core you will be able to :
(1) secure all of your project's possible URLs
(2) provide access to required pages to particular role
(3) assign one or more then one role to particular user
(4) manage individual users with basic information as well as storing password into encrypted form etc.
(5) Its in-built reach set of tag library will help you alot to reduce the logical code.
Apart from the above, the major advantage of using spring security core would be its simplicity and extensibility. As its advance features like :
LDAP
ACL
OpenID
CAS etc
are available with different plugins.
Also there is one more plugin called 'spring security ui' is available, which will provide you all the UI pages (with gsps,controllers) just in a minute.
I have used this plugin in my project before one year, and I would strongly recommended everyone to use it...
You can have a look into its simple User guide which is available here.
Use one of the security plugins, and make the actions that you want to protect only available to users with a particular role. If an unauthenticated user tries to access one of these actions, they will be prompted to login and invocation of the action will only be allowed thereafter if they have been assigned the relevant role.
The spring security plugin is a reasonable choice as it provides the functionality you need and probably the most popular of the Grails security plugins.