Smart Card Authentication (authelia issue, closed, 6 comments)

lyzstrik commented on June 5, 2024
Smart Card Authentication

from authelia.

Comments (6)

james-d-elliott commented on June 5, 2024

How would Authelia communicate with the Smart Cards?


lyzstrik commented on June 5, 2024

@james-d-elliott The smart card contains the certificate along with the private key. The user should install an OpenSC module on their PC to ensure proper recognition of the smart card. After that, during authentication, Authelia prompts the client for the certificate. The client selects the certificate from the card, enters their PIN code, and is then authenticated.


james-d-elliott commented on June 5, 2024

I think this could do with some links to documentation on the relevant libs and/or APIs that could be leveraged to prove it's possible in this scenario. In particular, we'd need a JavaScript or web-request-based Go library that retrieves the proof of possession so that we could use the Go backend to verify it.

I'd also be interested in the proof method used with smart cards, as I am not entirely familiar, assuming it's similar to WebAuthn, where the smart card's private key is used to sign an opaque challenge. For this to be secure, how the proof is determined is really important, and we'd need to be able to supply this challenge from the backend.


lyzstrik commented on June 5, 2024

Okay, I will work on the possibility of integrating this with a Go module. If I succeed, I will get back to you to discuss how we could incorporate it into the Authelia project.


BryanJacobs commented on June 5, 2024

The easiest way to use a smart card for web authentication today is to put https://github.com/BryanJacobs/FIDO2Applet/ on the card and use it as a passkey.

The second-easiest way is to put a PIV applet on it and have it do TLS client authentication (mTLS) with a web server. If Authelia is acting as the web server it could capture the client certificate; if not, the web server itself could pass down a header.

Personally, I think FIDO2 is a better overall user experience than PIV, but PIV is more powerful in terms of centralized features (such as key revocation and delegated CAs).

I'm not sure what the compelling advantage for the user is here though, to be honest.

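A minimal Go sketch of the mTLS option described in the comment above, added here as an example (it is not Authelia's code and not from this thread): the tls.Config for the case where the Go server terminates TLS itself, and a re-verification step for the case where a front-end proxy passes the certificate down in a header. The function names, the throwaway CA and the user name are hypothetical and constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// ClientTLSConfig is the server side of the mTLS option: the handshake completes only if
// the client proves possession of the private key behind a certificate chaining to caPool.
func ClientTLSConfig(caPool *x509.CertPool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, ClientCAs: caPool, ClientAuth: tls.RequireAndVerifyClientCert}
}

// IdentityFromClientCert verifies leaf against caPool for the client-auth EKU and returns the
// name to map onto a user; a backend fed the certificate via a proxy header must run this itself.
func IdentityFromClientCert(leaf *x509.Certificate, caPool *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: caPool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err // untrusted issuer, expired, or not a client-auth certificate
	}
	if leaf.Subject.CommonName == "" {
		return "", errors.New("client certificate carries no usable identity")
	}
	return leaf.Subject.CommonName, nil
}

// DemoCAAndClient builds a constructed throwaway CA and a client certificate (a stand-in for
// the one a PIV applet would hold) so the checks run offline; errors are ignored for brevity.
func DemoCAAndClient(cn string) (*x509.CertPool, *x509.Certificate) {
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Demo Card CA"}, NotBefore: nb, NotAfter: na}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, NotBefore: nb, NotAfter: na}
	userPub, _, _ := ed25519.GenerateKey(rand.Reader) // on a real card this private key never leaves it
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, ca, userPub, caKey)
	user, _ := x509.ParseCertificate(userDER)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, user
}
```

When a proxy terminates mTLS and forwards the certificate in a header, the backend should accept that header only on the connection from the proxy, and the proxy should strip any copy of it arriving from the client; re-verification proves the certificate is valid, not that this particular request came from its holder.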

james-d-elliott commented on June 5, 2024

Yeah, I think I agree with that. Rather than reinventing the wheel, I think these options are very standard. If someone wants to implement an mTLS solution like this, then we'd welcome it. An existing FR exists for Passkeys, and they're likely to be added soon.

We do, however, appreciate the time invested in the suggestion. It's not easy when an idea is rejected, but I don't think this has a compelling reason to be implemented. This is, however, open for discussion.
