Comments (8)
Do the admin UI and the API share the same firewall? If not, would it be possible to give each one its own firewall? That would make things much easier. Ideally, please share your security.yaml so I get a better idea how your application works.

A question that I can already answer:

> How can I config the same provider twice (I want to use a different server_name and issuer for each interface)

You can't. You could try to do some dependency-injection magic and inject different values into `scheb_two_factor.security.google_totp_factory` depending on the context. Or duplicate all the code for the Google Authenticator provider as a custom provider. But then it would not be the same Google Authenticator provider; you'd need to have it configured twice for each user, one for the UI, another one for the API.
from two-factor-bundle.
Thanks for the quick reply, I use two firewalls:
```yaml
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    admin:
        pattern: ^/admin
        anonymous: ~
        form_login:
            login_path: /admin/inloggen
            check_path: /admin/login_check
            default_target_path: /admin
        logout:
            path: /admin/logout
            target: easyadmin
        two_factor:
            auth_form_path: 2fa_login
            check_path: 2fa_login_check
        guard:
            authenticators:
                - ConnectHolland\UserBundle\Security\UserBundleAuthenticator
    api_login:
        pattern: ^/api/users/authenticate
        stateless: true
        anonymous: true
        provider: app_user_provider
        json_login:
            check_path: /api/users/authenticate
            success_handler: lexik_jwt_authentication.handler.authentication_success
            failure_handler: lexik_jwt_authentication.handler.authentication_failure
            require_previous_session: false
    api:
        pattern: ^/api
        stateless: true
        anonymous: true
        provider: app_user_provider
        json_login:
            check_path: /api/users/authenticate
            success_handler: lexik_jwt_authentication.handler.authentication_success
            failure_handler: lexik_jwt_authentication.handler.authentication_failure
            require_previous_session: false
        guard:
            authenticators:
                - lexik_jwt_authentication.jwt_token_authenticator
```
from two-factor-bundle.
I see a problem there: your API has stateless security. To do two-factor authentication you have to keep some state between requests, because you have to know if the user has already passed 2fa or not. Normally, this is done through security token/session management.
There is no easy way to do this. I had a discussion a while ago on the same issue: #141
As an outcome of this discussion, some new configuration options for custom handlers have been added to the bundle. They allow you to customize the handlers so that they return an API response instead of doing the default behavior (redirecting).
```yaml
# config/packages/security.yaml
security:
    firewalls:
        yourFirewallName:
            two_factor:
                success_handler: acme.custom_success_handler  # Use a custom success handler instead of the default one
                failure_handler: acme.custom_failure_handler  # Use a custom failure handler instead of the default one
                # Use a custom authentication required handler instead of the default one.
                # This can be used to modify the default behavior of the bundle, which is always redirecting to the
                # two-factor authentication form when two-factor authentication is required.
                authentication_required_handler: acme.custom_auth_required_handler
```
And you should also replace `lexik_jwt_authentication.handler.authentication_success` with a custom implementation that checks if a `TwoFactorToken` is present. In that case return the "you have to do 2fa" API response, otherwise fall back to the behavior of `lexik_jwt_authentication.handler.authentication_success`.

The tricky part is in fact how to restore the `TwoFactorToken` in succeeding requests as long as the 2fa hasn't been completed yet. That's the thing you'd need to find out, maybe this post no 2) works for you?
Would be curious to learn if that approach works. I'd like to write a little "how-to" for stateless firewalls, because that question is coming up every once in a while.
from two-factor-bundle.
Thanks for the solution direction, I'll let you know if I can get things to work.
from two-factor-bundle.
I got 2FA on JWT working, but took a different approach.
I created a security provider (as described in https://symfony.com/doc/current/security/custom_authentication_provider.html) that:
- Creates a token with a username, password and challenge
- Does the default auth on the username and password
- Returns a QR code if the challenge is empty and Google auth is not yet set up
- Returns the message "please provide a 2FA challenge" if the challenge is empty
- Sets the JWT token if username, password and challenge are all present and correct
from two-factor-bundle.
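The following is an added example, written for this thread; it is not code from the two-factor-bundle, the secure-jwt-bundle or any comment above. It shows the single-request flow RonRademaker lists (username, password and challenge checked together) in plain PHP, and why it sidesteps the problem scheb raises: because password and TOTP code are verified in the same request, no `TwoFactorToken` has to survive between requests on a stateless firewall. The user store, the function names `authenticateStateless()`, `issueJwt()`, `verifyTotp()`, the HS256 key and the `otpauth://` issuer name are all constructed for the example; the TOTP arithmetic follows RFC 6238 and the JWT stands in for what lexik_jwt_authentication would issue.

```php
<?php
// Added example, not from the thread or either bundle. Hypothetical names: $users,
// authenticateStateless(), issueJwt(), verifyTotp(); the key and secret are constructed.
declare(strict_types=1);

// Constructed in-memory user store: password hashes plus an optional base32 TOTP secret
// (base32 is what the Google Authenticator otpauth URI carries). bob is not enrolled yet.
$users = [
    'alice' => ['password_hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'totp_secret' => 'JBSWY3DPEHPK3PXP'],
    'bob'   => ['password_hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'totp_secret' => null],
];

function base32Decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $bits .= str_pad(decbin((int) strpos($alphabet, $c)), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }
    }
    return $out;
}

// RFC 6238 TOTP: HMAC-SHA1 over the 30-second step counter, dynamic truncation, 6 digits.
function totp(string $secretB32, int $timestamp, int $period = 30, int $digits = 6): string {
    $counter = pack('J', intdiv($timestamp, $period)); // 64-bit big-endian counter
    $hash = hash_hmac('sha1', $counter, base32Decode($secretB32), true);
    $offset = ord($hash[19]) & 0x0f;
    $code = (unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff) % (10 ** $digits);
    return str_pad((string) $code, $digits, '0', STR_PAD_LEFT);
}

// Accept the current step and one step either side to tolerate clock drift; constant-time compare.
function verifyTotp(string $secretB32, string $challenge, int $now): bool {
    foreach ([-1, 0, 1] as $drift) {
        if (hash_equals(totp($secretB32, $now + 30 * $drift), $challenge)) { return true; }
    }
    return false;
}

function base64url(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }

// Minimal HS256 JWT standing in for the token lexik_jwt_authentication would issue.
// The amr claim records that both password and OTP were verified.
function issueJwt(string $username, int $now, string $key): string {
    $header  = base64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64url(json_encode(['sub' => $username, 'iat' => $now, 'exp' => $now + 3600, 'amr' => ['pwd', 'otp']]));
    $sig = base64url(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

// One stateless request carries username, password and challenge, so nothing has to be
// remembered between requests: the whole 2FA decision is made here.
function authenticateStateless(array $users, array $request, int $now, string $jwtKey): array {
    $user = $users[$request['username'] ?? ''] ?? null;
    // Verify against a dummy hash for unknown users so timing does not reveal valid usernames.
    $hash = $user['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($request['password'] ?? '', $hash) || $user === null) {
        return ['status' => 401, 'error' => 'invalid_credentials'];
    }
    $challenge = trim((string) ($request['challenge'] ?? ''));
    if ($user['totp_secret'] === null) {
        // Not enrolled: return the provisioning URI the client renders as a QR code.
        // A real implementation generates and persists a fresh secret here (placeholder below).
        $uri = 'otpauth://totp/ExampleApp:' . rawurlencode($request['username']) . '?secret=PLACEHOLDER_SECRET&issuer=ExampleApp';
        return ['status' => 403, 'error' => 'enrollment_required', 'otpauth_uri' => $uri];
    }
    if ($challenge === '') {
        return ['status' => 401, 'error' => 'challenge_required', 'message' => 'please provide a 2FA challenge'];
    }
    if (!verifyTotp($user['totp_secret'], $challenge, $now)) {
        return ['status' => 401, 'error' => 'invalid_challenge'];
    }
    return ['status' => 200, 'token' => issueJwt($request['username'], $now, $jwtKey)];
}

// Constructed requests against the store above, at a fixed clock.
$now = 1700000000;
$key = 'constructed-hs256-key-do-not-reuse';
$code = totp('JBSWY3DPEHPK3PXP', $now); // what alice's authenticator app would display
foreach ([
    ['username' => 'alice', 'password' => 'wrong',          'challenge' => $code],   // invalid_credentials
    ['username' => 'bob',   'password' => 'battery staple', 'challenge' => ''],      // enrollment_required
    ['username' => 'alice', 'password' => 'correct horse',  'challenge' => ''],      // challenge_required
    ['username' => 'alice', 'password' => 'correct horse',  'challenge' => '000000'],// invalid_challenge (almost surely)
    ['username' => 'alice', 'password' => 'correct horse',  'challenge' => $code],   // 200 with JWT
] as $req) {
    echo json_encode(authenticateStateless($users, $req, $now, $key)), PHP_EOL;
}
```

Run it with `php example.php`. The design point is that the password check and the TOTP check fail closed in the same place: a wrong password never reveals whether the user is enrolled, an empty challenge never yields a token, and the JWT is only minted after both factors pass, which is what makes the flow safe to run on a `stateless: true` firewall without the session-backed `TwoFactorToken` the bundle normally relies on.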
@RonRademaker Could you please share your solution?
from two-factor-bundle.
Hello @tumbochka, I plan to open source our solution next week
from two-factor-bundle.
@RonRademaker Could you please share your solution?
I've made an open source bundle that has several options to make JWT more secure, including a 2FA implementation, at https://github.com/ConnectHolland/secure-jwt-bundle
from two-factor-bundle.