Add support for U2F fido standard
Descriptive title for this enhancement
Add support for U2F fido standard
Actual behavior
no U2F support
Expected behavior
support the U2F standard to allow two-factor authentication on FusionDirectory with a YubiKey or OTP
Step by step description of new behaviour
- Add U2F support to fusiondirectory
- Test code with yubikey
https://developers.yubico.com/U2F/
Benefits
Allow the user to set up his YubiKey or OTP to connect to FusionDirectory
Possible Drawbacks
none
Applicable Issues
login
Activity
- bmortier changed the description
By bmortier on 2018-02-26T09:32:40 (imported from GitLab)
- bmortier added 10m of time spent at 2018-02-26
By bmortier on 2018-02-26T09:32:55 (imported from GitLab)
linked to https://gitlab.fusiondirectory.org/fusiondirectory/fd/issues/5778
By bmortier on 2018-03-14T08:40:59 (imported from GitLab)
- bmortier added PJ1802-0188 label
By bmortier on 2018-03-17T21:21:01 (imported from GitLab)
- bmortier changed milestone to %FusionDirectory 1.4
By bmortier on 2018-03-26T09:11:02 (imported from GitLab)
- bmortier changed due date to July 29, 2019
By bmortier on 2019-07-24T07:48:51 (imported from GitLab)
- bmortier mentioned in issue #5262 (closed)
By bmortier on 2019-07-24T07:52:36 (imported from GitLab)
PHP server library: https://developers.yubico.com/php-u2flib-server/ To support this we would need to store keys somewhere (LDAP I guess) and provide a way to add them. (We should also look at how LLNG does it, if they store the keys in-ldap.)
By Côme Chilliet on 2019-08-06T12:50:56 (imported from GitLab)
- bmortier added 30m of time spent at 2019-08-06
By Côme Chilliet on 2019-08-06T12:50:57 (imported from GitLab)
- bmortier removed due date
By bmortier on 2019-08-07T13:41:46 (imported from GitLab)
- bmortier changed due date to August 12, 2019
By bmortier on 2019-08-07T13:41:51 (imported from GitLab)
- bmortier changed due date to September 09, 2019
By bmortier on 2019-08-13T08:15:29 (imported from GitLab)
- It appears U2F is superseded by WebAuthn: https://en.wikipedia.org/wiki/WebAuthn https://webauthn.guide/
- WebAuthn cannot work without javascript: https://github.com/w3c/webauthn/issues/1255
- It seems that U2F cannot either, but the documentation is really not clear about that
- LLNG is not storing U2F info in the LDAP but in its session system
- Gluu appears to store U2F information in the LDAP and have a schema for this: https://gluu.org/docs/ce/reference/schema/#oxdeviceregistration
By Côme Chilliet on 2019-08-14T12:35:49 (imported from GitLab)
- bmortier added 2h of time spent at 2019-08-14
By Côme Chilliet on 2019-08-14T12:35:49 (imported from GitLab)
We're in the process of building a lightweight SSO server (SAML and OIDC) with 2FA support (TOTP and WebAuthn) and a token self-registration portal. (LLNG and the other available SSO solutions don't meet our needs.)
We're storing all token and session data in LDAP, and would very much like to coordinate with you on this (we use FusionDirectory for general LDAP editing). We're also happy to piggyback on existing schemas.
(FWIW, I also am co-chair of W3C's Technical Architecture Group and agree that WebAuthn is the way to go here, don't bother with U2F directly.)
By Peter Linss on 2019-10-30T14:16:00 (imported from GitLab)
hello @plinss,
we are starting to look at how to code this. We will be happy to collaborate with you on this; we can discuss here, but maybe it's better to discuss this on the developer mailing list so more people can contribute:
https://lists.fusiondirectory.org/wws/subscribe/developpers?previous_action=info
Cheers
By bmortier on 2019-10-30T14:15:59 (imported from GitLab)
- bmortier changed due date to October 22, 2019
By bmortier on 2019-10-09T09:06:45 (imported from GitLab)
The PHP library fit for this seems to be https://packagist.org/packages/web-auth/webauthn-lib but it requires PHP>=7.2.
I guess the login workflow would be something like: in the login process, after the user has been successfully logged in against LDAP, if the user has a 2nd factor enabled, show him an intermediate page for this (like GitLab does). On this page, have the necessary JavaScript code to require the 2nd factor and validate it. When validated, redirect to main.php.
In the user edition, we'll need a plugin (user tab) allowing to store and manage devices, which will have to use JavaScript as well. It may use the https://gluu.org/docs/ce/reference/schema/#oxdeviceregistration schema if it fits, I'm not sure yet.
By Côme Chilliet on 2019-10-23T12:41:15 (imported from GitLab)
- bmortier added 2h of time spent at 2019-10-23
By Côme Chilliet on 2019-10-23T12:41:15 (imported from GitLab)
Other PHP libraries for WebAuthn:
They have fewer dependencies but their demos are not working on my machine :-/
By Côme Chilliet on 2019-10-23T12:48:24 (imported from GitLab)
Edited by bmortier
I tested https://github.com/davidearl/webauthn and https://github.com/lbuchs/WebAuthn; the two are working for me but I'm using FF70.
By Jonathan Swaelens on 2019-10-23T13:16:49 (imported from GitLab)