backpackforlaravel: how can we override login controller to integrate 2fa? - laravel-backpack

Actually, the magnificent piece of software called Backpack for Laravel cannot natively handle 2FA auth, for now, as of May 2022.
We would like to add this package to your project: https://github.com/thecodework/two-factor-authentication
To be able to integrate with Backpack for Laravel we must override the login controller of Backpack.
How can we do it?

As much as I would like to have everything integrated with Backpack, unfortunately time/money/tech does not allow us to do that. I really hope sometime I can dedicate more of my time to these "goodies" (2FA, GraphQL etc. etc.).
For now, we've just added a simple way for people that don't want to use the default Backpack auth to disable it and implement their own auth mechanism if needed.
https://backpackforlaravel.com/docs/5.x/base-how-to#customizing-the-auth-controllers
Don't stop at this tag (customizing the auth controllers); further down that page there is more info about auth that could help you here.
If you need my help with something you know where to find me.
Cheers

We reached our goal by overriding the LoginController and ResetPasswordController of Backpack.
To be precise: after a successful login, we immediately log out, send the OTP code via SMS and redirect to a form where we ask for this code.
Then, when the code is posted, with a hash in the DB, we can check user, hash, token and validity of the token.
If all are valid, we actually log in the user.
For password recovery, after changing the password, instead of redirecting to home or similar we log out and redirect to login so the user can log in without bypassing OTP.

Related

Keycloak disable user after registration

I'm new to Keycloak and I thought this would be super easy, but I can't find a solution. If a new user registers, he should be disabled by default, till an admin enables the user manually. Is there a simple solution for that? Thank you in advance and best wishes!
Create an SPI for RegistrationUserCreation where on processResponse you disable the user.
Then use this registration in the login flow.
If you look at the Keycloak server page https://www.keycloak.org/docs/6.0/server_admin/ in 4.8. User Registration: if a user is registered, he would not be disabled by default, and there is no option for that. The only thing you can do is to require a few actions from the user, like changing the password or requiring email verification. Or you can disable the user from the admin console.
Think about it: if a new user goes through the whole process to register just to be disabled by default, what's the point of enabling registration?

Keycloak Authentication with mobile number and otp

I'm implementing the Keycloak authentication with vertx. I would like to customize login flow, instead of username/password form I want to login via mobile number and OTP.
Can anyone help me if they have created any custom required action provider in Keycloak?
Thanks in advance.
I think this would be doable in Keycloak now with the Authenticator SPI. Please have a look at this code; you will get to know that you can revamp the full login flow without much issue.
The same can be rewritten for login from a mobile number.
Please have a look at this API, keycloak-sms-authenticator; it will give much flexibility to do SMS-based authentication without writing many lines of code.
Here is another good piece of official documentation, Custom User Attributes, on how to use a mobile number.

Using the Ionic Auth Service and my custom API

Many mobile apps require user login. That's why Ionic launched their Auth service (https://docs.ionic.io/services/auth/). I can create users via the Auth service itself or via the Ionic API. I also can save custom data for each user. Very nice is also that I can send targeted push notifications to my users. Seems like a nice out-of-the-box solution.
But most of the time apps have more complex logic (user can post something, user can order something, make a payment, ...). The simple user with some attributes from Ionic does not help much in those cases.
So I need to authorize the users not only inside the app but also against some custom API. And this is where my questions come up...what's the best way to do this?
Some things that came to my mind:
When creating the user in Ionic, also create the same user with the same email and password in my API. So I can make authorized requests. But this does not use any token and I would have to pass my password in every request; also I am worried about data consistency. What if the user changes their password?
Use the internal Ionic user ID, create one global token and use user ID and global token to authenticate the user in my API. But is this secure?
Another worry in my mind: if I save user name, email etc. in the Ionic Auth system I would have to access it via their API every time I need it in my own system. For example: a user orders a product in the app. Then my system needs to send out a confirmation to the user. I would have to access the Ionic API to know that user's email... and so on.
I think this is all confusing.
Is Ionic Auth not made for those situation? Then, I don't see what it's made for at all...
Is ionic Auth just not there yet...?
Am I just not getting it?

Identity Server 3 - Silent sign-in / sign in without login page. Including single sign on

I have come across a number of articles that discuss a similar matter but I cannot find a definitive answer.
My company would like to begin using Identity Server 3, however one of the requirements is to be able to authenticate an external user without them having to manually enter their credentials.
This must be capable of providing single sign on capabilities also as we have 3 different systems and our users should only have to sign in once.
Essentially, the external user has their own CRM.
The CRM holds their username and password for our software.
They then click a button in their CRM to launch our application.
This redirects them to our website with a payload containing their credentials.
We call a web service to authenticate the user.
It is fundamental that we do not change this process for our partners.
Can I implement a custom service provider to provide the authentication or is there some other way of achieving this? If so, could you point me in the right direction for how this can be done?
Many thanks
Craig
I would assume that you'd create a mechanism for their CRM to get a token at the time the client logs into their site and then have them send that token via url to your callback page. This would use the machine-to-machine type grant, or the client-credentials flow. Then that page could validate the token and log the user in. There would have to be some sort of unique identifier between the two systems like email or something. Just an idea.

LDAP Authentication CGI

I have a simple webpage deployed to tomcat which runs certain shell scripts based on user selection. The pages are written in html and cgi/perl.
We already have a working ldap server and directory. I need to be able to add security to the web page I created so a user is asked to login using their ldap account when trying to access the home page or any off the sub pages.
How do I add ldap authentication to my web page?
Please be very specific as I am new to all of this. Step by step instructions including code would be greatly appreciated. Thank You
I did a lot of research on google, but all of the solutions are generic, and I don't know where to start.
This is a good article, but I'm not sure where do I put my connection to ldap and the binding (which of my pages)? How do I make sure the authentication will apply to the sub pages as well, or any other one created in the future?
http://www.perlmonks.org/?node_id=32196
Cheers
"This is a good article, but I'm not sure where do I put my connection to ldap and the binding (which of my pages)? How do I make sure the authentication will apply to the sub pages as well, or any other one created in the future?"
You're now adding state to your app. You might initially think about implementing your authentication (authn) and authorization (authz) in tomcat, and not in your app.
If you decide not to implement in Tomcat, and choose to implement in Perl, then you've just decided to add state to your application, which means you need to add some kind of session handling. Look at CGI::Session; there are many other session handling modules on CPAN. Avoid Apache::Session. Its lock handling can cause lots of pain if transactions run long. Use a session key in a cookie. Send everything over SSL. If you don't use SSL, then crackers can intercept your session keys, and then hijack the sessions.
Once you have your session infrastructure set up, you need to create a login mechanism, usually a form with username and password. When that form is submitted, the CGI behind it does its magic crypto on the password and then does the LDAP dance:
1. Connect to the directory server if no connection already exists.
2a. bind to the server anonymously or as an application user, search for the user by CN, bind as the user using DN and password
OR
2b. Compute the DN from the username, bind with the DN and the crypto'd password.
Often, step 3 is to check the user's record for some authorization indicator, it could be a yes/no access indicator, or it could be a list of roles or privileges.
If the user is successfully authenticated, and authorized, then write some authorization info into the user's session.
Each subsequent page of your app will then check to see if the user is logged in and/or has the proper authz to use that page. If unauthorized, you can either send them back to the post-login landing page, or to the login page if they aren't logged in.
Basically, you are just replacing the usual "query the user table of the database" with an LDAP query to a directory server.
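The steps 1 to 3 above written out as one Perl function, as an added example rather than code from the answer's author: it uses Net::LDAP, and the LDAP host, base DN, service-account DN and the appRole attribute are placeholders you would replace with your own directory's values.

```perl
#!/usr/bin/perl
# Added example (not from the original answer): the "LDAP dance" from
# steps 1-3 as one reusable function. Host, base DN, service-account DN
# and the appRole attribute are placeholders for your own directory.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $LDAP_HOST = 'ldaps://ldap.example.internal';              # placeholder
my $BASE_DN   = 'ou=People,dc=example,dc=com';                # placeholder
my $APP_DN    = 'cn=webapp,ou=Services,dc=example,dc=com';    # placeholder

# Step 1: reuse the connection when one exists, otherwise connect over TLS
# and require a valid server certificate.
my $ldap;
sub ldap_conn {
    return $ldap if $ldap;
    $ldap = Net::LDAP->new($LDAP_HOST, verify => 'require') or die "ldap: $@";
    return $ldap;
}

# Steps 2a + 3: bind as the application account, search for the user,
# bind as that user with the password the login form posted (the directory
# verifies it against its stored hash), then read the authorization data
# from the user's record. Returns an arrayref of roles, or undef on failure.
sub authenticate_user {
    my ($username, $password) = @_;
    return undef unless defined $username && defined $password && length $password;
    my $conn = ldap_conn();

    # Application bind with a read-only service account (password from env).
    my $m = $conn->bind($APP_DN, password => $ENV{APP_BIND_PW});
    return undef if $m->code;

    # Escape the username so a crafted login value cannot alter the filter.
    my $filter = '(uid=' . escape_filter_value($username) . ')';
    my $res = $conn->search(base => $BASE_DN, scope => 'sub',
                            filter => $filter, attrs => ['appRole']);
    return undef if $res->code || $res->count != 1;   # unknown or ambiguous
    my $entry = $res->entry(0);

    # User bind: the directory, not the CGI, checks the password.
    $m = $conn->bind($entry->dn, password => $password);
    return undef if $m->code;

    # Step 3: authorization comes from the record, not from the bind alone.
    my @roles = $entry->get_value('appRole');
    return undef unless @roles;
    return \@roles;
}
```

On success the login CGI stores the returned roles in the CGI::Session and issues the session cookie; every other page then checks the session's roles before running its script, as the answer describes.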