This is a kind of dynamic sequence based on different factors like per user, per group, right? Do you guys have a concrete plan for this? Then shall we discuss this design before jumping to the code?
*Harsha Thirimanna*
Associate Tech Lead | WSO2
Email: [email protected]
Mob: +94715186770
Blog: http://harshathirimanna.blogspot.com/
Twitter: http://twitter.com/harshathirimann
LinkedIn: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
<http://wso2.com/signature>

On Fri, Oct 7, 2016 at 12:10 PM, Kathees Rajendram <[email protected]> wrote:

> Thanks for the comments and suggestions.
>
> The subject may be misleading. We need to create a utility component with common use cases. Basically we are providing a generalized component, and the common use cases are applicable for most authenticators.
>
> As you said, the alternative authentication flow is not at authenticator level, and a use case for the IS framework is: if we configure an authenticator flow for a particular SP, that will be applicable for all users. Based on the user role or the policy, we need to have an authentication access model. For example: for a particular user group, we need to enable a two-factor authenticator (Basic + SMS OTP); for another user group, we need to have Basic + another factor (Basic + RSA or Token2); and for some other user group, we need basic or social login. This should be configurable.
>
> We are building common use cases for the authenticators [1]. Please add anything we can include at authentication level.
>
> [1] - https://store.wso2.com/store/assets/isconnector/list
>
> Thanks,
> Kathees
>
> On Thu, Oct 6, 2016 at 2:43 PM, Ishara Karunarathna <[email protected]> wrote:
>
>> Hi Malaka.
>>
>> On Thu, Oct 6, 2016 at 12:25 PM, Malaka Silva <[email protected]> wrote:
>>
>>> On Thu, Oct 6, 2016 at 10:31 AM, Ishara Karunarathna <[email protected]> wrote:
>>>
>>>> Hi Malaka.
>>>>
>>>> On Thu, Oct 6, 2016 at 9:42 AM, Malaka Silva <[email protected]> wrote:
>>>>
>>>>> Hi Ishara,
>>>>>
>>>>> I guess the subject is a bit misleading. What we are trying to achieve here is to put common functionalities used by all / most of the IS extensions.
>>>>>
>>>>> For example, we have done an improvement to TOTP to support multi-tenancy. This logic is built into TOTP and that is wrong. So we are planning to have these in this module.
>>>>>
>>>> I think here you are trying to implement a utility component to be used in authenticators.
>>>>
>>> Yes.
>>>
>> Then +1 for having a utility component with common use cases.
>>
>>>>> On Thu, Oct 6, 2016 at 9:29 AM, Ishara Karunarathna <[email protected]> wrote:
>>>>>
>>>>>> Hi Kathees,
>>>>>>
>>>>>> On Wed, Oct 5, 2016 at 2:12 PM, Kathees Rajendram <[email protected]> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I am working on creating a common extension framework for IS authenticators.
>>>>>>>
>>>>>> Can you explain more on this? What is the existing problem and how is this framework going to fix it?
>>>>>>
>>>>>> At the moment we have an authentication framework where we mainly handle the authentication related operations, and authenticators are one of the connectors that can be plugged in to the authentication framework. So why do we need another framework for authenticators?
>>>>>>
>>>>>> And I think the following items are also more specific to authenticators, and I don't think we can use them in all authenticators.
>>>>>>
>>>>>> Thanks,
>>>>>> Ishara
>>>>>>
>>>>>>> In the extension common framework, I am planning to add the following features which can be reused in authenticators.
>>>>>>>
>>>>>>> - Federated authenticator support - Currently, the two-factor authenticator supports the basic authenticator in the first step, and federated authentication in the first factor is supported only in the TOTP authenticator. I am planning to add this federated authenticator support in the common framework so we can reuse it in all two-factor authenticators.
>>>>>>>
>>>>>>> - Account Lock/Unlock - Currently, we don't have any limit for applying the code in two-factor authenticator authentication. I am planning to add a "lock a user account" functionality [1] when a configurable number of code attempts is exceeded in the second step of authentication.
>>>>>>>
>>>>>>> - Alternative authentication steps
>>>>>>>   Backup phone no - Add a backup phone so the user can still sign in if the user loses the phone, and add an alternative step as backup phone no.
>>>>>>>   Backup codes - These printable one-off pass codes allow you to sign in when away from your phone, like when you're traveling.
>>>>>>>   Currently we have similar functionality in the SMS OTP authenticator. We will move it to the IS authenticator common framework, which can be used in other authenticators.
>>>>>>>
>>>>>> Is this specific to an authenticator?
>>>>>
>>>> Yes, I think the above listed stuff is specific to each authenticator. For example, if you think of the alternative authentication step, that alternative mechanism should have some relation with the configured authenticators. Actually it should not be a functionality of the authenticator; this is something we should implement by introducing policy-based dynamic authentication flows. Then we should be able to configure authenticators, alternative authenticators, security levels etc. with a policy.
>>>>
>>>>>>> - HOTP and TOTP algorithm based code generation - We can reuse OTP code generation in the SMS [2], Email OTP [3] and TOTP [4] authenticators.
>>>>>>>
>>>>>>> Supporting multi-tenancy should be added.
>>>>>>>
>>>> Normally we associate an authenticator to an SP in a given tenant, so do we need to handle tenancy at authenticator level?
>>>>
>>> No, the issue is how we can keep configuration bound to a tenant in local authenticators.
>>>
>>> Eg:- Keep configs for the super tenant in a local file and per tenant in the registry.
>>>
>> Yes, this is something you can put into your component. And better to put general requirements only into that.
>>
>> -Ishara
>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>>>>> Please let me know if you have any concerns.
>>>>>>>
>>>>>>> [1] - https://docs.wso2.com/display/IS520/User+Account+Locking+and+Account+Disabling
>>>>>>> [2] - https://docs.wso2.com/display/ISCONNECTORS/Configuring+SMSOTP+Authenticator
>>>>>>> [3] - https://docs.wso2.com/display/ISCONNECTORS/Configuring+EmailOTP+Authenticator
>>>>>>> [4] - https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Kathees
>>>>>>>
>>>>>>> --
>>>>>>> Kathees
>>>>>>> Software Engineer,
>>>>>>> email: [email protected]
>>>>>>> mobile: +94772596173
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Architecture mailing list
>>>>>>> [email protected]
>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Associate Technical Lead
>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Malaka Silva
>>>>> Senior Technical Lead
>>>>> M: +94 777 219 791
>>>>> Tel : 94 11 214 5345
>>>>> Fax :94 11 2145300
>>>>> Skype : malaka.sampath.silva
>>>>> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
>>>>> Blog : http://mrmalakasilva.blogspot.com/
>>>>> WSO2, Inc.
>>>>> lean . enterprise . middleware
>>>>> https://wso2.com/signature
>>>>> http://www.wso2.com/about/team/malaka-silva/
>>>>> https://store.wso2.com/store/
>>>>> Don't make Trees rare, we should keep them with care
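The thread proposes sharing HOTP/TOTP code generation across the SMS, Email OTP and TOTP authenticators, locking an account after a configurable number of failed second-step code attempts, and printable one-off backup codes. The following is an added example of such a shared utility, written for this page; it is not code from the thread, from WSO2 Identity Server or from the connector store. It implements RFC 4226 HOTP and RFC 6238 TOTP with a constant-time comparison, backup codes stored only as digests, and a per-user verifier that locks after `max_attempts` failures. All names (`hotp`, `totp`, `LockingOtpVerifier`, ...) are the example's own, and the time-based unlock after `lock_seconds` is an assumption for illustration, not a description of how IS account locking behaves.

```python
"""Added illustration (not WSO2 Identity Server code, not from the thread):
a shared OTP utility of the kind the thread proposes.  It implements RFC 4226
HOTP and RFC 6238 TOTP, one-off backup codes, and a per-user verifier that
locks the account after a configurable number of failed code attempts.  All
names (hotp, totp, LockingOtpVerifier, ...) are this example's own; the
time-based unlock after `lock_seconds` is an assumption for illustration."""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, reduce modulo 10**digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time `at`."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps (clock
    drift).  Every candidate is compared in constant time and none is skipped,
    so timing does not reveal which step (if any) matched."""
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step, digits)
        matched |= hmac.compare_digest(expected, code)
    return matched


def new_backup_codes(count: int = 8, nbytes: int = 5):
    """Printable one-off codes: return (plaintext to show the user once,
    SHA-256 digests to persist).  Only the digests are stored."""
    codes = [secrets.token_hex(nbytes) for _ in range(count)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_backup_code(stored_digests: set, code: str) -> bool:
    """Consume a backup code on first use; a reused code is rejected."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored_digests:
        stored_digests.discard(digest)
        return True
    return False


@dataclass
class LockingOtpVerifier:
    """Second-step verifier that counts failed code attempts per user and
    locks the user once `max_attempts` is reached.  In-memory dicts stand in
    for whatever store a real authenticator would use."""
    max_attempts: int = 3
    lock_seconds: int = 300
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, user: str, now: int) -> bool:
        return self.locked_until.get(user, 0) > now

    def check(self, user: str, secret: bytes, code: str, now: int) -> str:
        """Return 'locked', 'ok' or 'bad'.  A locked user is refused without
        evaluating the code, so guessing cannot continue while locked."""
        if self.is_locked(user, now):
            return "locked"
        if verify_totp(secret, code, now):
            self.failures.pop(user, None)
            return "ok"
        attempts = self.failures.get(user, 0) + 1
        if attempts >= self.max_attempts:
            self.failures.pop(user, None)
            self.locked_until[user] = now + self.lock_seconds
            return "locked"
        self.failures[user] = attempts
        return "bad"


if __name__ == "__main__":
    seed = b"12345678901234567890"            # RFC 4226 / RFC 6238 test secret
    print("HOTP counter 0 :", hotp(seed, 0))  # RFC 4226 vector: 755224
    print("TOTP now       :", totp(seed, int(time.time())))
    codes, digests = new_backup_codes()
    print("backup code ok :", redeem_backup_code(digests, codes[0]))
    print("reuse rejected :", redeem_backup_code(digests, codes[0]))
```

The verifier refuses a locked user before touching the code, and the drift window is evaluated in full with `hmac.compare_digest` rather than returning on the first match, so neither the lock state nor the matching step is observable through response time. The RFC 4226 and RFC 6238 published test vectors (secret `12345678901234567890`) can be used to confirm the generator.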
