Michael Jumper created GUACAMOLE-136:
----------------------------------------

             Summary: Add support for TFA - initially Duo
                 Key: GUACAMOLE-136
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-136
             Project: Guacamole
          Issue Type: Improvement
          Components: guacamole-client
            Reporter: Michael Jumper
            Assignee: Michael Jumper
             Fix For: 0.9.11-incubating


Copied from downstream [GUAC-1574|https://glyptodon.org/jira/browse/GUAC-1574]:

{quote}
Add support for two-factor authentication to Guacamole, initially providing an 
implementation supporting [Duo|https://duo.com/], but keeping in mind that 
future implementations will likely be made for other TFA providers (similar to 
the MySQL and PostgreSQL authentication backends sharing a common core).


The Duo API makes things considerably simple, and is nicely in line with the 
authentication system already present in Guacamole. The auth process would be 
as follows:

# The user attempts to sign into Guacamole as usual.
# The authentication attempt succeeds.
# The Duo authentication extension vetoes the authentication attempt, 
requesting additional information. This request is part of the Guacamole 
extension API, and in this case would trigger the Duo prompt to appear.
# The user submits the additional information. This data is forwarded by the 
Duo API to Guacamole's authentication system, which then issues a new 
authentication request on behalf of the user with the additional data.
# The Duo authentication extension validates the additional data, allows the 
authentication attempt to succeed, and the user is in.

The specifics of this would require defining a new field type which contains 
the Duo <iframe>, and properly calling Duo's Java equivalent to their 
verify_response() function when the TFA response is received. Though their API 
is aimed at performing a POST to some arbitrary URL on the user's behalf, they 
also provide a JavaScript callback which will be invoked instead, allowing us 
to assign the field value and invoke form submit.
{quote}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
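
A simplified model of the five-step flow quoted above, added here as an illustration and not code from Guacamole or Duo. Every name, the HMAC token format and the key are constructed stand-ins for the extension API's veto and for Duo's verify_response().

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-key"        # constructed; stands in for the provider secret
PASSWORDS = {"alice": "correct horse"}  # constructed first-factor store

class InsufficientCredentials(Exception):
    """Veto: the first factor passed, but another field is required."""
    def __init__(self, field):
        super().__init__("additional field required: " + field)
        self.field = field

def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def sign_response(username, expires):
    """Hypothetical provider side: token handed to the browser after approval."""
    body = base64.urlsafe_b64encode(f"{username}|{expires}".encode()).decode()
    return body + "." + _mac(body)

def verify_response(token, now):
    """Return the username the token was issued to, or None if forged or expired."""
    body, _, mac = token.partition(".")
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return None
    try:
        username, expires = base64.urlsafe_b64decode(body).decode().rsplit("|", 1)
        return username if int(expires) > now else None
    except ValueError:
        return None

def authenticate(username, password, tfa_response=None, now=None):
    now = time.time() if now is None else now
    # Steps 1-2: the ordinary sign-in has to succeed first.
    stored = PASSWORDS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return False
    # Step 3: veto the attempt and request the extra field (the TFA prompt).
    if tfa_response is None:
        raise InsufficientCredentials("tfa-response")
    # Steps 4-5: the resubmitted request carries the signed response; accept it
    # only if it verifies and was issued to the same user who passed step 2.
    return verify_response(tfa_response, now) == username
```

The final comparison against `username` is what stops a valid response issued to one account from completing another account's sign-in.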
