On 27.2.2014 16:51, Nathaniel McCallum wrote:
On Thu, 2014-02-27 at 13:35 +0100, Petr Vobornik wrote:
On 21.2.2014 15:24, Petr Vobornik wrote:
On 10.2.2014 14:12, Petr Vobornik wrote:
On 13.1.2014 17:09, Petr Vobornik wrote:
Hi,
these patches implements the OTP Web UI.
Last 5 patches is the OTP UI.
First 6 patches is a little refactoring/bug fixes needed for them.
General password dialog is introduced to avoid another implementation.
Self-service UI is implemented to be very simple. Atm user can choose
only token name. Admin interface allows to enter all values.
It's based on the RCUE work -> we need to push RCUE first. Thanks
Nathaniel for review of the last font package. It will speed things up.
Know bugs:
- there is clash in id's of checkboxes preventing editation of
subsequently displayed ones with the same name. Will be fixed in
separate patch.
- bugs caused by bugs in API (adding/removal of own tokens in
self-service, inability to enter key on token creation -
https://fedorahosted.org/freeipa/ticket/4099)
- datetime format (widget+validator) will be implemented in separate
patch
- no support of not reviewed CLI patches (HOTP..)
Cgit:
http://fedorapeople.org/cgit/pvoborni/public_git/freeipa.git/log/?h=otp
https://fedorahosted.org/freeipa/ticket/3369
patch 540-1 has been updated
- QR code is centered
- QR code correction level was lowered from H to M
All other current patches from sub-threads are attached as well (it was
getting hard to keep track of them).
Attaching new version of patch 537: 537-4
It:
* adds HOTP support - new switch in adder dialog and ipatokenhotpcounter
field in details facet
* removes 'default' radio button in adder dialog in ipatokenotpalgorithm
and ipatokenotpdigits field
Btw I've encountered an issue on Web UI login when:
- user is created
- token is created for him
- admin resets user's password and changes auth type to 'otp'
- user tries to login with psw+otp
The initial login-password call is successful but subsequent change
password fails - it uses the old psw+otp.
I'll address this issue in https://fedorahosted.org/freeipa/ticket/3903
which is almost implemented.
I also plan to hide fields without any value in otp token details page
in self-service mode. This will be done after #3903 because some
prerequisites for #3903 add useful code for that task.
New version of 537 attached: 537-5
It removes token type switch from selfservice page. Therefore default
token type (totp) will be always created.
Originated from:
http://www.redhat.com/archives/freeipa-devel/2014-February/msg00532.html
I'm not sure I understand the rationale for this (after having read the
other email thread). But I agree we should discuss which options should
be available on the self-service page.
Just to recap the situation:
1. Only token name / description are provided in the self-service UI
2. All options are provided on the CLI
I think the main question is: who should get to choose the primary token
type in FreeIPA? There are three possibilities:
1. FreeIPA developers
2. Admins
3. Users
The case for #1 is that we can't guarantee timely replication of the
counter attribute. On this basis, we choose TOTP as default because of
structural limitations. This is currently the default.
I don't see much use for #3. But I can see an argument for #2.
Personally, I lean toward #1. Thoughts?
Nathaniel
Sorry, there is no real reason to not have HOTP there, and therefore
537-5 is wrong and 537-4 is OK.
Rationale of the mistake:
* self-service page has to be simple so it doesn't allow to add hw tokens
* My thoughts were fixed to the idea that HOTP has to be hw token -
maybe the H confused me.
--
Petr Vobornik
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
