On 12/04/2021 15:50, Rob Vesse wrote:
> Han
> The general approach to this kind of complex sign-on scenario would be to use
> an external authentication service/protocol, e.g. OAuth2/OpenID Connect, which
> handles the multi-factor authentication, and then configure your application's
> authentication layer to just validate the JSON Web Tokens (JWTs) that assert a
> user's identity.
> Shiro out of the box does not have OAuth2 integration; this tutorial post -
> https://dzone.com/articles/how-to-use-apache-shiro-and-oauth-20-to-build-a-se -
> looks like a possible approach and refers to
> https://github.com/oktadeveloper/okta-shiro-plugin as a plugin to provide this
> capability.
> So my recommendation would be to provide your own separate OAuth2-compliant
> authentication server (try JBoss Keycloak if you're looking for an OSS
> solution) and then add validation of its tokens into your Fuseki setup.
> Rob
1/
A way to interface to an external authentication service is to use a
reverse proxy (RP) and have Fuseki only talk to the proxy. Then the RP
is the user access point and can be any web server (Apache httpd, nginx,
...), which may give you a wider range of auth solutions.
2/
Fuseki accepts a Jetty XML configuration file to build the server, so
that's another approach.
Andy
> On 12/04/2021, 14:26, "Kruiger, J.F. (Han)" <han.krui...@tno.nl.INVALID> wrote:
> > Hi there,
> > I'm looking for a solution to have multi-factor authentication (MFA) in
> > Fuseki.
> > I'm pretty sure this lies outside of the scope of Apache Jena, but perhaps
> > Fuseki's UI should be able to be compatible with it at some point in the future.
> > I have found a potential solution to get multi-factor authentication to
> > work in Shiro:
> > http://shiro-user.582556.n2.nabble.com/MFA-Possible-Solution-td7581444.html
> > TL;DR: they use 2 Shiro realms, and a login can only succeed if both realms
> > allow it.
> > However, if we were to keep using Fuseki's UI, this will break, since it
> > only asks for a username and password.
> > Is there a (not too hacky) way to customize Fuseki's UI so that it can ask
> > the user for more authentication details? And perhaps to add pages for user
> > registration with one-time passwords to set up the MFA.
> > What are your thoughts on this? Any suggestion is welcome.
> > Best,
> > Han