
Add MFA support for LDAP auth provider

Open Luzifer opened this issue 6 years ago • 2 comments

As a system administrator using LDAP as an auth backend for nginx-sso I want to be able to configure MFA inside the LDAP backend.

Acceptance criteria:

  • It should be possible to have users with and without MFA configured
  • Configuration must be fully done (except field name being specified in config) in the backend

Luzifer Dec 24 '18 09:12 Luzifer

Currently kind of a blocker: I've no idea how to properly store the MFA configuration into LDAP. The configuration I need is in the following format:

provider: google
attributes:
  secret: MZXW6YTBOIFA

The attributes are flexible and are changing from provider to provider. They also might get more than one. (For example in the future 8-digit codes could be supported for Google Authenticator)

One possibility I can see is to store a JSON object into one key of the LDAP which is kind of ugly:

mfa: {"provider":"google","attributes":{"secret":"MZXW6YTBOIFA"}}

Ideally the solution would also work out for #23, which has the limitation that Crowd only supports a string:string mapping in its user-bound attributes. So for this the JSON solution is the only thing I currently can imagine.

Another solution (also quite ugly but maybe better than JSON) could be a URI-kind notation:
google?secret=MZXW6YTBOIFA / yubikey?device=ccccccfcvuul

Maybe @Xaroth or @joltcan have any suggestion how to store this kind of information?

Luzifer Dec 24 '18 09:12 Luzifer
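Both encodings Luzifer sketches above (a JSON object in one attribute, or a compact `provider?key=value` string) can be read by the same small normaliser. The following is an added example in Go, nginx-sso's own language, and is not the project's code: it assumes the attribute value arrives as a single string from the LDAP (or Crowd) lookup, leaves the attribute name to the config as the issue requires, and treats an empty value as "no MFA configured" so users with and without MFA can coexist. The provider names and the secret/device values are the ones from the issue text; the charset restriction on provider names is my own choice.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// MFAConfig is the shape the issue asks for: a provider name plus a flat,
// provider-specific string:string attribute map (the Crowd limitation from #23).
type MFAConfig struct {
	Provider   string            `json:"provider"`
	Attributes map[string]string `json:"attributes"`
}

// ErrNoMFA signals a user whose attribute is absent or empty, i.e. MFA not configured.
var ErrNoMFA = errors.New("mfa: no configuration stored for user")

// Provider names are kept to a conservative charset (an assumption, not from the
// issue) so a stray value cannot be confused with the other encoding.
var providerRe = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*$`)

// ParseMFAAttribute accepts a single attribute value in either encoding floated
// in the issue and normalises it:
//   JSON: {"provider":"google","attributes":{"secret":"MZXW6YTBOIFA"}}
//   URI:  google?secret=MZXW6YTBOIFA
// An empty value yields ErrNoMFA rather than a parse error.
func ParseMFAAttribute(raw string) (*MFAConfig, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return nil, ErrNoMFA
	}
	var cfg *MFAConfig
	var err error
	if strings.HasPrefix(raw, "{") {
		cfg, err = parseJSON(raw)
	} else {
		cfg, err = parseURI(raw)
	}
	if err != nil {
		return nil, err
	}
	if !providerRe.MatchString(cfg.Provider) {
		return nil, fmt.Errorf("mfa: invalid provider name %q", cfg.Provider)
	}
	if cfg.Attributes == nil {
		cfg.Attributes = map[string]string{}
	}
	return cfg, nil
}

func parseJSON(raw string) (*MFAConfig, error) {
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields() // a mistyped key must fail loudly, not silently drop a factor
	var cfg MFAConfig
	if err := dec.Decode(&cfg); err != nil {
		return nil, fmt.Errorf("mfa: bad JSON: %w", err)
	}
	return &cfg, nil
}

func parseURI(raw string) (*MFAConfig, error) {
	provider, query, _ := strings.Cut(raw, "?") // "yubikey" alone is a provider with no attributes
	values, err := url.ParseQuery(query)
	if err != nil {
		return nil, fmt.Errorf("mfa: bad URI query: %w", err)
	}
	attrs := make(map[string]string, len(values))
	for k, v := range values {
		if len(v) != 1 { // string:string only; a repeated key is ambiguous, so reject it
			return nil, fmt.Errorf("mfa: attribute %q given %d times", k, len(v))
		}
		attrs[k] = v[0]
	}
	return &MFAConfig{Provider: provider, Attributes: attrs}, nil
}

// EncodeURI renders a config in the compact form; url.Values.Encode sorts keys,
// so the same config always produces the same attribute value (useful in LDIF diffs).
func EncodeURI(cfg *MFAConfig) string {
	q := url.Values{}
	for k, v := range cfg.Attributes {
		q.Set(k, v)
	}
	if encoded := q.Encode(); encoded != "" {
		return cfg.Provider + "?" + encoded
	}
	return cfg.Provider
}

func main() {
	// Constructed sample values taken from the issue text.
	for _, v := range []string{
		`{"provider":"google","attributes":{"secret":"MZXW6YTBOIFA"}}`,
		"yubikey?device=ccccccfcvuul",
		"",
	} {
		cfg, err := ParseMFAAttribute(v)
		if err != nil {
			fmt.Printf("%q -> %v\n", v, err)
			continue
		}
		fmt.Printf("%q -> provider=%s attrs=%v uri=%s\n", v, cfg.Provider, cfg.Attributes, EncodeURI(cfg))
	}
}
```

Whichever encoding is chosen, the caller should treat `ErrNoMFA` as "password-only login allowed for this user" and every other error as a hard failure: a malformed attribute on an account that was meant to have MFA must not silently degrade to single-factor.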

I would vote for JSON given the options for readability. Is modifying the LDAP schema something you want to avoid, as that's one cleaner one I could think of?

Tigger2014 Dec 26 '18 16:12 Tigger2014

Would it be possible to store this data within nginx-sso?

Modifying the LDAP schema should be avoided if possible. If it is unavoidable, the field must be secured to be only readable by the user and admins; otherwise any authenticated user could read the data.

elvarb May 08 '19 10:05 elvarb
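The restriction elvarb asks for, the attribute readable only by the user themself and by admins, is an access-control rule rather than a schema change. The following is an added example for OpenLDAP's cn=config (olcAccess) and is not from the issue or the project; the attribute name `mfaConfig`, the `sso-admins` group and the `nginx-sso` service DN are assumptions, and the service DN is included because nginx-sso has to read the value with whatever identity it binds as.

```ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# Must come before any broader "to *" rule: the first matching "to" clause wins.
olcAccess: {0}to attrs=mfaConfig
  by self read
  by group.exact="cn=sso-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="cn=nginx-sso,ou=services,dc=example,dc=com" read
  by * none
```

Two checks worth running after applying it: an `ldapsearch` bound as an ordinary user for a different user's entry must return the entry without `mfaConfig`, and the user's own bind must not be able to modify the attribute (`by self read`, not `write`), since an attacker holding only the password could otherwise replace or strip the second factor.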