
OTP solution

Open jimmy2cv opened this issue 6 years ago • 3 comments

Hi all, I want to use the OTP (One Time Password) solution to secure my API. Is it possible to add this solution in the API connection by my mobile app? If I understand correctly, it is necessary to add an adapter. After the adapter is created, can you explain to me how it works and how we configure it? Thanks for your help, Jimmy JAUMOTTE

jimmy2cv avatar Jan 11 '20 17:01 jimmy2cv

Hi, ok so if we create a connection we usually wrap a library and the user can then configure the connection. In this case we could use a library like https://github.com/Spomky-Labs/otphp. But if I think about it, I am not really sure whether a connection is needed; you can also simply require the library with composer require spomky-labs/otphp in your project. Then you could create an endpoint which returns the QR-Code URI and another endpoint to verify the OTP.

chriskapp avatar Jan 12 '20 15:01 chriskapp
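
Added example, not part of the original thread and not Fusio code: a sketch of the logic behind the two endpoints suggested above (one returning the QR-code URI, one verifying the OTP), using the otphp TOTP class. The function names, the issuer string, the e-mail address and the idea of storing the last accepted time step per user are assumptions made for illustration.

```php
<?php
// Added example. Requires: composer require spomky-labs/otphp
require __DIR__ . '/vendor/autoload.php';

use OTPHP\TOTP;

// Enrolment endpoint logic (hypothetical helper): create a per-user secret
// and the otpauth:// URI that the authenticator app scans as a QR code.
// The caller stores 'secret' server-side for that user.
function otpEnroll(string $userEmail, string $issuer): array
{
    $totp = TOTP::create();          // random secret, library defaults
    $totp->setLabel($userEmail);
    $totp->setIssuer($issuer);

    return [
        'secret' => $totp->getSecret(),
        'uri'    => $totp->getProvisioningUri(),
    ];
}

// Verification endpoint logic (hypothetical helper). $lastStep is the time
// step of the last code this user presented successfully, or null. Returns
// the accepted step to persist, or null when the code is rejected.
function otpVerify(string $secret, string $code, ?int $lastStep): ?int
{
    if (!preg_match('/^\d{6}$/', $code)) {
        return null;                 // malformed input never reaches the library
    }
    $totp = TOTP::create($secret);
    $now  = time();
    $step = intdiv($now, $totp->getPeriod());

    if ($lastStep !== null && $step <= $lastStep) {
        return null;                 // a code for this period was already used
    }
    return $totp->verify($code, $now) ? $step : null;
}

// Constructed demo values: enrol, then present the same code twice.
$enrolled = otpEnroll('user@example.com', 'Example API');
$code     = TOTP::create($enrolled['secret'])->now();
$first    = otpVerify($enrolled['secret'], $code, null);
$second   = otpVerify($enrolled['secret'], $code, $first);
var_dump($enrolled['uri'], $first !== null, $second === null);
```

The second call is rejected because the time step was already consumed, which keeps a captured code from being reused within its validity period. The verify endpoint should also be rate-limited per user, since a 6-digit code has only one million possible values.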

Hi,

Sorry, I wasn't too clear in my explanation. The goal of my request is to add a second authentication solution. This OTP code can be generated by the Google OTP app.

I imagine this process:

=> The yellow elements can be optional if the administrator doesn't configure the OTP mechanism (for example, a flag in the file configuration.php).
=> Expiration time can also be defined in the config file.

The modifications in the database can be :

  • fusio_user : add a field OTP_secret to define the element to generate the code (using OTP_secret and user email)
  • fusio_OTP_device : user_id, device_id, date, expire

I will try to understand where and how I can add this subject in the current version.

Regards

Jimmy


jimmy2cv avatar Jan 13 '20 21:01 jimmy2cv

Ok, so for this you would need to change the default implementation since an adapter does not provide the fitting options. You can take a look at the repository here: https://github.com/apioo/fusio-impl

We already have a system to provide different login providers, i.e. Google or GitHub, see https://github.com/apioo/fusio-impl/blob/master/src/Provider/User/Github.php, but I think it will be difficult to use this for the OTP use case since it is focused on OAuth2.

chriskapp avatar Jan 14 '20 20:01 chriskapp