
WIP: Support for multi-factor authentication through authenticator app #418

Open sam-glendenning opened this issue 3 years ago • 5 comments

Overview

This adds the option of enabling multi-factor authentication through an authenticator app on an IAM account. This is designed to be flexible so that the user can enable or disable it at their will. The additional verification step kicks in after username and password authentication has taken place. At this stage, the user is "pre-authenticated" - they still cannot access the rest of the application. They are redirected to a verification page, whereby they enter a TOTP or a recovery code to be granted full authentication.

Documentation

Screenshots

Verify page (screenshot)

Multi-factor settings button (screenshot)

Multi-factor settings menu (screenshot)

Enabling multi-factor via a QR code and authenticator app (screenshot)

Display of recovery codes (screenshot)

sam-glendenning avatar Nov 19 '21 17:11 sam-glendenning

@enricovianello based on the time I have left, I'm going to mark this as Ready for review now. This will allow us to move my work from my IAM fork into the IAM repo proper. I think we should make a new branch on the IAM repo and change the base branch of this PR to that new branch.

Here's some preliminary info about where I'm at:

  1. I have commented as much code as I can and fixed any failing tests that relate to MFA.
  2. Current failing tests are few and seem to relate to OAuth functionality. I didn't directly touch these files during development but they are failing due to the introduction of the ExtendedAuthenticationToken replacing UsernamePasswordAuthenticationToken as the default authentication object.
  3. Not all of the MFA work I have done has been fully tested. The existing tests cover everything besides the integration of MFA into the OAuth2 login process.

Tomorrow, I will endeavour to finish off any remaining documentation and send it to you and Francesco. I will also add links to it in this PR and will include a wider amount of information relating to all the features that have been tackled and what is remaining.

EDIT: there is one final test in one of my controllers that is still failing. If I have time tomorrow, I'll look at it but it's not a big task.

sam-glendenning avatar Mar 10 '22 17:03 sam-glendenning

Feature list as of 11/03/2022

Implemented

  • Authenticator app working for local IAM authentication only
  • Multi-factor settings menu on dashboard
  • OAuth2 integration with IAM clients
  • Additional information passed to IAM clients in the form of an amr claim in the OAuth2 id_token (see RFC 8176)
  • Recovery codes as backup to TOTP

Not yet implemented

  • Integration with external identity providers
  • Encryption and decryption of MFA secrets and recovery codes
  • Support for MFA customisation by IAM admins (includes enable and disable feature, right now MFA is enabled permanently)
  • Optional: Support for hardware token as another factor of authentication, e.g. YubiKey

sam-glendenning avatar Mar 11 '22 15:03 sam-glendenning
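The pre-authenticated step from the PR overview (password accepted, TOTP or recovery code still required) together with the amr claim from the feature list (RFC 8176), as an added stand-alone Python example. It is not IAM's code: IAM is a Spring application and the ExtendedAuthenticationToken mentioned above is not modelled; the class name PreAuthenticatedSession, the SHA-256 hashing of recovery codes, the replay guard and the amr values emitted per factor are assumptions of the example.

```python
import hashlib, hmac, struct

TOTP_STEP = 30     # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def hash_recovery_code(code: str) -> str:
    """Recovery codes are stored hashed so a database read does not expose them (assumption)."""
    return hashlib.sha256(code.encode()).hexdigest()

class PreAuthenticatedSession:
    """Password verified, second factor pending: the PR's 'pre-authenticated' state (assumed name)."""
    def __init__(self, subject: str, totp_secret: bytes, recovery_codes: list[str]):
        self.subject = subject
        self.totp_secret = totp_secret
        self.recovery_hashes = {hash_recovery_code(c) for c in recovery_codes}
        self.last_totp_counter = -1   # replay guard: each TOTP step is accepted once
        self.amr = ["pwd"]            # RFC 8176 values; the second factor appends to it
        self.fully_authenticated = False

    def verify(self, code: str, now: int, window: int = 1) -> bool:
        """Accept a TOTP (RFC 6238: counter = now // step, +/- window) or an unused recovery code."""
        step = now // TOTP_STEP
        for counter in range(step - window, step + window + 1):
            if counter > self.last_totp_counter and hmac.compare_digest(
                    hotp(self.totp_secret, counter), code):
                self.last_totp_counter = counter
                return self._grant(["otp", "mfa"])
        digest = hash_recovery_code(code)
        if digest in self.recovery_hashes:
            self.recovery_hashes.discard(digest)   # single use: burn the code
            return self._grant(["mfa"])            # assumed value; the PR does not say
        return False

    def _grant(self, factors: list[str]) -> bool:
        self.amr += factors
        self.fully_authenticated = True
        return True

    def id_token_claims(self) -> dict:
        # Only a fully authenticated session may mint the claims sent to OAuth2 clients
        if not self.fully_authenticated:
            raise PermissionError("second factor not yet verified")
        return {"sub": self.subject, "amr": self.amr}
```

The first three checks in the test below are the RFC 6238 SHA-1 test vectors truncated to six digits; the replay check relies on the same secret's RFC 4226 vectors for neighbouring counters.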

Thanks, Sam, for your nice work and all the best for your next challenge.

giacomini avatar Mar 11 '22 15:03 giacomini

> Thanks, Sam, for your nice work and all the best for your next challenge.

Thanks Francesco, just working on one final document to add to this PR and then I'll forward all the documentation in an email to you and Enrico when I'm done.

sam-glendenning avatar Mar 11 '22 15:03 sam-glendenning

Superseded by #662

rmiccoli avatar Feb 08 '24 15:02 rmiccoli