
How-to: Authenticate a user with two-factor authentication

Open jgrandja opened this issue 4 years ago • 12 comments

Publish a guide on How-to: Authenticate a user with two-factor authentication

Related gh-499

jgrandja, Dec 17 '21 16:12

@jgrandja Hello. I would like to work on this issue, but this is my first time contributing to an open-source project. Therefore, I need some guidance. Could you please give me more information about this issue?

HarunSMetin, Jan 26 '22 11:01

Thanks for your interest @HarunSMetin.

We're still early in writing the reference documentation and have a few things we need to iron out as far as the format goes. Our plan is to release the initial version in 0.3.0 and then will likely open things up to external contributions at that point.

jgrandja, Jan 26 '22 19:01

Hello, we are looking into supporting two-factor authentication; this guide would be of great help. Any ideas when this would be available? Thanks

schepuri-bisc, Apr 13 '22 18:04

Hi @schepuri-bisc, I'm glad you have interest in this topic. I do too. However, it's not at the top of the list at the moment, as it's not currently the most up-voted.

I built a sample some time ago that I will eventually use to build this how-to guide. Take a look at this branch. It is based on the mfa sample in spring-security-samples, and I added a nice UI to demonstrate some additional concepts. Hope it helps!

sjohnr, Apr 14 '22 15:04

@sjohnr This is great! The sample is a lot more useful than the how-to guide. Thank you for the quick response.

schepuri-bisc, Apr 14 '22 22:04

> Hi @schepuri-bisc, I'm glad you have interest in this topic. I do too. However, it's not at the top of the list at the moment, as it's not currently the most up-voted.
>
> I built a sample some time ago that I will eventually use to build this how-to guide. Take a look at this branch. It is based on the mfa sample in spring-security-samples, and I added a nice UI to demonstrate some additional concepts. Hope it helps!

When I followed the mfa sample, I was able to bypass mfa by simply closing the current tab and re-logging in from the client application. Can anyone else confirm this behavior, or am I missing something?

ramonmalcolm10, May 22 '23 09:05

> When I followed the mfa sample, I was able to bypass mfa by simply closing the current tab and re-logging in from the client application. Can anyone else confirm this behavior, or am I missing something?

Hi @ramonmalcolm10, thanks for your interest and trying out the sample! Yes, unfortunately the sample is incomplete and also on a very out-of-date branch.

The issue you mention is because this line simply requires any authenticated user (including a partially authenticated one). Once we get closer to finalizing a how-to guide for this, I will revisit the authorization config, but at a minimum the /oauth2/authorize endpoint needs to require hasRole("USER"). There could be other improvements as well, which is why this issue is still waiting to be tackled.

sjohnr, May 22 '23 15:05
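
The authorization rule described in the comment above, shown as an added example that is not code from the sample branch or from the project. It assumes Spring Security 6.2+ with Spring Authorization Server 1.x, that ROLE_USER is granted only once the second factor has succeeded, and that `/login` and `/second-factor` are the application's own pages (hypothetical paths).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class MfaAuthorizationServerConfig {

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain authorizationServerFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServer = new OAuth2AuthorizationServerConfigurer();
        // Matches only the protocol endpoints (/oauth2/authorize, /oauth2/token, ...).
        RequestMatcher endpoints = authorizationServer.getEndpointsMatcher();

        http
            .securityMatcher(endpoints)
            .with(authorizationServer, Customizer.withDefaults())
            .authorizeHttpRequests(authorize -> authorize
                // Weak rule from the thread: anyRequest().authenticated() on its own
                // accepts any Authentication in the session, including one that has
                // only passed the first factor.
                // Corrected rule: the authorization endpoint demands the authority
                // that (by assumption) is granted only after the second factor.
                .requestMatchers("/oauth2/authorize").hasRole("USER")
                .anyRequest().authenticated())
            .csrf(csrf -> csrf.ignoringRequestMatchers(endpoints))
            .exceptionHandling(exceptions -> exceptions
                // No session at all: start with the first factor.
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
                // Authenticated but lacking ROLE_USER (first factor only): send the
                // browser to the second-factor page instead of answering 403.
                .accessDeniedHandler((request, response, denied) ->
                    response.sendRedirect(request.getContextPath() + "/second-factor")));

        return http.build();
    }
}
```

With this rule a session left in the first-factor-only state cannot obtain an authorization code when the client restarts the flow; whether the redirect target fits depends on how the application models its second-factor step.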

Any timeline on this? This feature is critical for me.

ramonmalcolm10, Jun 30 '23 09:06

I tried to make a working system, based on the Steve Riesenberg code. The code works but is not quite right yet. Can anyone give me advice on getting everything right? Github: https://github.com/wdkeyser02/SpringMfaAuthorizationServer/tree/main/SpringMFAAuthorizationServer01

wdkeyser02, Oct 08 '23 18:10

Can you try out the code to this video? https://www.youtube.com/watch?v=0dSgrhv2nrE&t=28s

Thanks.

wdkeyser02, Oct 19 '23 11:10