Backlog #4078

Two Step Authentication

Added by Ruben S. Montero over 5 years ago. Updated over 5 years ago.

Status: Pending
Start date: 10/23/2015
Priority: High
Due date:
Assignee: -
% Done: 0%

Category:Drivers - Auth
Target version:-

Description

This issue is to add the capability for OpenNebula to integrate with multi-step authentication methods. Usually this involves sending user identification to the driver and making the driver contact a service to request an auth token. This last step needs user interaction (e.g. the Google ID platform and the like).

History

#1 Updated by Carlo Daffara over 5 years ago

Totally second this. We are already looking into the Latch addon ( https://github.com/carlosms/opennebula-latch-addon ) to modify and use with U2F/FIDO authentication usb keys, so a more standardised way of working would be great.

#2 Updated by Boris Parak over 5 years ago

Ruben S. Montero wrote:

This issue is to add the capability for OpenNebula to integrate with multi-step authentication methods. Usually this involves sending user identification to the driver and making the driver contact a service to request an auth token. This last step needs user interaction (e.g. the Google ID platform and the like).

I agree; even a (more) generic mechanism where the driver responds with a redirect URL would be useful. This redirect URL would point the user to an external authentication service, and this service can implement an arbitrary authentication mechanism. After the authentication process has been completed, the user will get a token (opaque; its actual format or content is not important) and return to OpenNebula.

So, this redirect driver could be a special implementation of the 'default' driver. If nothing else succeeds, it will redirect the user. When the user returns, a different driver in the driver chain will succeed and let the user in.

What do you think?

#3 Updated by Ruben S. Montero over 5 years ago

Hi Boris

Yes, I think it makes sense. We could extend the current login token (OpenNebula oneuser login) to implement a two-step one: the first step will return the URI. The client goes to the target auth URL and authenticates; in the second step the result of the authentication (the opaque token) is sent to the driver to validate. Once validated, a full OpenNebula token (<user_name>:<token>) is generated and could be used for authZ. We need to think how to make this process happen from desktop usage (i.e. a kind of pinentry?) or Sunstone.

Cheers
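The redirect-driver idea from #2 and the two-step login token from #3 describe the same flow: step one hands the client a redirect URI, the user authenticates at the external service and comes back with an opaque token, and step two validates that token and mints a full OpenNebula-style <user_name>:<token>. The Ruby below is an added illustration of that flow, not OpenNebula's own auth driver code and not any real driver interface. The ExternalAuthService class is a constructed stand-in for the external provider, the HMAC-over-(user, nonce, expiry) token format is an assumption chosen so the driver can validate offline, and the TwoStepAuthDriver#authenticate signature is hypothetical. The security-relevant details it shows are the ones the thread leaves implicit: a per-attempt nonce so a token can only complete the attempt that started it, one-shot consumption of pending attempts so a token cannot be replayed, a constant-time MAC comparison, and an expiry check.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Constructed stand-in for the external authentication service (an OIDC, U2F or
# similar provider). It sends the user to an interactive login page and, once
# that succeeded, issues an opaque token. Token format is an assumption for this
# example: "user:nonce:expiry:hmac", base64-encoded, so the driver can verify it
# without a callback to the service.
class ExternalAuthService
  def initialize(secret)
    @secret = secret
  end

  # Redirect target for the interactive step. The nonce binds the login page to
  # one OpenNebula login attempt.
  def login_url(user, nonce)
    "https://auth.example.test/login?user=#{user}&nonce=#{nonce}"
  end

  # Issued after the (simulated) interactive authentication completed.
  def issue_token(user, nonce, ttl = 300)
    exp = Time.now.to_i + ttl
    payload = "#{user}:#{nonce}:#{exp}"
    mac = OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
    Base64.strict_encode64("#{payload}:#{mac}")
  end
end

# Hypothetical two-step driver. Step one (no token supplied) returns the redirect
# URI and records the nonce for the attempt. Step two validates the opaque token
# and returns a full OpenNebula-style token "<user_name>:<token>".
class TwoStepAuthDriver
  RedirectRequired = Struct.new(:uri)
  Authenticated    = Struct.new(:one_token)

  def initialize(service, secret)
    @service = service
    @secret  = secret
    @pending = {} # user -> nonce of the in-flight attempt (a real driver would persist this with a TTL)
  end

  def authenticate(user, opaque_token = nil)
    return step_one(user) if opaque_token.nil?
    step_two(user, opaque_token)
  end

  private

  def step_one(user)
    nonce = SecureRandom.hex(16)
    @pending[user] = nonce
    RedirectRequired.new(@service.login_url(user, nonce))
  end

  # Returns Authenticated on success, nil on any failure. Every check happens
  # before a token is minted; the pending attempt is consumed either way so a
  # captured token cannot be replayed against a later attempt.
  def step_two(user, opaque_token)
    nonce = @pending.delete(user)
    return nil if nonce.nil?

    begin
      decoded = Base64.strict_decode64(opaque_token)
    rescue ArgumentError
      return nil
    end

    t_user, t_nonce, t_exp, t_mac = decoded.split(':', 4)
    return nil if [t_user, t_nonce, t_exp, t_mac].any?(&:nil?)

    expected = OpenSSL::HMAC.hexdigest('SHA256', @secret, "#{t_user}:#{t_nonce}:#{t_exp}")
    return nil unless secure_equal(expected, t_mac)
    return nil unless t_user == user && t_nonce == nonce
    return nil if Time.now.to_i > t_exp.to_i

    Authenticated.new("#{user}:#{SecureRandom.hex(32)}")
  end

  # Constant-time comparison so MAC verification does not leak via timing.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Usage follows the thread's description: call authenticate(user) and send the client to the returned uri, then call authenticate(user, opaque_token) with what the client brings back. In a driver chain this class would sit where #2 places the redirect driver: it only answers with a redirect when no token is present, and a second call with the token is what lets the user in.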

#4 Updated by Ruben S. Montero over 5 years ago

  • Priority changed from Normal to High
  • Target version deleted (Release 5.0)
