Refactoring and iterating on GUA #4565

Open: wants to merge 262 commits into base: master

hsartoris-bard (Contributor) commented Dec 19, 2019

This is very much a work in progress, but I figured I'd put in a PR now in case it's a terrible idea to pursue.

Goals

  • Refactor multiphase authentication out of GUA; i.e., allow separate username and password entry generically. This would be helpful for situations where one wants to delegate authentication for some accounts (not collecting a password at all) or trigger MFA prior to password entry, among other possibilities.
    • I got through a lot of this process, although as of this PR it's incomplete. After establishing a functional baseline for a separate multiphase webflow, I'll refactor GUA to use it as a dependency.
  • Expand capabilities of GUA to include additional forms of image attribute resolution
  • Extend GUA functionality to optionally not explicitly have the user validate the image, but instead present it in-line on the main login page after the initial userid entry has taken place, a la Okta.
    • This is also implemented in the above POC, but it simply changes the GUA behavior globally, rather than allowing for configuration.

Full disclosure: I'm not by any means a Spring Boot developer, but I am pretty good at figuring things out, and I'm interested in sustaining CAS as an extensible and thus viable option in a world filled with hosted, 3rd-party auth services. I'm interested in thoughts both as to how I'm going about this, and whether or not it's a good idea.

apereocas-bot and others added 30 commits Dec 17, 2019
…e @ConditionalOnClass instead
…al action, which refers to new method on webutils
…, which was clearly a thing that needed to happen right now
hsartoris-bard (Contributor, Author) commented Jan 22, 2020

@mmoayyed Any thoughts thus far? I'd like to add a Groovy-based evaluation within what is currently StoreUserIdForAuthenticationAction, with the option to redirect the user based on the received event; however, this seems to replicate a fair bit of the webflow defined by cas-server-support-interrupt-webflow. As things stand, the interrupt webflow is quite incompatible with multiphase, as it expects a completed authentication event, so a lot of case-by-case evaluation would have to be added to that codebase to make it make sense to register multiphase with it.

I'm interested in what you think of that, as well as more general thoughts/desired changes around the work I've done so far.

apereocas-bot and others added 26 commits Jan 22, 2020
…phaseAuthenticationAction to ensure it doesn't override MFA webflows