Mature authentication offering #304

Closed
jrozner opened this issue Apr 27, 2021 · 2 comments
Labels: enhancement (New feature or request), triage (Issue needs triage)

Comments

jrozner commented Apr 27, 2021

This is more of a tracking issue for a series of features around building out and maturing the authentication capabilities of ashirt. This is meant to ask and answer questions so that we can move toward creating the set of individual features that we'll end up actually building. This issue does not mean that all of the below features have the same priority or that we need to build all of them but they are at least worth discussing and coming up with a plan for if and when they will be built.

Currently ashirt supports local auth and okta which meets our needs internally and likely the needs of some potential users. In general we're missing integration with some other common single sign on options and new/upcoming mfa options that we are likely to see others desiring to use. This will split into two categories: authN and mfa options.

AuthN

  • Generic OIDC2 (can okta share this?)
  • SAML
  • webauthn

MFA

  • u2f/FIDO2
@jrozner jrozner added enhancement New feature or request triage Issue needs triage labels Apr 27, 2021
@jrozner jrozner added this to the Maturity of authentication milestone Apr 27, 2021
JoelAtDeluxe (Collaborator) commented:

Generic OIDC:

  • Back end
    It looks like Okta is at least 90% compatible with Google and Discord. Making Okta work with these two might be easy enough. At a glance, it looks like we need to change how the token exchange works slightly (it looks like google and discord expect the client id and secret provided as query parameters. Okta, at least previously, expected these as basic authentication), and we should expand the number of configurations we need -- specifically we need the authorization url and token url.
  • Front end
    This is a bit tricky. I think we should be able to abstract this enough to work with generic oidc providers, but we're likely to lose specific styling. So, if we wanted to use google oidc, we probably wouldn't have the google G next to the button. One possibility, if we really want this, would be to have named service integrations that are just fancy wrappers around generic OIDC.
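The token-exchange difference raised in the comment above (client credentials sent as request parameters versus HTTP Basic authentication) maps onto the two client authentication methods RFC 6749 section 2.3.1 defines for confidential clients, `client_secret_post` and `client_secret_basic`. The example below is added here and is not ashirt's code; it assumes a hypothetical `ProviderConfig` holding the per-provider authorization and token URLs the comment says should become configurable, and builds the code-for-token request either way. Credentials are always kept out of the request URL: the RFC requires parameters to travel in the request body, and a secret in the URL tends to end up in proxy and access logs, so the block includes a guard that checks for that.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// ClientAuthMethod selects how the confidential client authenticates at the
// token endpoint. Names follow RFC 6749 / the OIDC Discovery value
// token_endpoint_auth_methods_supported.
type ClientAuthMethod string

const (
	ClientSecretBasic ClientAuthMethod = "client_secret_basic" // Authorization: Basic header
	ClientSecretPost  ClientAuthMethod = "client_secret_post"  // client_id/client_secret in form body
)

// ProviderConfig is a hypothetical per-provider configuration (assumption, not
// ashirt's real config type). The two URLs are the ones the comment says
// need to become configurable for generic OIDC.
type ProviderConfig struct {
	AuthorizationURL string
	TokenURL         string
	ClientID         string
	ClientSecret     string
	AuthMethod       ClientAuthMethod
}

// NewTokenRequest builds the authorization-code exchange request. The code and
// redirect_uri always go in the form-encoded body; where the client
// credentials go depends on cfg.AuthMethod. They never go in the URL.
func NewTokenRequest(cfg ProviderConfig, code, redirectURI string) (*http.Request, error) {
	if cfg.ClientID == "" || cfg.ClientSecret == "" {
		return nil, fmt.Errorf("client id and secret are required")
	}
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI)

	switch cfg.AuthMethod {
	case ClientSecretPost:
		form.Set("client_id", cfg.ClientID)
		form.Set("client_secret", cfg.ClientSecret)
	case ClientSecretBasic:
		// credentials are attached as a header after the request is built
	default:
		return nil, fmt.Errorf("unsupported token endpoint auth method %q", cfg.AuthMethod)
	}

	req, err := http.NewRequest(http.MethodPost, cfg.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Accept", "application/json")
	if cfg.AuthMethod == ClientSecretBasic {
		// RFC 6749 section 2.3.1: id and secret are form-urlencoded before Basic encoding
		req.SetBasicAuth(url.QueryEscape(cfg.ClientID), url.QueryEscape(cfg.ClientSecret))
	}
	return req, nil
}

// SecretInURL reports whether the client secret ended up in the request URL,
// which would expose it to proxy and server access logs.
func SecretInURL(req *http.Request, secret string) bool {
	return strings.Contains(req.URL.String(), secret)
}

// RequestBody reads the form body back out for inspection (consumes req.Body).
func RequestBody(req *http.Request) (url.Values, error) {
	b, err := io.ReadAll(req.Body)
	if err != nil {
		return nil, err
	}
	return url.ParseQuery(string(b))
}

func main() {
	// Constructed sample values; the URLs are placeholders, not real endpoints.
	cfg := ProviderConfig{
		TokenURL:     "https://idp.example.test/oauth2/token",
		ClientID:     "ashirt-web",
		ClientSecret: "constructed-secret",
		AuthMethod:   ClientSecretBasic,
	}
	req, err := NewTokenRequest(cfg, "constructed-code", "https://app.example.test/auth/callback")
	if err != nil {
		panic(err)
	}
	body, _ := RequestBody(req)
	fmt.Println("Authorization header set:", req.Header.Get("Authorization") != "")
	fmt.Println("secret in body:", body.Get("client_secret") != "")
	fmt.Println("secret in URL:", SecretInURL(req, cfg.ClientSecret))
}
```

Switching a provider from one method to the other is then a configuration change rather than a code path per provider, which is the shape the "named integrations as wrappers around generic OIDC" idea in the comment implies.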

jrozner commented Feb 7, 2022

Generic OIDC2 implementation has been added (#358) and we've removed the original Okta specific version (#452). There doesn't seem to be any reason to implement SAML for federated auth at this point since we've implemented generic OIDC2. I'm going to close this issue and open a specific one for adding webauthn.
