
[Feature] Two-Factor Authentication for user-login #762

Closed
TheAnachronism opened this issue Apr 12, 2021 · 7 comments · Fixed by #1044

Comments

@TheAnachronism
Contributor

I know that currently there isn't much focus on user/collective management, but I think a small feature like TOTP two-factor authentication could be something small but still very useful.
Yes, a secure/long password helps, but account security should still be something of importance.

@eikek
Owner

eikek commented Apr 12, 2021

Hi, yes I agree. It is probably not too hard to add a TOTP - anything more than that I'd like to move to tools that are made for this, like authelia (which seems popular). There is also #489 where I wanted to address this. But I need to do some research first. It might be possible (with some fiddling I suspect, because docspell is not prepared for this) already to put something like authelia in front of docspell, but this is just a feeling :) never tried it myself.

@TheAnachronism
Contributor Author

Thanks for the quick answer.
Really hope something like this can be achieved.

Thx for the awesome tool!

@CoLuxe

CoLuxe commented Jul 2, 2021

What about security keys like the YubiKey with WebAuthn/FIDO2/U2F?

@eikek
Owner

eikek commented Jul 3, 2021

> What about security keys like the YubiKey with WebAuthn/FIDO2/U2F?

This sounds very useful, of course. Providing this directly from docspell is beyond the scope of this project. What I can imagine is to improve running behind an authentication provider like authelia, keycloak or other products that are made just for this and provide a variety of different authentication methods. I don't know all the details, if someone knows this or wants to do the research - please do and let me know :-) My current plan is to allow authentication via OpenID Connect. This should be compatible with many such tools, I'd think.

@TheAnachronism
Contributor Author

> What about security keys like the YubiKey with WebAuthn/FIDO2/U2F?
>
> This sounds very useful, of course. Providing this directly from docspell is beyond the scope of this project. What I can imagine is to improve running behind an authentication provider like authelia, keycloak or other products that are made just for this and provide a variety of different authentication methods. I don't know all the details, if someone knows this or wants to do the research - please do and let me know :-) My current plan is to allow authentication via OpenID Connect. This should be compatible with many such tools, I'd think.

About the authorization providers. I have a setup running keycloak and OAuth2proxy for that. Keycloak supports everything mentioned and it works quite well.
It's just weird having authentication for keycloak and then once more but weaker in Docspell...

@eikek
Owner

eikek commented Jul 3, 2021

> About the authorization providers. I have a setup running keycloak and OAuth2proxy for that. Keycloak supports everything mentioned and it works quite well.

Didn't know oauth2proxy - thanks! So you are using oauth2proxy together with keycloak as provider? And oauth2proxy also takes care of the redirects etc such that the application only needs to consume the JWT tokens?

> It's just weird having authentication for keycloak and then once more but weaker in Docspell...

Yes indeed! This is simply not working right now. Would keycloak for example allow passing a request header that docspell could trust? This would be easy to add. Docspell could map a trusted header value to accounts (of course, this means to know your network… docspell must not be exposed then and the header must be only provided by your idp). Adding authentication via OpenID Connect should then also work with keycloak, I guess? This is a bit more work.

@TheAnachronism
Contributor Author

Sorry for the late answer...

> So you are using oauth2proxy together with keycloak as provider?

Yes exactly. Although I'm using the auth_request module from nginx, which works with the oauth2proxy. There's more on that in their docs.

> Would keycloak for example allow to pass a request header that docspell could trust?

I'm not sure tbh.
I'm not very experienced in the entire web authentication stuff.

> Adding authentication via OpenID Connect should then also work with keycloak, I guess?

Keycloak has full OIDC support, so yes that would work.
