
Push via Telegram bot #3615

Open
gbtb opened this issue May 16, 2023 · 6 comments
Labels
Type: Feature request A change requested or proposed by a user which is not on the default roadmap

Comments

@gbtb

gbtb commented May 16, 2023

Hello 😀

I'm working on an integration project of privacyIDEA into my employer's VPN authentication workflow. Due to UX requirements and some limitations of our AD and Cisco setup, we decided on using push tokens in push_wait mode as the main option for doing 2FA. Our internal customer also requested another option for delivering push notifications: a Telegram bot. So I'm currently in the process of adding said functionality to privacyIDEA.

Roughly, here is what I plan to do:

  1. Add a new token type, Telegram push, adapting the existing code of the Push token. The registration workflow would stay the same, using a QR code. Asymmetric key generation is not feasible, so the user just scans and sends the QR code to a bot, and the bot saves the link between the user in the realm and that user's Telegram account id.
  2. The authentication workflow would be identical to a push token: PI sends a message to the user through the bot, with two buttons, accept and decline.
  3. Regarding the bot implementation, I picked the pyTelegramBotAPI library. It has a synchronous API, unlike more modern alternatives. It also supports webhooks as a method of delivering bot updates, which removes the need for a long-running background process that polls the Telegram API. It even has an example specifically for Flask, which I was able to run inside the privacyIDEA app without much hassle.

Would you be interested in accepting such an integration into the main repository, or should I develop it in our private fork?
If you're interested, I'm going to post updates and probably some questions as I move along. I would also much appreciate any additional advice you might have.

Thanks!

@gbtb gbtb added the Type: Feature request A change requested or proposed by a user which is not on the default roadmap label May 16, 2023
@github-actions

Thank you for filing an issue and sharing your observations or ideas. Please be sure to provide as much information as possible to help us to work on this issue.

@plettich
Member

Hi @gbtb
we had an issue once about adding Telegram: #364. It seems there is still some interest in this topic.
I tried the Telegram bot once, and after registering the phone (number) with the bot this seemed to work (a one-off communication would not work, I assume; that is why the issue was closed).
I hesitated to implement this because of the background job doing the polling.
It definitely sounds interesting.

@cornelinux
Member

In my understanding this is not possible in a sensible way: #364 (comment)

@gbtb
Author

gbtb commented May 17, 2023

> In my understanding this is not possible in a sensible way: #364 (comment)

I think the next comment, #364 (comment), in that issue actually clarifies things pretty well. I'm sure it can be done on the Telegram side, because we currently have a commercial 2FA solution which does push delivery via a private chat with a bot. The user has to initiate a dialog with the bot account once, to perform the registration of an account. Afterwards the bot is able to send you messages into this chat at will. Telegram bots support inline buttons below a message, so the user just clicks accept and gets connected to the VPN.
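The enrollment and accept/decline flow described in gbtb's plan and in the comment above, written out as an added example. This is not privacyIDEA's code and not the draft PR; it is a self-contained sketch of the bot side that a webhook endpoint would run. Everything named here is assumed: the bot username (taken from the t.me link gbtb quotes in this thread), the webhook secret, the user and realm names, the enrollment timeout and the in-memory store. The update and sendMessage shapes follow the Telegram Bot API; the HTTP call to api.telegram.org is left out, so the function returns the payload that would be sent. The two checks a practitioner will want are in the webhook handler: the `X-Telegram-Bot-Api-Secret-Token` header (the `secret_token` given to `setWebhook`) is verified before any update is trusted, and a button press is only honoured if it comes from the Telegram account enrolled for that user and the challenge has not been answered yet.

```python
import hmac
import secrets
import time

# Constructed values for the example; in a deployment these are settings.
BOT_USERNAME = "test_2fa_push_bot"        # assumed, from the link quoted in the thread
WEBHOOK_SECRET = "example-secret-token"   # the secret_token passed to setWebhook (assumed value)
ENROLL_TTL = 300                          # seconds a start code stays valid (assumed policy)


class TelegramPushStore:
    """In-memory state for one bot: pending enrollments, linked accounts, open challenges."""

    def __init__(self, now=time.time):
        self.now = now
        self.enroll_codes = {}   # start code -> (user, realm, expires_at)
        self.links = {}          # (user, realm) -> Telegram account id
        self.challenges = {}     # txid -> {"user": ..., "realm": ..., "result": None|"accept"|"decline"}

    # --- enrollment: QR code / deep link -> "/start <code>" message from the user ---
    def begin_enrollment(self, user, realm):
        """Return the t.me deep link to encode in the QR code. The code is single-use and expires."""
        code = secrets.token_urlsafe(48)   # 64 url-safe chars, the maximum Telegram allows for ?start=
        self.enroll_codes[code] = (user, realm, self.now() + ENROLL_TTL)
        return f"https://t.me/{BOT_USERNAME}?start={code}"

    # --- authentication: message with two inline buttons -> callback_query from the user ---
    def create_challenge(self, user, realm):
        """Return (txid, sendMessage payload). Raises KeyError if the user has no linked account."""
        chat_id = self.links[(user, realm)]
        txid = secrets.token_urlsafe(24)   # unguessable; callback_data must stay <= 64 bytes
        self.challenges[txid] = {"user": user, "realm": realm, "result": None}
        payload = {
            "chat_id": chat_id,
            "text": f"VPN login for {user}@{realm}: accept?",
            "reply_markup": {"inline_keyboard": [[
                {"text": "Accept", "callback_data": f"{txid}:accept"},
                {"text": "Decline", "callback_data": f"{txid}:decline"},
            ]]},
        }
        return txid, payload

    def result(self, txid):
        """None while the user has not answered, otherwise 'accept' or 'decline'."""
        return self.challenges[txid]["result"]

    # --- webhook entry point: everything Telegram POSTs to the bot URL lands here ---
    def handle_webhook(self, headers, update):
        """Process one Bot API update (already JSON-decoded). Returns a status string for logging."""
        # Telegram repeats the secret_token from setWebhook in this header. Without this check,
        # anyone who learns the webhook URL can POST a forged "accept" for an open challenge.
        sent = headers.get("X-Telegram-Bot-Api-Secret-Token", "")
        if not hmac.compare_digest(sent.encode(), WEBHOOK_SECRET.encode()):
            return "rejected: bad secret token"

        msg = update.get("message")
        if msg and msg.get("text", "").startswith("/start "):
            code = msg["text"].split(" ", 1)[1].strip()
            entry = self.enroll_codes.pop(code, None)       # pop: the code is single-use
            if entry is None or entry[2] < self.now():
                return "ignored: unknown or expired enrollment code"
            user, realm, _ = entry
            self.links[(user, realm)] = msg["from"]["id"]   # bind the Telegram account to the PI user
            return f"enrolled {user}@{realm}"

        cb = update.get("callback_query")
        if cb:
            txid, _, answer = cb.get("data", "").rpartition(":")
            ch = self.challenges.get(txid)
            if ch is None or answer not in ("accept", "decline"):
                return "ignored: unknown challenge"
            # Only the account enrolled for this user may answer, and only once.
            if cb["from"]["id"] != self.links.get((ch["user"], ch["realm"])):
                return "rejected: callback from a non-enrolled account"
            if ch["result"] is not None:
                return "ignored: already answered"
            ch["result"] = answer
            return f"{answer}: {txid}"

        return "ignored: unhandled update"


def demo():
    """Run the whole flow on constructed updates and return the recorded answer."""
    store = TelegramPushStore()
    link = store.begin_enrollment("alice", "corp")
    code = link.split("?start=")[1]
    ok = {"X-Telegram-Bot-Api-Secret-Token": WEBHOOK_SECRET}
    store.handle_webhook(ok, {"update_id": 1, "message": {
        "from": {"id": 424242}, "chat": {"id": 424242, "type": "private"}, "text": f"/start {code}"}})
    txid, _payload = store.create_challenge("alice", "corp")
    store.handle_webhook(ok, {"update_id": 2, "callback_query": {
        "id": "1", "from": {"id": 424242}, "data": f"{txid}:accept"}})
    return store.result(txid)
```

With webhooks, as proposed, there is no polling job, but the endpoint is then reachable by anyone, which is why the secret-token check comes before any other handling. The `txid` in `callback_data` is what ties a button press to one login attempt, so it must be unguessable and single-use; the enrolled account id, not anything inside the update, decides whose answer counts.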

@gbtb gbtb mentioned this issue May 23, 2023
@gbtb
Author

gbtb commented May 23, 2023

Hello again 👋
I opened a draft PR with the Telegram Push implementation. My initial plan was surprisingly on point: I took the push token code and refactored it until it worked 😄. I tested it in our VPN setup and it worked well.
So I want to kindly ask you guys to look at the code and tell me what else is required before it becomes good enough to be accepted.

Also, I want to ask you about one particular problem I can't figure out how to fix. I want to add a nav link alongside the QR code (as Push does), but the href gets mangled for some reason, like this: unsafe:https://t.me/test_2fa_push_bot?start=SXLHUdB0EwFBM0orpf7H-5Piksr81QGEascmf_00HLuUVuhRv0jBM_Arp-jWDH_J.

@plettich
Member

We disable all links to unknown sources here:

$compileProvider.aHrefSanitizationTrustedUrlList(url_re);

This is to avoid XSS attacks:
https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationTrustedUrlList
We need to think about trusting all t.me URLs...
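The sanitization rule behind the `unsafe:` prefix, as an added example that is neither privacyIDEA's web UI code nor AngularJS itself. AngularJS tests each `href` against the regex given to `aHrefSanitizationTrustedUrlList` and, when it does not match, rewrites the attribute to `unsafe:` followed by the original URL; `String.match` in JavaScript has search semantics, so the pattern's own anchors decide what "matches" means. The function below reproduces that decision in Python (skipping Angular's URL normalisation, so it takes absolute hrefs) to show the difference between a loose and a tight way of trusting the bot link. privacyIDEA's actual `url_re` is not quoted in the thread, so `PI_ONLY` stands in for a list that trusts only the app's own origin; the host `pi.example` and the bot name are assumed.

```python
import re

def sanitize_href(href, trusted):
    """Mirror AngularJS: a non-empty href that does not match the trusted list gets 'unsafe:' prepended."""
    if href and not trusted.search(href):   # re.search == JS String.match semantics
        return "unsafe:" + href
    return href

# Constructed patterns (assumed; the project's real url_re is not shown in the thread).
# Stand-in for a trusted list that only allows the privacyIDEA origin itself.
PI_ONLY = re.compile(r"^\s*https://pi\.example/")

# Loose extension: anything that merely contains "t.me" is trusted. Because the pattern is
# unanchored, look-alike hosts and even javascript: URLs pass.
LOOSE = re.compile(r"t\.me")

# Tight extension: the app origin, or exactly the bot deep link used for enrollment
# (bot name assumed from the thread; Telegram's ?start= payload is 1-64 url-safe characters).
BOT_USERNAME = "test_2fa_push_bot"
TIGHT = re.compile(
    r"^\s*https://pi\.example/"
    r"|^\s*https://t\.me/" + re.escape(BOT_USERNAME) + r"\?start=[A-Za-z0-9_-]{1,64}$"
)

# Constructed hrefs: the real enrollment link, two look-alikes an attacker could inject
# into a rendered attribute, and a same-origin link that must keep working.
SAMPLES = [
    "https://t.me/test_2fa_push_bot?start=SXLHUdB0EwFBM0orpf7H-5Piksr81QGEascmf_00HLuUVuhRv0jBM_Arp-jWDH_J",
    "https://t.me.evil.example/test_2fa_push_bot?start=abc",
    "javascript:alert(1)//t.me",
    "https://pi.example/token/",
]

def classify(trusted):
    """Return {href: 'trusted' | 'unsafe'} for the sample hrefs under one trusted list."""
    return {h: ("unsafe" if sanitize_href(h, trusted).startswith("unsafe:") else "trusted")
            for h in SAMPLES}
```

Under `LOOSE`, the look-alike host and the `javascript:` URL are both trusted and the same-origin link is not; under `TIGHT`, only the genuine deep link and the app's own links survive. Whatever regex the project settles on, it should be anchored at the start and end and bind `t.me/` to the bot name rather than trusting the whole t.me domain.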
