Multi step authentication #1
I'm fine with adding a new event here. Honestly, one of the biggest things we were unsure about is if we had enough events and if events were dispatched at logical places. I think it makes sense to have something after an authenticated token is created.
I am however not sure about "The authentication is not complete yet IS_AUTHENTICATED_FULLY == false". I've talked about this previously as well - so we may just agree to disagree on this :). I think it makes sense to think about 2fa as a level of assurance. In other words, using a username+password form would make a user LoA level 1. This means a user is already authenticated (i.e. `isGranted("IS_AUTHENTICATED_FULLY") === true`). However, if you enforce 2fa for the whole website you would add something like `{ pattern: "^/", roles: "LEVEL_OF_ASSURANCE_2" }` to your access control. Symfony/this bundle would then need to provide some sort of "authentication elevation classes" that can make a user LoA 2 by filling in a 2FA code. This would allow users to enforce 2FA for some parts of the website (e.g. the admin panel), but not require it on others (e.g. when that same admin user just wants to edit their own personal profile). It would also remove most of the issues this bundle needs to work around.
I'd say they are ;). A lot of things can be done with the current setup. The only thing that I see missing is this ability to influence the security token somehow before it becomes effective. But this is an entirely new feature, the old security system also couldn't do it.
I could imagine something similar to the "RequestEvent", which would allow a listener to return an alternative security token to be used (similar to the response of RequestEvent). I'll give it a shot and implement a proposal.
Regarding `IS_AUTHENTICATED_FULLY`, I'll put together some thoughts on this later.
@wouterj Regarding the event, how does this look to you? 5ad1640
@wouterj Regarding `IS_AUTHENTICATED_FULLY`: I understand `IS_AUTHENTICATED_FULLY` as the flag that tells "you can trust this identity". An account with 2fa should only be "authenticated fully" when they have passed 2fa. Until they've completed the 2fa authentication process, these clients have just claimed to be someone but not proven it. So that identity cannot be assumed trustworthy in any way and therefore `IS_AUTHENTICATED_FULLY` should evaluate false.
Also, I want this attribute to express "you can trust this identity now" in a system that has both users with 2fa enabled and users which have it disabled:
- `IS_AUTHENTICATED_FULLY` becomes true immediately after login.
- `IS_AUTHENTICATED_FULLY` must be false. Only when you complete 2fa does `IS_AUTHENTICATED_FULLY` become true.
So in both cases, the same attribute `IS_AUTHENTICATED_FULLY` can be used to check if you can trust that identity and you don't need to care about specifics of the account. Compared to that, in a "level of assurance" system, both kinds of users would have the same "trust level" right after login, even the 2fa-enabled user that hasn't completed 2fa yet. And once that user has completed 2fa, they have a higher trust level. So there's the issue, you don't have a single attribute to check if the identity is equally trustworthy. You'd always need to look at the user account, check if it requires 2fa and then use either level 2 or 3.
Nevertheless, I believe trust levels would be a great addition to the security system. I sometimes get the request from users who only want to protect certain paths with 2fa. So they actually want the user to be "trustworthy" already after login and want 2fa as an extra (effectively what trust levels are). This contradicts my concept of 2fa, because I'm saying "your identity is not trustworthy until you've completed 2fa".
Both concepts are pretty close together, so there must be a way to join them. Probably the best idea would be to remove the concept of `IS_AUTHENTICATED_FULLY` and come up with some mechanic to determine "you can trust this identity" which can be implemented/configured by the developer according to their needs.
Ah, thanks for clarifying the difference between LoA and 2FA. In our application, 2FA is something that is required for admins and not available for users (it's on our list to make it optional). So based on what you are saying, 2FA is something decided from a user perspective (a user may or may not want 2FA), while LoA is something enforced by the application (some paths require a specific LoA).
This makes sense to me now 👍
Interesting thought! So `AuthenticationTrustResolver#isFullFledged()` should actually do something like below if we're going to implement LoA.
Exactly, that could be the way to go. Should be `>=` btw ;)
Would that also fix https://github.com/scheb/symfony/pull/1/files#diff-d6ccb5922f9ccac25c0993a763c4e5b4R185 ?
I think a RememberMeToken should always be a low LoA. So at first sight, I think we no longer have to prevent remember-me cookies from being set if we require a higher LoA because of 2FA (e.g. remember me is LoA 1 and 2FA will be around LoA 3).
True. There wouldn't be a need to prevent the cookie being set. Restarting the session would start with a low trust level, so low the identity wouldn't be trusted. So the client would be forced to go through 2fa. It would no longer be possible to bypass 2fa with a remember-me cookie.
Independent of that I still believe the RememberMeServices needs some refactoring.
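The level-of-assurance check sketched in the last few comments (a `>=` comparison in the trust resolver, remember-me tokens at the lowest level, per-account 2FA requirements), written out as an added illustration; this is not code from this PR or from Symfony, and the class names, the numeric levels and the `/admin` rule are assumptions taken from the discussion:

```php
<?php
// Added illustration, not code from this PR or from Symfony. All names are hypothetical;
// the levels follow the discussion: password and remember-me are LoA 1, completed 2FA is LoA 3.
declare(strict_types=1);

const LOA_REMEMBER_ME = 1;
const LOA_PASSWORD    = 1;
const LOA_TWO_FACTOR  = 3;

final class User
{
    public function __construct(public string $name, public bool $requires2fa) {}
}

final class Token
{
    public function __construct(public User $user, public int $loa) {}
}

// Path rules in the spirit of { pattern: "^/admin", roles: "LEVEL_OF_ASSURANCE_2" }; first match wins.
const ACCESS_RULES = ['#^/admin#' => 2, '#^/#' => 1];

function requiredLoaForPath(string $path): int
{
    foreach (ACCESS_RULES as $pattern => $loa) {
        if (preg_match($pattern, $path) === 1) {
            return $loa;
        }
    }
    return 1;
}

// What a LoA-aware isFullFledged() could do: the token's level must reach both the path's
// requirement and the account's own requirement (2FA-enabled accounts need LOA_TWO_FACTOR),
// so a 2FA account is not trusted after password login alone, while a non-2FA account is.
function isTrusted(Token $token, string $path): bool
{
    $accountLoa = $token->user->requires2fa ? LOA_TWO_FACTOR : LOA_PASSWORD;
    $required   = max(requiredLoaForPath($path), $accountLoa);
    return $token->loa >= $required; // ">=", not "==": a higher level satisfies a lower rule
}

$admin = new User('admin', true);
$alice = new User('alice', false);

var_dump(isTrusted(new Token($alice, LOA_PASSWORD), '/profile'));  // account without 2FA, password login
var_dump(isTrusted(new Token($admin, LOA_PASSWORD), '/profile'));  // 2FA account, 2FA step not completed
var_dump(isTrusted(new Token($admin, LOA_REMEMBER_ME), '/admin')); // remember-me session on a 2FA account
var_dump(isTrusted(new Token($admin, LOA_TWO_FACTOR), '/admin'));  // 2FA completed
```

The third case is the remember-me point above: a restored session starts at LoA 1, so the cookie can be set freely and the client is still sent through 2FA before anything requiring a higher level is allowed.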
Oh 100% agreed. I think the second paragraph in that class (and where I also left a comment) still applies. I'm afraid BC will be quite a challenge.
Honestly, I think this whole remember me services needs some refactoring. Almost anything in this abstract class should be done in the authenticator instead (the `RememberMeToken` is now generated twice, to be able to support this legacy logic in the authenticator). So yes, I agree with deprecating this abstract class and making the sub-classes real functioning classes on their own (with probably a new interface). That probably requires new investigation to see the effects of this change and how it can be done in a BC way.
I've taken a shot at this in: symfony#40145