Integrate Two-Factor Authentication Into Security Layer #73
Comments
There is an experimental "proof-of-concept" implementation in branch firewall-integration. In the following I'll describe what I did and where the problems are. Hopefully someone can point me in the right direction. Two-factor authentication becomes a real authentication provider, which has to be enabled in the firewall configuration. On login, the authenticated token (e.g. a
In the latest implementation there is a compiler pass to decorate all authentication providers with some logic to wrap the security token. When an authentication provider returns a token which requires two-factor authentication, the decorator wraps the original token with a The Although there is a The user enters the authentication code and submits the form. TwoFactorListener checks the code. If the code is correct, the authenticated token is unwrapped from the
@stof Since you already commented on the firewall issue, do you have an idea how to solve that? Or can you point me to someone who could? Thanks!
Hello @scheb, I would like to help you with the problem. At the moment I don't understand how to reproduce the problem in unit tests. Maybe we can work together on a solution.
@sebastianblum I'm not sure which problem you mean. The problem with the master request (issues #70 & #71) cannot be reproduced with unit tests, because it only appears when the bundle interacts with the security layer in a real working environment. This issue here is about integrating the bundle into Symfony's security layer. As a proof-of-concept I've put together an implementation, which can be seen in that firewall-integration branch. None of that integration has tests yet; it's just quickly put together to see if it would work at all. So you cannot test anything of that new implementation through tests, yet. Although the current implementation would work, I'm not sure about certain solutions, especially the way the token is wrapped. So some advice from a security-component expert would be really helpful.
Update:
This is no longer the case. In the latest implementation there is a compiler pass to decorate all authentication providers with some logic to wrap the security token. Best solution so far. |
Hello, since you want to create a firewall "type", I guess you will keep the login form and add the "two-factor" form for Google, email, SMS and so on. It could also be merged into one form, which I think is a very bad idea. If we stick with the first plan, what role would the user have on the second form? To be honest, I think it's time for a new role :D
The user would only have Adding a new role like
I understand your point of view. I'll explain my expected usage: One solution that would be viable is to consider "IS_AUTHENTICATED_FULLY" like "IS_AUTHENTICATED_REMEMBERED" and create a more trusted status like "IS_MULTIPLE_FACTOR_AUTHENTICATED". I believe this is not easy. Anyway, I wanted to share this situation with you in order to build a strong vision of what you want to achieve. I think it might require some change in the security component; I don't know if it is very open to such improvement. I'll try to help as much as possible.
@SulivanDotEu I understand what you want, but I think your solution is too complicated. Two-factor authentication (in the case of Google Authenticator) is enabled if a secret is stored in the user object. So you can have both users with and without two-factor authentication. Issue #13 is a proposal that two-factor authentication can be configured on individual firewalls, and that should solve your problem. You need two firewalls like main and admin, and only for the admin firewall you enable two-factor authentication.
@sebastianblum It's complicated, I agree. But that kind of solution would allow developers to configure the access_control like this: As you mention, I use "secret is empty or not" to activate it for specific users.
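The mechanism sketched in scheb's update (a decorator around every authentication provider that wraps the token until the second factor is verified) and the role question raised by @SulivanDotEu, shown together as an added example in plain PHP 8. This is not code from the bundle or from any commenter: the classes Token, User, AuthenticatedToken, TwoFactorToken, PasswordProvider, TwoFactorProviderDecorator and TwoFactorListener are hypothetical stand-ins for the Symfony security classes the bundle would decorate, the role name IS_AUTHENTICATED_2FA_IN_PROGRESS is chosen here for illustration, and the user data and secret are constructed (the secret is the RFC 6238 test-vector secret, so the code for time 59 is a known value). The TOTP check is a real RFC 6238 implementation rather than a stub.

```php
<?php
// Added example (not the bundle's code): model of "wrap the token until the
// second factor is verified". All class names below are hypothetical.
declare(strict_types=1);

final class User {
    public function __construct(
        public string $name,
        public array $roles,
        public ?string $totpSecret = null, // base32; null means 2FA is not enabled
    ) {}
}

interface Token {
    public function getUser(): User;
    public function getRoles(): array;
}

final class AuthenticatedToken implements Token {
    public function __construct(private User $user) {}
    public function getUser(): User { return $this->user; }
    public function getRoles(): array { return $this->user->roles; }
}

// Wrapper token: hides the real roles, so access_control rules that require
// ROLE_* or IS_AUTHENTICATED_FULLY keep denying until the code is verified.
final class TwoFactorToken implements Token {
    public function __construct(private Token $inner) {}
    public function getUser(): User { return $this->inner->getUser(); }
    public function getRoles(): array { return ['IS_AUTHENTICATED_2FA_IN_PROGRESS']; }
    public function getAuthenticatedToken(): Token { return $this->inner; }
}

interface AuthenticationProvider { public function authenticate(User $u): Token; }

// Stand-in for a normal provider; the password check is assumed done upstream.
final class PasswordProvider implements AuthenticationProvider {
    public function authenticate(User $u): Token { return new AuthenticatedToken($u); }
}

// What the compiler pass would wrap around every registered provider:
// users without a secret pass through untouched, users with one get wrapped.
final class TwoFactorProviderDecorator implements AuthenticationProvider {
    public function __construct(private AuthenticationProvider $decorated) {}
    public function authenticate(User $u): Token {
        $token = $this->decorated->authenticate($u);
        return $u->totpSecret === null ? $token : new TwoFactorToken($token);
    }
}

function base32Decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $i = strpos($alphabet, $c);
        if ($i === false) { throw new InvalidArgumentException("bad base32 char $c"); }
        $bits .= str_pad(decbin($i), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }
    }
    return $out;
}

// RFC 6238 TOTP: HMAC-SHA1 over the 64-bit big-endian time step, dynamic truncation.
function totp(string $base32Secret, int $unixTime, int $step = 30, int $digits = 6): string {
    $counter = pack('J', intdiv($unixTime, $step));
    $hmac = hash_hmac('sha1', $counter, base32Decode($base32Secret), true);
    $offset = ord($hmac[19]) & 0x0f;
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          | ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Stand-in for the listener that checks the submitted code and unwraps the token.
final class TwoFactorListener {
    public function __construct(private int $now) {}
    // Returns the original authenticated token on success; on failure (or if the
    // token was never wrapped) the token is returned unchanged.
    public function check(Token $token, string $code): Token {
        if (!$token instanceof TwoFactorToken) { return $token; }
        $secret = (string) $token->getUser()->totpSecret;
        foreach ([-1, 0, 1] as $drift) {            // tolerate one step of clock skew
            if (hash_equals(totp($secret, $this->now + 30 * $drift), $code)) {
                return $token->getAuthenticatedToken();
            }
        }
        return $token;
    }
}

// Constructed sample data: RFC 6238 test secret "12345678901234567890" in base32.
$secret   = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$alice    = new User('alice', ['ROLE_ADMIN'], $secret);
$bob      = new User('bob', ['ROLE_USER']);           // no secret: 2FA not enabled
$provider = new TwoFactorProviderDecorator(new PasswordProvider());
$listener = new TwoFactorListener(59);                // RFC 6238 test-vector time

$bobToken   = $provider->authenticate($bob);          // plain token, ROLE_USER visible
$aliceToken = $provider->authenticate($alice);        // wrapped, only the in-progress role
$denied     = $listener->check($aliceToken, '000000'); // still a TwoFactorToken
$granted    = $listener->check($aliceToken, totp($secret, 59)); // "287082": unwrapped
printf("bob: %s | alice before: %s | wrong code: %s | right code: %s\n",
    implode(',', $bobToken->getRoles()), implode(',', $aliceToken->getRoles()),
    get_class($denied), get_class($granted));
```

The point the thread circles around is visible in TwoFactorToken::getRoles(): as long as the wrapper only reports the in-progress role, existing access_control rules keep public pages reachable and protected pages denied without any new role on the user, and the two-firewall setup from the comment above falls out of registering the decorator only for the firewall that should require the second factor.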
Is there any new progress with this process?
No, not really. There is the proof-of-concept branch, which is working to some degree (some features are missing), but overall I'm not satisfied with the implementation. Too many things feel hacky and unstable. I wanted to get advice from someone with deeper knowledge of the security component, but didn't get a reaction from the Symfony core people. Also, I have a pull request pending for the security-acl component, which has been lying around for months now. Kind of disappointing. And then, since I couldn't get any progress, I lost interest in it, especially since I myself am no longer using the bundle actively.
Ok, I'm more using this as a reference on how to apply two-factor to Silex, which has been helping a lot, so I thank you for that. 😄 Kinda surprised Symfony isn't more interested in baking it in, seeing that their security component is so robust and 2FA is a growing demand for login security. Depending on how successful I get with it, maybe I'll try to offer some help to this repo in exchange for it helping me get a good bounce-off point.
@scheb I completely understand your situation. I'm thankful for your bundle, even though I would love to see a proper integration into the security layer with, as @SulivanDotEu asked for it, proper roles connected to it. Like @eman1986 remarked, it's extremely surprising that Symfony didn't think of integrating such things in the core. It seems that Symfony may be sort of powerful in that domain but not flexible. The two-factor authentication should also adapt to the firewalls, as described above. Why should it block access to public pages when only the user password has been entered and the one-time password hasn't yet? I guess it's simply a technical restriction. Two-factor authentication would be so easy to implement and configure; the 'only' hard thing is to integrate it in a proper way into Symfony and collect it into a bundle. I'm tempted to call handlers in each controller where authentication is required. Not clean at all, I know. 😞
I'm close to a working solution, though I'm using Symfony Guard, which does make things a bit easier and gives you a bit more control. I have more work to do as it's not 100% functional yet, but I'm very close.
@eman1986 That's great news! Looking forward to it. By the way, anti-brute-force has not been foreseen by the Symfony creators either. (But that should be quite easy to implement.)
great @eman1986 :) |
Very nice to hear @eman1986!
@eman1986 Do you finally have a working solution?
I still have one kink to work out, but I've tabled it to work on a different project. I'm looking to get it working fully once I get a chance to get back to it. With Guard it's somewhat easy to do; I just need to get one small thing figured out and I'll have it working fully. I should note, I'm using Silex on my project, so once I get it fully working, it may require some extra work for those on a full Symfony stack (mainly the wire-up portion, as they do it completely differently).
@eman1986 If you have it working on Silex it should be a bliss to move it to Symfony, thanks so much 👍
I think someone who has Symfony experience would be able to port it over pretty easily. I'll make a gist of it once I get back to working on it. The only hiccup I'm hitting is it's going into an endless login loop. I think I may know what it is, but that's what I'm stuck on before I can call it a success. I may be taking another look at it soon as my current project could use it too.
@eman1986 Would be great if you could share your solution with us. I think everyone here is curious.
Btw. my pull request symfony/security-acl#26 was merged recently. But no release yet that includes the commit.
The PR is good @scheb, but what would be nice is to describe how to tap into that interface.
@dunglas told me that the reason it was delayed was that there is no assigned maintainer for the ACL component. But he did merge it 👍
I'm going to be working on this again, once I get all the kinks out, I'll make a gist that everyone can look at to get an idea of how to do this. |
Since Symfony 4 is coming, I give it another try to get in contact with the Symfony folks. I still think it would be a way better bundle if it was properly integrated with the security layer. |
So this is finally happening. Created a 3.x branch where I'm currently reworking the old "firewall-integration" branch for Symfony 3.4+ |
Ping @sebastianblum @bytehead The current dev-master (v3.0.0-beta1 release for your convenience) version is now feature-complete for the 3.x version. Feel free to test it. Upgrade instructions can be found here: https://github.com/scheb/two-factor-bundle/blob/master/UPGRADE.md The only "feature" missing is a proper implementation for the controller. Things I'd like to get feedback on:
Thank you!
Exactly one of my questions and needs I'll have. 😄 |
Proposed solution for form rendering:
v3.0.0-beta2 now has a working controller and form renderer implementation. Please note that you need to update the route config if you've been on beta1 before. |
And there it is: 3.0.0 out now. Thanks to everyone contributing during the development process! Special thanks to @chalasr who pointed me into the right directions in the beginning. |
Thanks a lot! |
Excerpt from the documentation:
Overall, the current implementation causes some issues, which cannot really be solved, as long as two-factor authentication doesn't become part of the actual security layer.
kernel.request event, which causes problems in ESI environments,