Opened 5 years ago
Closed 5 years ago
#2131 closed enhancement (fixed)
Add support for installing multiple authentication managers
| Reported by: | Nicklas Nordborg | Owned by: | everyone |
|---|---|---|---|
| Priority: | major | Milestone: | BASE 3.14 |
| Component: | web | Version: | |
| Keywords: | Cc: |
Description
It would be very nice if BASE could support multiple authentication managers for logging in. The use case is that some some user may, for example, have a !Yubikey already and want to use that while some user could just as well use OTP instead.
In one sense BASE already supports having more than one authentication manager installed. It will try them one at a time in some order. The "problem" is that the actual implementations are a bit picky and may not allow other types of authentication. For example, the Yubikey extension may block an OTP login before the OTP extension gets a chance to check if the login is correct or not.
Another problem is that the login form is also static and the first one (in some order) is selected by BASE. While some combinations may work between different extensions other combinations are impossible. For example, the OTP login form can be used with Yubikey if the login field is used for the Yubikey-generated value, but in the Yubikey login form there is no place to enter the 6 OTP digits. It would be nice to have a menu of installed login forms where the user can select which type of login to use.
Getting the BASE core and web client ready for this should not require that much work, but the actual implementations must also be updated to make them work together with other login managers.
Change History (13)
comment:1 by , 5 years ago
comment:2 by , 5 years ago
comment:3 by , 5 years ago
comment:4 by , 5 years ago
(In [7536]) References #2131: Add support for installing multiple authentication managers
Added an "external" version of the default username+password login form. This is is disabled by default but need to be used when another external authentication manager has been installed and some users still need to be able to login with username+password.
comment:5 by , 5 years ago
comment:6 by , 5 years ago
comment:7 by , 5 years ago
comment:8 by , 5 years ago
(In [7540]) References #2131: Add support for installing multiple authentication managers
Updated the error handling for NotLoggedIn exceptions. The existing solution didn't work well with multiple authentication manages since switching between them reloads the login form. This causes other context information to be lost.
The new solution only display an error message with a link that opens the login dialog in a popup window. Once the login has been completed the page with the error message is reloaded and hopefully the original action can be completed.
comment:9 by , 5 years ago
comment:10 by , 5 years ago
comment:11 by , 5 years ago
comment:12 by , 5 years ago
comment:13 by , 5 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
(In [7529]) References #2131: Add support for installing multiple authentication managers
If there are more than one installed login manager the login page now displays a selection list with the ability to switch between them.
One "problem" is that the CSS and javascript for all login managers are loaded and CSS rules may not work well together. For example, if the Yubikey and OTP extensions are both enabled, the yubikey icon is displayed in the "Login" field also for the OTP login. On the other hand, the OTP icon is always displayed in the help text...
To fix this the extensions need to update their CSS rules so that they only apply when their own login form is active. To help with this, BASE will set an attribute on the
<body>tag:where
id-of-login-form' is the value returned by theLoginFormAction.getId()` method. Scripts should also check this value.