Opened 4 years ago

Closed 4 years ago

#2131 closed enhancement (fixed)

Add support for installing multiple authentication managers

Reported by: Nicklas Nordborg
Owned by: everyone
Priority: major
Milestone: BASE 3.14
Component: web
Version:
Keywords:
Cc:

Description

It would be very nice if BASE could support multiple authentication managers for logging in. The use case is that some user may, for example, have a Yubikey already and want to use that while some user could just as well use OTP instead.

In one sense BASE already supports having more than one authentication manager installed. It will try them one at a time in some order. The "problem" is that the actual implementations are a bit picky and may not allow other types of authentication. For example, the Yubikey extension may block an OTP login before the OTP extension gets a chance to check if the login is correct or not.

Another problem is that the login form is also static and the first one (in some order) is selected by BASE. While some combinations may work between different extensions, other combinations are impossible. For example, the OTP login form can be used with Yubikey if the login field is used for the Yubikey-generated value, but in the Yubikey login form there is no place to enter the 6 OTP digits. It would be nice to have a menu of installed login forms where the user can select which type of login to use.

Getting the BASE core and web client ready for this should not require that much work, but the actual implementations must also be updated to make them work together with other login managers.

Change History (13)

comment:1 Changed 4 years ago by Nicklas Nordborg

(In [7529]) References #2131: Add support for installing multiple authentication managers

If there is more than one installed login manager the login page now displays a selection list with the ability to switch between them.

One "problem" is that the CSS and JavaScript for all login managers are loaded and CSS rules may not work well together. For example, if the Yubikey and OTP extensions are both enabled, the Yubikey icon is displayed in the "Login" field also for the OTP login. On the other hand, the OTP icon is always displayed in the help text...

To fix this the extensions need to update their CSS rules so that they only apply when their own login form is active. To help with this, BASE will set an attribute on the <body> tag:

  <body data-login-form="id-of-login-form">

where `id-of-login-form` is the value returned by the `LoginFormAction.getId()` method. Scripts should also check this value.
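
Added example (not part of the ticket or of BASE): one way an extension script could check the data-login-form attribute before touching the login page, and build CSS selectors scoped to its own form. The form ids 'otp-login' and 'yubikey-login' and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical extension-side helpers. The form ids and
// function names are assumptions, not BASE identifiers.

// Read the id that BASE writes to <body data-login-form="...">.
function activeLoginForm(doc) {
  const body = doc && doc.body;
  return body ? body.getAttribute('data-login-form') : null;
}

// Build a CSS selector that only matches while `formId` is the active
// login form. Quotes and backslashes in the id are escaped so the id
// cannot break out of the attribute string.
function scopedSelector(formId, selector) {
  const quoted = String(formId).replace(/["\\]/g, '\\$&');
  return `body[data-login-form="${quoted}"] ${selector}`;
}

// Run `init` only when this extension's own login form is active, so the
// script never rewires fields that belong to another login manager.
function initIfActive(doc, formId, init) {
  if (activeLoginForm(doc) !== formId) return false;
  init(doc);
  return true;
}

// Constructed stand-in for the browser `document`, so the example runs
// outside a browser. In a page, pass the real `document` instead.
function fakeDocument(formId) {
  return {
    body: { getAttribute: (name) => (name === 'data-login-form' ? formId : null) },
  };
}

// Both extensions' scripts are loaded, but only the active one initialises.
function demo() {
  const doc = fakeDocument('otp-login');
  const ran = [];
  initIfActive(doc, 'otp-login', () => ran.push('otp'));
  initIfActive(doc, 'yubikey-login', () => ran.push('yubikey'));
  return ran;
}
```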

comment:2 Changed 4 years ago by Nicklas Nordborg

(In [7530]) References #2131: Add support for installing multiple authentication managers

The most recently used login form should now be remembered and automatically loaded the next time.

comment:3 Changed 4 years ago by Nicklas Nordborg

(In [7531]) References #2131: Add support for installing multiple authentication managers

The "Switch user" dialog should now work with multiple login forms.

comment:4 Changed 4 years ago by Nicklas Nordborg

(In [7536]) References #2131: Add support for installing multiple authentication managers

Added an "external" version of the default username+password login form. This is disabled by default but needs to be used when another external authentication manager has been installed and some users still need to be able to login with username+password.

comment:5 Changed 4 years ago by Nicklas Nordborg

(In [7537]) References #2131: Add support for installing multiple authentication managers

Redesign of the login form to avoid things that "jump" around when switching login manager.

comment:6 Changed 4 years ago by Nicklas Nordborg

(In [7538]) References #2131: Add support for installing multiple authentication managers

Moved "Impersonate" functionality to its own script file, since the latest changes caused it to re-load endlessly.

comment:7 Changed 4 years ago by Nicklas Nordborg

(In [7539]) References #2131: Add support for installing multiple authentication managers

Added AuthenticationManager.vetoAuthenticatedUser() method. This will make it possible for authentication managers to cooperate and allow or deny users to login with more than one authentication method.

comment:8 Changed 4 years ago by Nicklas Nordborg

(In [7540]) References #2131: Add support for installing multiple authentication managers

Updated the error handling for NotLoggedIn exceptions. The existing solution didn't work well with multiple authentication managers since switching between them reloads the login form. This causes other context information to be lost.

The new solution only displays an error message with a link that opens the login dialog in a popup window. Once the login has been completed the page with the error message is reloaded and hopefully the original action can be completed.

comment:9 Changed 4 years ago by Nicklas Nordborg

(In [7542]) References #2131: Add support for installing multiple authentication managers

The 'Password' login form was not filling out the dialog due to the <div> element getting set to display: table;.

comment:10 Changed 4 years ago by Nicklas Nordborg

(In [7543]) References #2131: Add support for installing multiple authentication managers

Updated developer documentation about supporting multiple login managers on a single server.

comment:11 Changed 4 years ago by Nicklas Nordborg

(In [7544]) References #2131: Add support for installing multiple authentication managers

Added support for CSS syntax in the documentation.

comment:12 Changed 4 years ago by Nicklas Nordborg

(In [7545]) References #2131: Add support for installing multiple authentication managers

Added note to the update information about the changes.

comment:13 Changed 4 years ago by Nicklas Nordborg

Resolution: fixed
Status: new → closed