  1. Guacamole
  2. GUACAMOLE-136

Add support for TFA - initially Duo


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 0.9.11-incubating
    • Component/s: guacamole-client
    • Labels: None

    Description

      Copied from downstream GUAC-1574:

      Add support for two-factor authentication to Guacamole, initially providing an implementation supporting Duo, but keeping in mind that future implementations will likely be made for other TFA providers (similar to the MySQL and PostgreSQL authentication backends sharing a common core).

      The Duo API makes this quite simple and is nicely in line with the authentication system already present in Guacamole. The auth process would be as follows:

      1. The user attempts to sign into Guacamole as usual.
      2. The authentication attempt succeeds.
      3. The Duo authentication extension vetoes the authentication attempt, requesting additional information. This request is part of the Guacamole extension API, and in this case would trigger the Duo prompt to appear.
      4. The user submits the additional information. This data is forwarded by the Duo API to Guacamole's authentication system, which then issues a new authentication request on behalf of the user with the additional data.
      5. The Duo authentication extension validates the additional data, allows the authentication attempt to succeed, and the user is in.

      The specifics of this would require defining a new field type which contains the Duo <iframe>, and properly calling Duo's Java equivalent to their verify_response() function when the TFA response is received. Though their API is aimed at performing a POST to some arbitrary URL on the user's behalf, they also provide a JavaScript callback which will be invoked instead, allowing us to assign the field value and invoke form submit.
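
      The veto-and-resubmit flow in steps 3 to 5, as an added example that is not part of the original issue and is neither Guacamole's nor Duo's code. It is a simplified Python model: the field name `tfa-response`, all function names, and the HMAC-signed response format are assumptions standing in for the Guacamole extension API and for Duo's signed response and its verification call.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-key"  # constructed; stands in for the provider's secret key

class InsufficientCredentials(Exception):
    """Step 3: the veto. Names the extra field the login form must render."""
    def __init__(self, field):
        super().__init__(f"additional field required: {field}")
        self.field = field

def sign_response(username, expires, key=SECRET):
    """Provider side (hypothetical format): issued once the user passes the challenge."""
    body = base64.b64encode(f"{username}|{expires}".encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"

def verify_response(signed, key=SECRET, now=None):
    """Return the username the response was issued for, or None if forged or expired."""
    try:
        body, mac = signed.split("|")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison, done before anything in the body is trusted
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None
        username, expires = base64.b64decode(body).decode().split("|")
        if int(expires) < (time.time() if now is None else now):
            return None
        return username
    except (ValueError, UnicodeDecodeError):
        return None

def tfa_authenticate(primary_user, params, now=None):
    """Steps 3-5; primary_user is the identity established by steps 1-2."""
    signed = params.get("tfa-response")
    if signed is None:
        # Step 3: primary login succeeded, but more information is required
        raise InsufficientCredentials("tfa-response")
    # Step 5: the response must be valid AND issued for the same user who
    # passed the primary login, not merely for some user
    if verify_response(signed, now=now) != primary_user:
        raise PermissionError("second factor invalid for this user")
    return primary_user
```

      The comparison against `primary_user` is the part most easily missed: without it, a valid response obtained for one account would complete the login of another.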

            People

              mjumper Mike Jumper
              mjumper Mike Jumper