The current authentication methods for Core REST services are:
Console and Enduser allow logging in via web:
- by providing username and password values, which are used internally to obtain a JWT value from Core, then used internally for all subsequent REST calls
- by means of the SAML 2.0 or OIDC extensions, if enabled and configured, which require an external authentication to succeed before Core generates a JWT value, then used internally for all subsequent REST calls
It can be observed that, unless required by the external entities involved in SAML 2.0 or OIDC, there is no strong authentication option available.

Requirements
- option to enable / disable MFA for authentication
- store the MFA secret and recovery codes along with the password value in the SyncopeUser table, and in properties for admin
- introduce new REST endpoints to enroll and dismiss the MFA secret and recovery codes
- with MFA disabled, keep the current behavior for REST services, Console and Enduser
- with MFA enabled:
  - REST
    - leave the authentication process unchanged for anonymous
    - require username and password for Basic Authentication on the MFA enrollment endpoint
    - require username, password and OTP for Basic Authentication on all other REST endpoints, including the one used to obtain a JWT value
  - Console and Enduser
    - support MFA enrollment and dismissal via web forms
    - require username, password and OTP for login
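The following is an added example, not Syncope's own code: a stand-alone Python model of the rules listed above, so the required behavior can be checked before any endpoint is written. Everything beyond the requirements is an assumption: OTPs are TOTP per RFC 6238 (HMAC-SHA1, 6 digits, 30-second step, one step of clock skew either way), recovery codes are kept only as SHA-256 hashes and consumed on use, passwords are PBKDF2 hashes, and the names MfaStore, UserRecord, enroll, authenticate and dismiss are hypothetical. Enrollment accepts username and password only; every other call also needs an OTP or an unused recovery code once a secret is stored; dismissal needs a full MFA login before it wipes secret and codes. The store also remembers the last accepted TOTP step so that a code captured in transit cannot be replayed inside the skew window, a check the requirements do not mention but that any OTP verifier should have.

```python
# Added example (not Syncope code): the MFA rules from the requirements above.
# Assumptions not in the proposal: RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s
# step, +/-1 step window), recovery codes stored as SHA-256 hashes and consumed
# on use, PBKDF2 password hashes; MfaStore/UserRecord names are hypothetical.
import base64, hashlib, hmac, secrets, struct, time
from dataclasses import dataclass, field
from typing import Optional, Set

STEP, DIGITS = 30, 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int) -> str:
    """RFC 6238: HOTP with counter = unix_time // STEP."""
    return hotp(secret, at // STEP)

def authenticator_code(b32_secret: str, at: int) -> str:
    """What the user's authenticator app shows for the enrolled Base32 secret."""
    return totp(base64.b32decode(b32_secret), at)

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

@dataclass
class UserRecord:
    # What sits next to the password value: MFA secret, recovery code hashes,
    # and the last accepted TOTP step (so a sniffed code cannot be replayed).
    salt: bytes
    password_hash: bytes
    mfa_secret: Optional[bytes] = None
    recovery_hashes: Set[str] = field(default_factory=set)
    last_counter: int = -1

class MfaStore:
    def __init__(self):
        self.users = {}

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = UserRecord(salt, _pbkdf2(password, salt))

    def _check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            _pbkdf2(password, bytes(16))  # same cost whether or not the user exists
            return None
        return user if hmac.compare_digest(_pbkdf2(password, user.salt), user.password_hash) else None

    def enroll(self, username, password, recovery_count=5):
        """Enrollment endpoint: Basic auth with username and password only.
        Returns the Base32 secret and plain recovery codes exactly once."""
        user = self._check_password(username, password)
        if user is None:
            raise PermissionError("invalid username or password")
        secret = secrets.token_bytes(20)
        codes = [secrets.token_hex(5) for _ in range(recovery_count)]
        user.mfa_secret, user.last_counter = secret, -1
        user.recovery_hashes = {_hash_code(c) for c in codes}
        return base64.b32encode(secret).decode(), codes

    def authenticate(self, username, password, otp=None, at=None, window=1):
        """All other endpoints, JWT issuance included: password plus OTP
        (or one unused recovery code) once MFA is enrolled."""
        user = self._check_password(username, password)
        if user is None:
            return False
        if user.mfa_secret is None:
            return True  # MFA disabled: unchanged behaviour
        if not otp or not otp.isascii():
            return False
        counter = (int(time.time()) if at is None else at) // STEP
        for c in range(counter - window, counter + window + 1):
            if c > user.last_counter and hmac.compare_digest(hotp(user.mfa_secret, c), otp):
                user.last_counter = c  # burn this step: no replay within the window
                return True
        digest = _hash_code(otp)
        if digest in user.recovery_hashes:
            user.recovery_hashes.discard(digest)  # recovery codes are single use
            return True
        return False

    def dismiss(self, username, password, otp, at=None):
        """Dismissal needs a full MFA login, then clears secret and codes."""
        if not self.authenticate(username, password, otp, at):
            raise PermissionError("invalid credentials or OTP")
        user = self.users[username]
        user.mfa_secret, user.last_counter = None, -1
        user.recovery_hashes.clear()
```

The hotp and totp functions reproduce the RFC 6238 test vectors (shared secret "12345678901234567890", time 59 gives 287082), which is the quickest way to confirm an OTP implementation interoperates with off-the-shelf authenticator apps. How the OTP travels alongside Basic Authentication (extra header, appended to the password, separate form field) is left open by the requirements and is not decided here.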