Hello all,

Not sure if this mailing list is the right place to ask this question, but I have been working on extending guacamole-auth-jdbc with two-factor authentication (specifically TOTP codes with Google Authenticator) and I am not sure how to proceed.
First I would like to say that I am really impressed by the guacamole-ext API. It only took me a few hours to get basic two-factor authentication working. I started with guacamole-auth-jdbc as a base and added two attributes (tfa-required and tfa-secret-key) to the user model, and added a form part to the ModeledUser to configure this in the web interface. I also added the mappings for the database, the automatic creation of a secret key for a user, and the necessary logic in the retrieveAuthenticatedUser function that validates an authentication request. This basically works: you can now enable TFA for a user through the web interface, and if that is enabled, the Guacamole web interface will ask for a TOTP code after logging in with username and password.

The problem, however, is that TOTP (time-based one-time password) works with secret keys that both the user and the server need to have. The client generates a TOTP code based on the secret key and the current timestamp, and the server can later validate that with the same secret key and derive when the code was generated. A code is valid if it was generated in the last 30 seconds.

The Google Authenticator app has the option to register a new "account" by scanning a QR code that encodes a URL in the format of:

otpauth://totp/Example:al...@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example

At the moment I manually enter the secret that shows up in a text box in the options menu, but I would really like to replace this with a QR code. Is that possible with the extension API? So far I have only found ways to add parts to forms etc. Any advice on how to implement this would be really appreciated.

Kind regards,
Lars van Ruiten

P.S. If this is something that could be interesting for the community I would be happy to contribute the code.
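As an added, stand-alone illustration of the TOTP mechanics the post describes (shared base32 secret, HMAC over the 30-second time step, server-side validation, and the otpauth:// enrolment URI), here is a Python implementation of RFC 4226/6238 with SHA-1 and six digits, the parameters Google Authenticator uses by default. This is example code written for this page, not code from the post, from guacamole-auth-jdbc, or from any Guacamole extension (which would be Java); the account name, issuer, window size and the idea of returning the matched counter so the caller can store it for replay protection are assumptions of the example. It uses only the standard library, and the check against the RFC 6238 reference secret is in the code comments.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote, urlencode

STEP_SECONDS = 30   # Google Authenticator default period
DIGITS = 6          # Google Authenticator default code length


def generate_secret(num_bytes=20):
    """Fresh random shared secret, base32-encoded (the form the otpauth URI carries).
    20 bytes = 160 bits, the natural key size for HMAC-SHA1; pad characters are stripped."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def decode_secret(secret_b32):
    """Decode a base32 secret as typed or scanned by the user: tolerate spaces,
    lower case and missing '=' padding (the otpauth URI omits padding)."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key, at_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from Unix time / step.
    RFC 6238 reference secret b'12345678901234567890' at t=59 gives 287082 (6 digits)."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key, submitted, at_time=None, window=1, last_counter=None,
                step=STEP_SECONDS, digits=DIGITS):
    """Server-side check. Returns the matched time-step counter on success, None on failure.

    - window=1 accepts the previous and next step as well, to absorb clock skew and the
      latency between the app showing a code and the server receiving it.
    - last_counter (assumed to be persisted per user by the caller) rejects any counter
      that has already been accepted, so a code captured within its window cannot be replayed.
    - comparison is constant-time so the loop does not leak how many digits matched.
    """
    if at_time is None:
        at_time = time.time()
    submitted = submitted.strip().replace(" ", "")
    if len(submitted) != digits or not submitted.isdigit():
        return None
    base = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


def otpauth_uri(secret_b32, account, issuer):
    """Build the enrolment URI that a QR code would encode, in the
    otpauth://totp/Issuer:account?secret=...&issuer=... form from the post.
    Explicit algorithm/digits/period parameters are optional but keep the app
    and server in agreement if either default ever changes."""
    label = quote(f"{issuer}:{account}", safe=":@")
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": "SHA1", "digits": DIGITS, "period": STEP_SECONDS})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    # Constructed enrolment flow: secret from the post, assumed account and issuer.
    secret_b32 = "JBSWY3DPEHPK3PXP"
    key = decode_secret(secret_b32)
    print(otpauth_uri(secret_b32, "alice@example.com", "Example"))
    now = time.time()
    code = totp(key, now)                      # what the authenticator app would show
    print("code:", code, "->", verify_totp(key, code, at_time=now))
```

The server only ever needs `verify_totp`; `totp` is there to play the client side in a test. Persisting the counter returned by `verify_totp` and passing it back as `last_counter` on the next login is the part most home-grown TOTP implementations skip, and without it a code remains usable for the whole acceptance window.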