
OTP authentication for Roundcube
Open, Normal, Public

Description

Add OTP-based two-factor authentication to Roundcube. M3 provides a conceptual draft of how this is supposed to work.

A Roundcube plugin for handling two-factor authentication shall be implemented, with a driver-based backend to support multiple methods (FreeOTP, Yubikey, etc.). Users can enable OTP for their account through the preferences by selecting one of the methods provided by the plugin.

The actual validation and storage of OTP secrets associated with a user account shall be handled by a service external to the Roundcube web server, only reachable through an API/RPC from the Roundcube server(s). This external "validation" service needs to be designed and implemented separately.

Details

Ticket Type
Task


Event Timeline

bruederli claimed this task.
bruederli raised the priority of this task from to 60.
bruederli updated the task description.
bruederli changed Ticket Type from Task to Task.
bruederli added subscribers: grote, bruederli.

Here's a first draft of the class structure for this plugin:

[Image: Screen_Shot_2015-06-04_at_10.16.01.png, class structure draft]

Both the kolab_2fa plugin as well as the Kolab2FA\Service\JSONRPC controller can make use of the same driver and storage classes. Configuration can specify whether the plugin operates locally or delegates all driver calls to a JSON-RPC service running on an external host. The Kolab2FA\Driver\Remote driver represents the connection to the 2FA service running on an external system, provided by the JSONRPC controller.
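
The split described in the task description and in the class-structure comment above, as an added example that is not part of this ticket or of the kolab_2fa code: the web-tier driver forwards only the user name and the entered code, and the validation service keeps the secret and returns a boolean. All class and method names are hypothetical, TOTP (RFC 6238) is assumed as the OTP method, and a closure stands in for the network transport (PHP 8 syntax).

```php
<?php
// Added illustration; every class and method name here is hypothetical.
interface OtpDriver {
    public function verify(string $user, string $code): bool;
}
// Runs only on the validation host, the sole place that stores OTP secrets.
final class ValidationService {
    public function __construct(private array $secrets, private int $window = 1) {}

    // RFC 6238 TOTP: HMAC-SHA1, 30-second step, 6 digits.
    public static function totp(string $secret, int $time): string {
        $counter = pack('J', intdiv($time, 30));          // 64-bit big-endian counter
        $hash = hash_hmac('sha1', $counter, $secret, true);
        $offset = ord($hash[19]) & 0x0f;                  // dynamic truncation
        $bin = unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff;
        return str_pad((string) ($bin % 1000000), 6, '0', STR_PAD_LEFT);
    }
    // JSON-RPC 2.0 entry point: replies with a boolean, never with a secret.
    public function handle(string $json, ?int $now = null): string {
        $req = json_decode($json, true);
        $now ??= time();
        $user = (string) ($req['params']['user'] ?? '');
        $code = (string) ($req['params']['code'] ?? '');
        $ok = false;
        if (($req['method'] ?? '') === 'verify' && isset($this->secrets[$user])) {
            for ($i = -$this->window; $i <= $this->window; $i++) {   // tolerate clock drift
                $expected = self::totp($this->secrets[$user], $now + 30 * $i);
                $ok = hash_equals($expected, $code) || $ok;          // constant-time compare
            }
        }
        return json_encode(['jsonrpc' => '2.0', 'id' => $req['id'] ?? null, 'result' => $ok]);
    }
}
// Runs on the Roundcube web server: forwards user and code, holds no secret.
// $transport stands in for an authenticated HTTPS POST to the service.
final class RemoteDriver implements OtpDriver {
    public function __construct(private \Closure $transport) {}

    public function verify(string $user, string $code): bool {
        $req = json_encode(['jsonrpc' => '2.0', 'id' => 1, 'method' => 'verify',
                            'params' => ['user' => $user, 'code' => $code]]);
        $res = json_decode(($this->transport)($req), true);
        return ($res['result'] ?? false) === true;        // fail closed on any error
    }
}
// Constructed sample: the RFC 6238 test secret and a fixed clock (T=59), not a real account.
$service = new ValidationService(['alice@example.org' => '12345678901234567890']);
$driver = new RemoteDriver(fn(string $r): string => $service->handle($r, 59));
var_dump($driver->verify('alice@example.org', '287082'), $driver->verify('alice@example.org', '000000'));
```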

bruederli edited projects, added Restricted Project; removed Sprint Server 201522. Jun 9 2015, 10:00 AM
bruederli moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
bruederli removed a project: Restricted Project. Jun 12 2015, 1:35 PM

The Roundcube plugin is basically functional to run locally as of commit rRPK9cd117d7. There's some documentation about the kolab_2fa plugin, its components, installation and configuration in the README.md. Please note that the Yubikey driver doesn't work with the LDAP storage due to missing coverage in the FreeIPA schema.

Some sensible additions and extensions to this plugin are filed as subtickets.

vanmeeuwen lowered the priority of this task from 60 to Normal. Mar 28 2019, 8:13 AM