Homekolab.org
Diffusion kolab f1a6d6b2c90e

MFA via CompanionApp

Authored by Christian Mollekopf <mollekopf@apheleia-it.ch> on Nov 3 2022, 12:22 PM.

Description

MFA via CompanionApp

  • API is protected by either api (full access), or mfa scopes
  • The second factor only interacts via the mfa scope
  • Each companion app get's it's own oauth_client, which enforces the allowed scope via the new allowed_scopes column + the TokenObserver.
  • MFA is not checked for MFA device interactions. This is to allow pairing & using a new device if an existing one was e.g. lost.
  • The QR-Code is now printable and includes the generated oauth_client secret. Together with the relaxation of mfa-checking for the mfa scope, this allows to create & print recovery qr-codes.

Further changes:

  • The companion app is now offered for direct download via configurable download link.
  • The companion app primary key is now a uuid (in binary form), since it's exposed in the api.

Notes:

  • The companion app table is truncated on migration because nothing is currently relying on it and no important data is lost.

Builds on D3698

Differential Revision: https://git.kolab.org/D3932

Details

Committed
Christian Mollekopf <mollekopf@apheleia-it.ch>Nov 16 2022, 4:12 PM
Pushed
mollekopfNov 16 2022, 4:27 PM
Differential Revision
D3932: MFA via CompanionApp
Parents
rK42091037a813: [Draft] 2FA via CompanionApp for Kolab4 logons
Branches
Unknown
Tags
Unknown
Build Status
Buildable 40616

Event Timeline

Christian Mollekopf <mollekopf@apheleia-it.ch> committed rKf1a6d6b2c90e: MFA via CompanionApp (authored by Christian Mollekopf <mollekopf@apheleia-it.ch>).Nov 16 2022, 4:12 PM