chrishasz / spgo

SPGo: A Lightweight, Open Source, SharePoint IDE for Visual Studio Code
https://www.chrishasz.com/spgo
MIT License

Multi factor authentication #102

Open dvd73 opened 4 years ago

dvd73 commented 4 years ago

Do you support multi factor authentication? What settings do I need to have in spgo.json? Thanks

koltyakov commented 4 years ago

Nope. For 2FA, Add-in Only Auth should be used, or create a user app password.

dvd73 commented 4 years ago

Ok, I have clientId, clientSecret and realm. What authenticationType do I need to use? Shall I use authenticationDetails for clientId, clientSecret and realm?

koltyakov commented 4 years ago

Got it, I thought that Add-in Only is exposed in SPGo. It's not at the moment. Thus, you can try App Password.

chrishasz commented 4 years ago

Thanks @koltyakov!

@dvd73 you can view documentation on App Password configuration for SPGo here: https://www.chrishasz.com/spgo/authentication/two-factor-authentication

dvd73 commented 4 years ago

How are Application ID and App Password specified in the spgo.json file?

koltyakov commented 4 years ago

App password is just something which you use instead of user password when connecting with a tool.

nlvraghavendra commented 4 years ago

I've a similar requirement. Classic auth is disabled in our organization and I currently use Client ID/Client Secret to upload files into SharePoint libraries from a C# application. I'm looking to switch to SPGo and I'm not clear if SPGo supports this.

UPDATE: Nevermind. I just found this - https://stackoverflow.com/questions/57569646/internalservicefault-when-trying-to-connect-spgo-to-sp-online-in-vs-code

chrishasz commented 4 years ago

@nlvraghavendra - are you unable to use an app password with your SharePoint Tenant? I would try that approach first, rather than App ID/Password.

This isn't the first time I've had that request, so I will create a new Issue to add Addin-only authentication to a future release of SPGo.

jow5 commented 4 years ago

I'm SUPER interested in this "MFA" login thing getting worked out, but no expert at VS Code. Still, I just happened to add the Azure App Service extension to Code, and was presented with a browser login window! Maybe there's a technique to be unearthed from that extension?

Extension: ms-azuretools.vscode-azureappservice

I've done a bit of spelunking that might get someone-able-to-use-it to the techniques being used.

https://github.com/microsoft/vscode-azureappservice appears to authorize the user in line 69 via /src/explorer/AzureAccountTreeItem.ts, which gets AzureAccountTreeItemBase from vscode-azureextensionui

vscode-azureextensionui is from https://github.com/microsoft/vscode-azuretools/tree/master/ui https://github.com/microsoft/vscode-azuretools/blob/master/ui/src/treeDataProvider/AzureAccountTreeItemBase.ts

which uses extensions.getExtension<AzureAccount, which appears to be defined in https://github.com/microsoft/vscode-azure-account/blob/master/src/extension.ts where createStatusBarItem and AzureLoginHelper appear to be the applicable factory methods

AzureLoginHelper is from https://github.com/microsoft/vscode-azure-account/blob/master/src/azure-account.ts where, in https://github.com/microsoft/vscode-azure-account/blob/master/src/azure-account.ts::login, there is a path to log in via codeFlowLogin https://github.com/microsoft/vscode-azure-account/blob/master/src/codeFlowLogin.ts::login which, at line 135, uses "vscode.env.openExternal"

Whew.

This is where I lose the thread a bit -- there's a local server, maybe? That redirects to the remote login?

Anyway, hope this helps the cause!

CPritch commented 4 years ago

Hi @chrishasz I'll be more than happy to implement any Auth protocols as it's critical for me; we have a few tenants where App Passwords are now disabled. Just let me know which auth mechanism from MSAL that you'd like me to prioritise.

chrishasz commented 4 years ago

Hello @jow5, @CPritch -

Thank you both for your interest. I definitely want to support this method of authentication with SPGo if possible. I have a couple thoughts on how best to implement this:

SPGo uses node-sp-auth under the covers for SharePoint Authentication, so all auth-related activities are performed by this library. That includes things like token storage and refresh.

Visual Studio Code is the runtime environment for all extensions, and uses electron under the covers. However, much of the core electron functionality is hidden from extensions by the VSCode execution context. Things like https windows to external sites are blocked, which makes MFA with Office365 difficult (impossible?)

I want to dig into the links that @jow5 posted above, as well as this post on Stack Overflow which suggests an alternate approach.

If I was implementing 2FA, or MFA login, I would want it somewhere that could be reused, so the best place would be within node-sp-auth. I would like to see what @s-KaiNet thinks in terms of architecture and inclusion in node-sp-auth.

Maybe we can work together on a POC to prove this out. I would like to create a test extension for visual studio that uses the approaches listed above to make sure something like this would even work for VSCode.

Thoughts?

s-KaiNet commented 4 years ago

When it comes to node-sp-auth, then if you have 2FA enabled for your account, you can't use username / password authentication directly. There are three workarounds:

  1. Use add-in only authentication.
  2. Use app passwords.
  3. Use on-demand authentication.

SPGo doesn't support option 1, and option 3 doesn't work in VSCode. Option 2 is the only one that works here, but a tenant administrator might disable app passwords. Those users currently can't use SPGo.

How to cover those users? I see two options:

  1. Add add-in only support in SPGo.
  2. Implement Azure AD authentication with auth code flow or device code flow inside SPGo natively.

While option 1 is clear, let's discuss option 2 in detail.

The only way to support users with 2FA (and without app passwords) is to let them use a browser to complete all MFA challenges. It's possible through the custom Azure AD app registration (multitenant). You can use either

In auth code flow you create a local http server, which opens a browser and intercepts requests. The key point is that the flow doesn't use client secret, because you can't store it securely inside VSCode extension. That's why you need native app registration here.

In device code flow you simply open a device login page right from VSCode, users log in, you save the token. Device code flow looks easier for development.

There is a VSCode extension, which uses both methods, Azure Accounts. Check out codeFlowLogin.ts and device code login. o365cli uses the same approach in one of the authentication methods.

Now, why I'm not planning to add support for all the mentioned things in node-sp-auth: simply because there is a library which implements all the authentication methods, node-adal. node-adal is used internally by the Azure Account VSCode extension and by o365 cli.

That's my point, hope it helps.