Closed BWibo closed 7 months ago
Hi @BWibo
In our implementation (CKAN 2.9.8) this is the who.ini file config:
```ini
[plugin:use_beaker]
use = repoze.who.plugins.use_beaker:make_plugin
key_name = ckan_session
delete_on_logout = True

[plugin:friendlyform]
use = ckan.lib.repoze_plugins.friendly_form:FriendlyFormPlugin
login_form_url = /user/login
login_handler_path = /login_generic
logout_handler_path = /user/logout
rememberer_name = use_beaker
post_login_url = /user/logged_in
post_logout_url = /user/logged_out
charset = utf-8

[general]
request_classifier = repoze.who.classifiers:default_request_classifier
challenge_decider = repoze.who.classifiers:default_challenge_decider

[identifiers]
plugins =
    friendlyform;browser
    use_beaker

[authenticators]
plugins =
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth

[challengers]
plugins =
    friendlyform;browser
```
The issue with the QR code not displaying will be related to that error message in the logs. The mfa_configure file should be rendered by the ckan webassets pipeline and be available for request by the templates. It doesn't seem like that is happening in your case however?
This is likely the reason that you're not seeing the mfa challenge on the login page as well, as it uses javascript to override the form submission behaviour.
You should be able to see some script tags near the bottom of the body on the login page like these:
```html
<script src="/webassets/webassets-external/54068721e204466fdd6561cabd04cca8_qrious.js" type="text/javascript"></script>
<script src="/webassets/webassets-external/204a98d1dce0cdc48a598deae34d8640_login_ajax.js" type="text/javascript"></script>
```
Also, you'll want to remove ckan.lib.authenticator:UsernamePasswordAuthenticator from your who.ini authenticators, as I'm pretty sure that's what is allowing you to bypass the 2fa on the login page
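The check suggested in the reply above, written out as an added example (not code from this thread or from ckanext-security): it parses the `[authenticators]` section of a who.ini and reports any entry that differs from the two authenticators in the quoted config, calling out the password-only one the reply suspects of bypassing 2FA. The function names and the two sample files are constructed for illustration.

```python
import configparser

# Authenticators listed in the working who.ini quoted in the thread.
EXPECTED = [
    "ckanext.security.authenticator:CKANLoginThrottle",
    "ckanext.security.authenticator:BeakerRedisAuth",
]
# The entry the reply suspects of letting a login skip the 2FA step.
PASSWORD_ONLY = "ckan.lib.authenticator:UsernamePasswordAuthenticator"


def authenticators(who_ini_text):
    """Return the [authenticators] plugin names, in order, without ;classifier."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(who_ini_text)
    raw = parser.get("authenticators", "plugins", fallback="")
    return [entry.split(";", 1)[0] for entry in raw.split()]


def audit(who_ini_text):
    """Return a list of findings; an empty list means the chain matches."""
    found = authenticators(who_ini_text)
    findings = ["missing: " + n for n in EXPECTED if n not in found]
    for name in found:
        if name == PASSWORD_ONLY:
            findings.append("password-only authenticator enabled: " + name)
        elif name not in EXPECTED:
            findings.append("not in reference list: " + name)
    return findings


# Constructed samples (not the reporter's actual file). Continuation lines
# must be indented, otherwise "module:Class" is parsed as a key/value pair.
WEAK = """
[authenticators]
plugins =
    auth_tkt
    ckan.lib.authenticator:UsernamePasswordAuthenticator
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth
"""
FIXED = """
[authenticators]
plugins =
    ckanext.security.authenticator:CKANLoginThrottle
    ckanext.security.authenticator:BeakerRedisAuth
"""

if __name__ == "__main__":
    print(audit(WEAK), audit(FIXED))
```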
Closing this due to inactivity.
Thx for the assistance. I'll reopen if this comes up again. For now, we have a different solution.
Hey there,
thx for this great extension. I'm currently trying to get this running on CKAN 2.9.9, but I'm facing a couple of issues. I have the extension successfully installed, the database migration was completed successfully. I can launch CKAN and login using username & password, but I'm not prompted for 2FA setup on first login. I can do the setup by navigating to user config page. This seems to work, but no QR-Code is displayed. I need to enter the token manually in 2FA app. Testing a code is confirmed to work.
Patch flask_app.py and pylons_app.py
From what is described in ckanext-security.patch, I created these two files. The changes are the same as in the patch, just shifted for a couple of lines. Can you confirm that this is correct:
who.ini
Based on the documentation, I'm not entirely sure how to get this right. I tried to derive a working who.ini from the original CKAN 2.9.9 and the docs. Below is what I ended up with. This gives me the behavior as described above. Can you please give some guidance how to configure this correctly:
[authenticators] are required? Is the order important?
auth_tkt and ckan.lib.authenticator:UsernamePasswordAuthenticator logging in with username/password fails.
login_form_url, login_handler_path or other settings in that section?
Logs
From the CKAN logs I get this:
Should I be worried about this? How to fix that?
This is it for now. Thx in advance for any support on this!