greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

question: MFA disable? #339

Open tribor opened 1 month ago

tribor commented 1 month ago

I added MFA config via the 'User Dashboard'. After I logged out and tried to re-login I was asked for MFA.

So I have to use MFA right after I configured it? I thought I have to add require mfa to the transform user section first?

I want to use MFA not for all domains but only some of them. So how can I configure this? Is MFA set per user or can I also set it per domain?

{
        order authenticate before respond
        order authorize before basicauth

        security {
                local identity store localdb {
                        realm local
                        path /opt/startup/caddy/auth/users.json
                        user itsme {
                                name me
                                email me@here
                                password "bcrypt:10:$2a$14$q/.GQ[REDACTED]"
                                roles authp/admin authp/user
                        }
                }

                authentication portal myportal {
                        crypto default token lifetime 3600
                        crypto key sign-verify {env.JWT_SHARED_KEY}
                        enable identity store localdb
                        cookie domain [REDACTED]

                        ui {
                                static_asset "assets/images/logo.svg" "image/svg+xml" auth/lock.svg
                                links {
                                        "My Identity" "/whoami" icon "las la-user"
                                }
                        }
                        transform user {
                                match origin local
                                action add role authp/user
                                ui link "User Dashboard" /auth/profile/ icon "las la-cog"
                        }
                }

                authorization policy admins_policy {
                        set auth url https://[REDACTED]/
                        allow roles authp/admin authp/user
                        crypto key verify {env.JWT_SHARED_KEY}
                        acl rule {
                                comment allow users
                                match role authp/user
                                allow stop log info
                        }
                        acl rule {
                                comment default deny
                                match any
                                deny log warn
                        }
                }
        }
}
tribor commented 1 week ago

any ideas?

greenpau commented 1 week ago

> So I have to use MFA right after I configured it? I thought I have to add require mfa to the transform user section first?

@tribor , yes. As soon as you add MFA (app or token) to your profile, you will start getting prompted for the second factor. You can have multiple tokens configured. You can supply any of them, and as long as they are valid, you would get it. For example, I have an app token, a passcode on my PC, a passcode on my phone, and a hardware token. I added all 4 of them. I recommend adding the app token first.

greenpau commented 1 week ago

> I want to use MFA not for all domains but only some of them. So how can I configure this? Is MFA set per user or can I also set it per domain?

@tribor , that granularity does not exist. That would be a new feature.