jhipster / generator-jhipster

JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures.
https://www.jhipster.tech
Apache License 2.0

Two-factor Authentication and Refresh Token #8242

Closed abhisheksharma85 closed 6 years ago

abhisheksharma85 commented 6 years ago
Overview of the feature request

I have implemented Two-factor Authentication and Refresh Token in my gateway. I would like to make it more generic and provide it as my contribution.

Either email or phone number will receive an OTP code (identification code) upon login. We can do it in a few different ways: Two Factor/Multi Factor Authentication (MFA)

  1. OTP always required.
  2. One time, until the user logs in from a different device (we can also do it for a different IP).
  3. We will use a browser signature to identify the user and decide whether or not an OTP is required.

Refresh Token

  1. We are using JWT for the authentication token. Since we don't store the JWT, there is no way to delete or expire it once we log in. And if someone can get the JWT then he/she can have access to all resources.
  2. I have reduced JWT expiry to 1 min and implemented the concept of a Refresh Token.
  3. Upon login I generate a Refresh Token and store this token in the DB.
  4. Created a resource /api/refresh; I post this refresh token every minute and in response it sends a new id_token, which I update on the client side.
  5. Now if the user decides to log out then I delete the refresh_token from the DB and the id_token will be valid for at most 1 min.
  6. I have updated authentication and now I am storing the device, i.e., web, ios, android etc. This way I will set the expiry for the id_token. In case of web my id_token expiry is 1 min and in case of a smart device it will be 1 week.
  7. When the user launches the app, then in the background I check whether the id_token is valid via /api/validate; if not, then I use api/refresh to get a new id_token.

Single Sign in

  1. In our application we only allow 1 login, and if the user logs in from a different device they will be logged out from other devices (except app), i.e., only for the web app.
  2. Using the refresh token I am able to achieve it.
  3. During authentication I check in the DB if any refresh_token (for web) exists. If so then it will be deleted.
  4. Now let's say the user is already logged in from a different device (web); then upon the /api/refresh call it will send invalid access and we redirect to the login page. I am currently working so that I can send a push notification for a real-time alert, but not everyone allows browser notifications.
Motivation for or Use Case
  1. I have to implement MFA so that I can make sure to avoid brute force login or hacking.
  2. Refresh token to keep the id_token shorter but keep it updating as long as the user is active.
  3. Single Sign in so that at no time can 2 different people use the same login.
Related issues or PR
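A self-contained model of the refresh-token scheme described in the post above (short-lived HMAC-signed id_token, refresh token stored server-side, web-only single sign-in, logout by deleting the refresh token). This is an added illustration, not code from the issue author or from JHipster; the signing key, TTLs and the `RefreshTokenStore` class are assumptions, and only a SHA-256 hash of each refresh token is kept at rest so a DB leak does not hand out usable tokens.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-signing-key"        # assumption: server-side HMAC key
ID_TOKEN_TTL = {"web": 60, "ios": 7 * 86400, "android": 7 * 86400}  # 1 min web, 1 week app
REFRESH_TTL = 30 * 86400                          # assumption: refresh token lifetime

def _h(token):
    # store only a digest of the refresh token, never the raw value
    return hashlib.sha256(token.encode()).hexdigest()

class RefreshTokenStore:
    """In-memory stand-in for the refresh_token DB table; `now` is injectable for testing."""
    def __init__(self, now=time.time):
        self.now = now
        self.rows = {}  # sha256(refresh_token) -> {"user", "device", "expires"}

    def login(self, user, device):
        # single sign-in applies to web only: a new web login revokes the old web session
        if device == "web":
            for h in [h for h, r in self.rows.items() if r["user"] == user and r["device"] == "web"]:
                del self.rows[h]
        token = secrets.token_urlsafe(32)
        self.rows[_h(token)] = {"user": user, "device": device, "expires": self.now() + REFRESH_TTL}
        return token, self.issue_id_token(user, device)

    def refresh(self, token):
        # /api/refresh: a deleted or expired refresh token yields None -> client goes to login
        row = self.rows.get(_h(token))
        if row is None or row["expires"] < self.now():
            return None
        return self.issue_id_token(row["user"], row["device"])

    def logout(self, token):
        # after this the last id_token stays valid for at most ID_TOKEN_TTL[device]
        self.rows.pop(_h(token), None)

    def issue_id_token(self, user, device):
        payload = {"sub": user, "dev": device, "exp": int(self.now()) + ID_TOKEN_TTL[device]}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def validate(self, id_token):
        # /api/validate: returns the payload if the signature is good and not expired, else None
        body, _, sig = id_token.rpartition(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
        return payload if payload["exp"] >= self.now() else None
```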
amirensit commented 6 years ago

I am interested in integrating refresh tokens with JWT. Can you paste your code please? (if you don't mind)

abhisheksharma85 commented 6 years ago

Sure, I will. But there are multiple classes that I changed as well as created, and a Refresh Token entity; I did it very specifically for my application. I do want to make it generic and option based. Once I get approval from Julien I will start working on it. Share your email and I will send all the code.

deepu105 commented 6 years ago

@abhisheksharma85 can't most of this be achieved with the OIDC option? In either case this is quite a lot to put in the main code and I think it's a perfect fit for a module. Can you build this as a module first? If there is enough interest in it we can merge it back here. I'm closing the ticket for now but you guys are welcome to continue any discussion here.

deepu105 commented 6 years ago

@abhisheksharma85 also don't hesitate to ask us for any help you need with the module https://www.jhipster.tech/modules/creating-a-module/

abhisheksharma85 commented 6 years ago

Sure Deepu! I will make it as a module.

johnmartin4561 commented 5 years ago

Hi @abhisheksharma85,

I am working on a project based on JHipster and there is a requirement for two-step authentication. Could you please guide me on how to achieve this in a JHipster application? If you could give me a code snippet, that would be great.

Thank you.

abhisheksharma85 commented 5 years ago

Sure, I will send it to you over the weekend.

Send me your email address.


johnmartin4561 commented 5 years ago

Thank you @abhisheksharma85,

Here is my email address: johnmartin4561@gmail.com

mraible commented 5 years ago

If you use OIDC and Okta, it's pretty easy to enable MFA. Here's a tutorial that shows you how: https://developer.okta.com/blog/2018/06/12/mfa-in-spring-boot

piprog commented 5 years ago

Hi @abhisheksharma85 - do you have any update? I need to implement 2FA and would love to look at your code :)

AlexandreCassagne commented 4 years ago

@abhisheksharma85 Have you managed to implement two-factor authentication on your end?

abhisheksharma85 commented 4 years ago

Yes. Using AWS SNS. Currently working on MFA using an Auth Provider.


iroCheese commented 4 years ago

Just in case anyone finds this issue through Google: I just successfully implemented 2FA for my UAA + microservices setup following this great tutorial: https://sultanov.dev/blog/multi-factor-authentication-with-spring-boot-and-oauth2/ In addition to the described steps, the gateway needs to be configured to forward the MFA request params. My solution now also supports OTPs sent via SMS, which is pretty easy to set up once the Google Authenticator is working. Hope this might help someone searching for something similar.

AlexandreCassagne commented 4 years ago

@iroCheese I've also run through the same tutorial and implemented MFA this way. Perhaps we should start a blueprint/feature proposal for JHipster. It would be nice to get some "validation" that this was implemented properly.

iroCheese commented 4 years ago

I'd love to do that, but sadly at the moment I just don't see myself finding the time to do this properly. However, this might change at some point. I'd really like to give something back to the JHipster community.

raovishnu commented 1 year ago

@abhisheksharma85 hi, I am working on a project based on JHipster and there is a requirement for two-step authentication. Could you please guide me on how to achieve this in a JHipster application? If you could give me a code snippet, that would be great.

mraible commented 1 year ago

If you use Auth0, using MFA only requires you to turn on the feature in your management dashboard.

https://www.jhipster.tech/security/#auth0