search

ory / hydra

OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.
https://www.ory.sh/hydra/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0
15.41k stars 1.48k forks source link

Dynamic MFA needed for Hydra with Kratos #3637

Open andremussche opened 11 months ago

andremussche commented 11 months ago

Preflight checklist

Ory Network Project

No response

Describe your problem

For a new project (dutch education) we need to enforce a 2FA check when the user wants to do something special (e.g. some admin functionality or view gpdr data). So normally the user logs in with e.g. Office365 via Kratos and gets access (via Hydra based on ID Token) but on some parts in the application we need to dynamically ask for a MFA (e.g. totp).

I can retrieve the "amr" values in the ID Token when the user has done an AAL2 login somehow, so that's not the problem:

I tried different kind of extra parameters to the "auth" call, like "acr_values=2", "aal=aal2":

But these params are not handled, so the Kratos redirect stays the same (no "aal" value):

Describe your ideal solution

The workaround (see below) feels weird of course: is there an other/better way to do this?

Or can Hydra be extended with a "acr_values" parameter:

Or with "amr_values" likes Microsoft:

Or maybe pass the "aal=aal2" parameter to Kratos?

Workarounds or alternatives

The only way I could get it working (locally) was using 2 Hydra instances:

  1. a normal one, with normal config: 
    urls:
self:
issuer: http://localhost:4444
consent: http://localhost:4455/consent
login: http://localhost:4455/login
  2. and a second one, using the same Hydra database and connected to the same Kratos instance, but with an extra AAL login parameter: 
    
serve:
admin:
port: 4442  # different port than default 4445
public:
port: 4443 # different port than default 4444

urls: self: issuer: http://localhost:4443 consent: http://localhost:4455/consent login: http://localhost:4455/login?aal=aal2 # enforce 2FA!



So the application initially requests an ID token using Hydra#1 and when the user wants to do some admin stuff it will request an ID token using Hydra#2 (and checks the "amr" claim of the JWT).

### Version

oryd/hydra:v2.2

### Additional Context

_No response_
andremussche commented 11 months ago

Maybe this is an option too: instead of a separate instance, make it configurable per client: https://github.com/ory/hydra/issues/3205

vinckr commented 11 months ago

Have you seen this: https://www.ory.sh/docs/kratos/mfa/step-up-authentication

Maybe your use case would be much easier if you leave out the OAuth2 part.

What is the reason to involve Hydra? IMHO OAuth2 is overkill for most projects.

Assume we know nothing about what you are trying to do, only thing we know is that you are building a new project in education.

andremussche commented 11 months ago

@vinckr Yes I know :). We will use Kratos as a "federation" hub and the user should be able to choose between Office365 (teachers or employees of our customer), our own legacy IDP and 2 educational OIDC providers (students) so we have one single "identity" server. Our customer has several (external) web apps which needs an identity on a standardized way so they choose OIDC with PKCE. AFAIK Kratos can connect with OIDC providers but we need Hydra so others can connect to us using OIDC? For another project, we use Kratos + oauthkeeper but there we have internal apps (behind the api gateway).