search

owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0
8.38k stars 2.05k forks source link

[WIP] Rework authentication code #30169

Open butonic opened 6 years ago

butonic commented 6 years ago

In deployments that allow passwerd/ldap based login and SSO via SAML we currently recommend to set up oc with password based login under /owncloud and SAML protected login under /oc-shib. That is bullshit because links generated when accessing the site via saml will contain the /oc-shib part, which prevents access to the share link without going through SAML. Setting overwrite.cli.url does not fix that (and is not intended for that).

I would be great to expose different factors under different urls, eg:

We could extend the existing OCP\Authentication\TwoFactorAuth\IProvider2, currently using urls like /login/challenge/totp

Instead of checking if twofactor is enabled I propose to look at how pam allows configuring the auth. A login via saml or pwd & sms could be configured like this:

'auth.factors' => [ // order is important ... or we store this inside the db
  'pwd' => 'required',
  'sms' => 'required',
  'saml' => 'sufficient'
],

After entering the login on /login the user will be redirected to /login/challenge/pwd to enter his password, then to /login/challenge/sms to enter a pin that was send via sms. The /login route can detect if a saml session is present and redirect the user to /login/challenge/saml which is a saml protected endpoint. This might even be done by apache to reflect the desired auth behavior (eg saml in the internal network, pwd+sms from outside)

Login via saml or password like this:

'auth.factors' => [
  'pwd' => 'sufficient',
  'saml' => 'sufficient'
],

It should be possible to directly use a url like /login/challenge/pwd?login=alice@example.org to fill in the user without having to go through the login page. This allows other systems like an F5 firewall do preauthenticate users and then directly invoke a certain factor.

Related

Questions

What about autoprovisioning upon first login?

What about matedata sync?

Scenarios

Log in via SAML with autoprovisioning

saml is required. no pwd based auth.

  1. saml token contains email. email is looked up in the account table. corresponding user is logged in.
  2. saml token contains userid. userid is looked up in the account table. corresponding user is logged in.

Log in LDAP user via SAML

saml is sufficient. pwd based auth against ldap possible as well.

  1. saml token contains email. email is looked up in the account table? directly in ldap? corresponding user is logged in. metadata is updated from ldap
  2. saml token contains userid. userid is looked up in ldap. returns a userid. corresponding user is logged in. -> userid lookups should happen directly with ldap to allow login with email, even if it was changed and differs from the account table, so that login and sync is still possible

Log in LDAP user via SAML or autoprovision

saml is sufficient. pwd based auth against ldap possible as well. if no ldap user is found it will be autoprovisioned

  1. saml token contains userid, email and displayname. email is looked up in ldap. returns a userid. corresponding user is logged in. metadata is updated from ldap
  2. saml token contains userid, email and displayname. email is looked up in ldap. not found. is looked up in account table? or directly in saml? corresponding user is logged in. metadata is updated from saml token

Log in user via Facebook or Twitter

'auth.factors' => [
  'facebook' => 'sufficient'
  'twitter' => 'sufficient'
],

show alternate login buttons on /login because no login needs to be entered, really or can that be the fb / twitter login which is then used to prefill the login requests for fb/twitter? might make sense if admin allows login via fb and user opted in to that so he enters his login and then is forwarded to /login/challenges/facebook instead of /login/challenges/pwd if fb fails he is forwarded to the pwd challenge as a fallback. What about the userid that fb / twitter provide. we need to tie that to the account. each factor needs his own mapping to an account. -> an oc_account_auth table with (accountid bigint, factor varchar 10, login varchar 255, lastlogin datetime) with a uniqe index on the first three columns

Log in user via Facebook or Twitter as the second factor

'auth.factors' => [
  'pwd' => 'required',
  'facebook' => 'required?'
  'twitter' => 'required?'
],

Hm noticing that a simple list is not good enough. how should the admin specify that he wants users to use twitter OR facebook OR an email token as a second factor? Present the user with the additional auth sources so he can choose?

Benefits:

ownclouders commented 6 years ago

GitMate.io thinks the contributor most likely able to help you is @PVince81.

butonic commented 6 years ago

hm. we could solve this for apps like user_shibboleth by making it provide a login endpoint at eg. oc.example.com/apps/user_shibboleth/auth. In the apache config we could then redirect unauthenticated users from the internal network to that endpoint. in addition to https://github.com/owncloud/documentation/blob/918fc44c1dc956d32c5d016f5428521a6a9b0d60/admin_manual/enterprise/user_management/user_auth_shibboleth.rst#apache-configuration we could do a redirect to that endpoint.

cc @dercorn @tomneedham

PVince81 commented 6 years ago

no activity, moving to backlog

we should decide when we want to actively work on this and schedule some time