MON - 28th NOV 2016

[veris-ankitpopli]

Ref #11

:rocket: MFA

• deux & django-two-factor-auth both provide separate authentication URLs to enable MFA.
• deux
  • :+1: has twilio integration & extendible interfaces to support multiple MFAs.
  • :+1: has DRF support.

• django-two-factor-auth

  • :-1: tied with django sessions. Will have to wire it up with DRF.

  • :+1: better documentation as compared to deux :point_up_2:

  • :+1: gives end to end flow for MFA. (:+1: :+1: for reference, even if we decide not to use this.)

  • :+1: includes Google Authenticator/Authy support based on TOTP

  • pyotp - if none of the above :point_up_2: fits well, :point_left: should come in handy.

:thinking: X-HTTP-MFA header (as suggested by @peeyush-tm) makes much more sense than providing separate auth URLs :disappointed: :thinking: Get started with Veris Lock :wink: (Login Widget) and test MFA :point_up_2:.

[veris-ankitpopli]

:question::question: TechM & E&Y buys Veris services. Both configure the lock in a similar way:

1. Google ID provider
2. Google Authenticator as MFA.

Assumption: User configured Google Authenticator when E&Y added him as a member.

• User reaches TechM and signs in. Can he use the same Authenticator he configured for identification ?

[veris-neerajdhiman]

• Integrated all-auth & rest-auth .

• :smirk: Looked for enabling same providers per different organization.

  • There are two ways of doing this.

  • django Site framework

    • User all-auth package as it is (they user multi-site functionality of Django to enabling the same).
    • whenever an organization add any provider create a domain for that org and add provider accordingly.
    • Create 1:1 relation between provider and organization, org-domain we have issued.
    • Now if issue every organization their domain names (which we created) then everything will work well. no hooks need :bowtie: .
    • If don't issue any custom domain to organizations and they access veris via same domain (say enterprise.veris.in) then we have to write a hook :fearful: (probably a middle-ware) which will change the domain based on organization in request on the fly so that all auth can select appropriate provider for that organization.

  • Fork and override all auth :scream:

    • over ride the way with which all auth is selecting the social provider, they are using current side for this , if we add organization filter with that then our problem will be resolved.
    • In this case we need 1:1 relation between organization and provider.

So tomorrow will be the judgement day :mortar_board: , If we didn't select the best way then get ready for :bamboo:

[veris-amoghbanta]

😤 https://branch.io/ {tried it for app links and deep linking but it's server stopped in between (really bad uptime)} 🚀 LinkingIOS for react native

[veris-abhinavanand]

Links are dynamic now, changing as per idp. Integrated branch.io (deep linking working fine, app links not working as expected on android 6.0+)

[peeyush-tm]

Next UP - multiple organizations, would use the same widget, to serve their members with separate processes.