How to use with for tfa (two factor authentication aka 2fa)

Created on 18 August 2021, over 3 years ago
Updated 1 August 2024, 5 months ago

Problem/Motivation

drupalauth4ssp assumes that a user will be logged in immediately after submitting the user/login form.
This assumption is incompatible with 2-factor authentication via tfa module, which redirects the user/login submit to an interstitial page to complete its identity verification before finalizing authentication.

Is there some switch or configuration option I can implement, or does this require a deeper patch?

✨ Feature request
Status

Needs review

Version

2.0

Component

Code

Created by

United States AaronBauman Philadelphia


Comments & Activities


  • Netherlands tvoesenek

    This is a re-roll of #4, based on Automated Drupal 10 compatibility fixes (Needs review)

  • Netherlands johan_vm Tilburg

    This is a re-roll of #5, based on 2.0.0-rc1

  • United States rex.barkdoll

    I'm on the 1.4 version of the module on D9, preparing for an upgrade to D10. I've applied the latest patch (#6); the previous ones wouldn't apply.

    When I complete the TFA verification, the SAML request does not return me to the SP, it leaves me on the IDP's home page.

    Is there a way to complete the SAML loop and return to the SP with the proper credentials?

    I'm also noticing that after I've logged in, when I go to the SP again, it hasn't received the credentials and I have to click on the login link again to authenticate. Since I'm already logged in, it works - but it's a little annoying to go through that twice.

    SOOOOO much appreciation for all the hard work that's gone into this module.

    Also, if people aren't experiencing this same breakage in the 2.x version, I'm happy to upgrade to D10 and retest then.

  • New Zealand RoSk0 Wellington

    Thanks for the effort Team!

    I took the patch from #6 and modified it a bit. The most important change is that the redirect to the service provider after login and TFA entry now works.

    Updated code is in the https://git.drupalcode.org/project/drupalauth4ssp/-/merge_requests/10 merge request. For convenience I am attaching the patch with the changes here as well.

    This was tested on D10.3, PHP 8.1 and Apache.

    I would really appreciate if people can test the patch on their set ups as that would give better coverage, and provide feedback here sooner rather than later.

  • Assigned to RoSk0
  • Status changed to Needs work 6 months ago
  • New Zealand RoSk0 Wellington

    There is still some work to be done here to properly support TFA - it already works fine when set up fully, including users, but during the rollout there will be a time when users are already enforced to have TFA but haven't set it up yet. During this period, if they are allowed to skip TFA, they will, until the allowed number of skips is used.

    Looking into how to support both, normal and rollout periods.

  • Issue was unassigned.
  • Status changed to Needs review 6 months ago
  • New Zealand RoSk0 Wellington

    Updated the merge request to support rollout scenarios. Following are test cases I used:

    ## Test cases
    
    ### IDP first
    
    - [x] TFA not required and not set up
      - [x] registration
      - [x] log in
    - [x] TFA not required and set up - logged in using TFA
    - [x] TFA required and not set up
      - [x] password reset
      - [x] log in
    - [x] TFA required and set up - logged in using TFA
    
    ### SP first
    
    - [x] TFA not required and not set up on SP1
    - [x] TFA not required and set up - logged in using TFA on SP2
    - [x] TFA required and not set up - logged in on SP1 and redirect to TFA setup as only one skip was allowed, saw `Your login in flow was interrupted to set up TFA` message. Set up TFA, clicked the link and landed on the SP1
    - [x] TFA required and set up - logged in using TFA
    
    
  • New Zealand RoSk0 Wellington

    Patch for testing.

  • New Zealand RoSk0 Wellington

    Found a problem with a fallback redirect. Raised a core issue for it: Using LocalRedirectResponse with "" URL in controller results in LogicException (Active).

    Updated merge request https://git.drupalcode.org/project/drupalauth4ssp/-/merge_requests/10 and attaching new patch.

  • New Zealand RoSk0 Wellington

    Addressing feedback after initial user testing:

    • showing the message allowing a user to return to the service provider only after TFA was set up
    • improving wording
    • clean up session after TFA entry

    Attaching the patch from the latest version of the merge request https://git.drupalcode.org/project/drupalauth4ssp/-/merge_requests/10 .

  • New Zealand RoSk0 Wellington

    Previous patch version fails to apply for some reason...

    Attaching the patch from the same commit, but with code only changes.
