friendica
/
friendica-addons
7
2
Fork 13
Code Issues 3 Pull Requests 2 Releases 16 Wiki Activity

Add an addon for password-based authentication against Keycloak. #1116

Merged
very-ape merged 1 commits from keycloakpassword into develop 2021-05-19 19:10:40 +02:00
Conversation 3 Commits 1 Files Changed 3 +169
very-ape commented 2021-05-19 01:05:19 +02:00 (Migrated from github.com)
Copy Link

My idea with this addon was to allow the user to use their Keycloak password wherever password confirmation is required in the Friendica UI, but I see that (at least in the case of the two factor UI) this is done by directly checking the user's password in the database.

Would it be possible to use the "authenticate" hook for this instead/in addition? The way that it's done now would seem to create issues with any external authentication mechanism at all, even if the addon saves a copy of the user's hashed password in Friendica's database upon authentication. For example, if I were to log in via the LDAP addon and then change my password on the LDAP side, Friendica will continue expecting my old password in these password confirmation boxes until I log out and back in. Using the "authenticate" hook instead would solve this problem of credentials getting out of sync and would prevent the user's credentials from being stored in more places than necessary, which seems a little bit better to me from a security perspective.

Edit: It seems like DI::auth()->withPassword (or some abbreviated derivative of it) instead of User::getIdFromPasswordAuthentication might do the trick, at least for the check in Module/Settings/TwoFactor/Index.php. This is work I'd be willing to do myself, if it seems good and right to y'all for me to do so.

Edit 2: Reviewing the ldapauth addon again, I see that there's actually no credential synchronization done beyond the initial user creation upon first login. So if I ever change my password in LDAP, I'll still have to manually change my password in Friendica for those "current password" boxes to stop expecting my old password. My mistake.

My idea with this addon was to allow the user to use their Keycloak password wherever password confirmation is required in the Friendica UI, but I see that (at least in the case of the two factor UI) this is done by directly checking the user's password in the database. Would it be possible to use the "authenticate" hook for this instead/in addition? The way that it's done now would seem to create issues with any external authentication mechanism at all, even if the addon saves a copy of the user's hashed password in Friendica's database upon authentication. ~~For example, if I were to log in via the LDAP addon and then change my password on the LDAP side, Friendica will continue expecting my old password in these password confirmation boxes until I log out and back in.~~ Using the "authenticate" hook instead would solve this problem of credentials getting out of sync and would prevent the user's credentials from being stored in more places than necessary, which seems a little bit better to me from a security perspective. Edit: It seems like DI::auth()->withPassword (or some abbreviated derivative of it) instead of User::getIdFromPasswordAuthentication might do the trick, at least for the check in Module/Settings/TwoFactor/Index.php. This is work I'd be willing to do myself, if it seems good and right to y'all for me to do so. Edit 2: Reviewing the ldapauth addon again, I see that there's actually no credential synchronization done beyond the initial user creation upon first login. So if I ever change my password in LDAP, I'll still have to manually change my password in Friendica for those "current password" boxes to stop expecting my old password. My mistake.
MrPetovan commented 2021-05-19 17:58:47 +02:00 (Migrated from github.com)
Copy Link

It took me a minute and a couple reads to understand the issue, but now I get it. Yes, it would be better to use the authenticate hook, if you're up for it, please go ahead.

It took me a minute and a couple reads to understand the issue, but now I get it. Yes, it would be better to use the `authenticate` hook, if you're up for it, please go ahead.
🎉 1
MrPetovan commented 2021-05-19 18:10:00 +02:00 (Migrated from github.com)
Copy Link

Does this PR depends on the work you've planned?

Does this PR depends on the work you've planned?
very-ape commented 2021-05-19 18:36:07 +02:00 (Migrated from github.com)
Copy Link

No, it's just enhanced by it. This addon works fine as it is.

No, it's just enhanced by it. This addon works fine as it is.
👍 1
MrPetovan (Migrated from github.com) approved these changes 2021-05-19 19:10:34 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
MrPetovan
Labels
Clear labels   
2018.09

   
2019.01

   
2019.03

   
2019.06

   
2019.09

   
2019.12

   
2020.03

   
2020.06

   
2020.09

   
2020.12

   
2021.03

   
2021.07

   
2021.09

   
2022.02

   
2022.06

   
2022.09

   
2022.12

   
2023.04

   
2023.05

   
2023.09

   
2024.03

   
2024.06

   
dependencies

Pull requests that update a dependency file

  
Hackathon 2021
No Label
2018.09
2019.01
2019.03
2019.06
2019.09
2019.12
2020.03
2020.06
2020.09
2020.12
2021.03
2021.07
2021.09
2022.02
2022.06
2022.09
2022.12
2023.04
2023.05
2023.09
2024.03
2024.06
dependencies
Hackathon 2021
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: friendica/friendica-addons#1116
No description provided.
Delete Branch "keycloakpassword"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?