Multi Factor Auth
- The user gets two tokens after login:
  - a shortTerm token (used for authentication on API calls)
  - a longTerm refresh-token (used to obtain a new shortTerm token)
- Both tokens carry the same base content:
  - id
  - (+ extraData from hooks)
The shortTerm token also lists which providers were used for authentication (e.g. LDAP, Facebook, email), so the client application can act on this information.
Each provider can optionally have an expiration condition:
- expiration X time after login (e.g. 30 days: a login on May 1 expires on June 1)
- expiration after X time of inactivity (e.g. 2 days: a user who refreshes every day never expires)
The longTerm token contains the providers used, each provider's login time, and the longTerm token's own creation time.
When the client calls the refresh-token API, each provider is checked and removed from both tokens if it has expired. A provider is kept only while its condition still holds:
- expiration X time after login: `'current time' - token.providers.'provider'.loginAt < 'X from config'`
- expiration after X time of inactivity: `'current time' - token.createdAt < 'X from config'`
Because `createdAt` is set to the current time on every successful refresh, the inactivity rule measures time since the last login or refresh, not since the original login.
Example: login with facebook.

shortTerm token:
```json
{ "id": "user-id-1", "providers": ["facebook"] }
```
longTerm token:
```json
{
  "id": "user-id-1",
  "createdAt": 1571256246000,
  "providers": [
    { "name": "facebook", "loginAt": 1571256246000 }
  ]
}
```
Refresh-token call (no provider has expired):

shortTerm token (not changed):
```json
{ "id": "user-id-1", "providers": ["facebook"] }
```
longTerm token (createdAt changed):
```json
{
  "id": "user-id-1",
  "createdAt": 1571256417000,
  "providers": [
    { "name": "facebook", "loginAt": 1571256246000 }
  ]
}
```
Login with ldap, passing the existing token:

shortTerm token (ldap added to providers):
```json
{ "id": "user-id-1", "providers": ["facebook", "ldap"] }
```
longTerm token (createdAt changed, and ldap added to providers):
```json
{
  "id": "user-id-1",
  "createdAt": 1571256561000,
  "providers": [
    { "name": "facebook", "loginAt": 1571256246000 },
    { "name": "ldap", "loginAt": 1571256561000 }
  ]
}
```
Config:
- ldap: expiration 1 hour after login
- google: expiration 2 hours after login

Tokens after logging in with ldap and then with google:

shortTerm token:
```json
{ "id": "user-id-1", "providers": ["ldap", "google"] }
```
longTerm token:
```json
{
  "id": "user-id-1",
  "createdAt": 1571256561000,
  "providers": [
    { "name": "ldap", "loginAt": 1571256246000 },
    { "name": "google", "loginAt": 1571256561000 }
  ]
}
```
Refresh-token call at 1571259846000, exactly 1 hour after the ldap login, so the ldap condition (current time - loginAt < 1 hour) no longer holds:

shortTerm token (ldap removed from providers):
```json
{ "id": "user-id-1", "providers": ["google"] }
```
longTerm token (createdAt changed, ldap removed from providers):
```json
{
  "id": "user-id-1",
  "createdAt": 1571259846000,
  "providers": [
    { "name": "google", "loginAt": 1571256561000 }
  ]
}
```
Refresh-token call once google has expired too (2 hours after its login):

ERROR 401, because zero providers are left.
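The refresh-token expiration rules, the "login with an existing token" step and the core API's provider requirement, as an added example in JavaScript. This is not the project's own code: the config shape (`afterLogin` / `inactivity` in milliseconds), the function names and the user-id check on the existing token are assumptions; only the two expiration rules, the token layouts and the timestamps come from this page.

```javascript
// Added example (not the project's own code): the refresh-token expiration rules
// described above, "login with an existing token" (adding a second provider), and
// the core API's optional multi-auth check. Times are epoch milliseconds, as in the
// page's tokens. The config shape and function names are assumptions.
const MS_PER_HOUR = 3600 * 1000;
const MS_PER_DAY = 24 * MS_PER_HOUR;

// Assumed per-provider config: `afterLogin` = expire X ms after the provider login,
// `inactivity` = expire after X ms without a refresh. Either, both, or none.
const providerConfig = {
  ldap: { afterLogin: 1 * MS_PER_HOUR },
  google: { afterLogin: 2 * MS_PER_HOUR },
  facebook: { inactivity: 2 * MS_PER_DAY },
  email: {},
};

class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
    this.status = 401;
  }
}

// A provider survives a refresh only while every configured condition still holds.
// The comparison is a strict '<', so a provider whose deadline is exactly `now` is dropped.
function providerStillValid(entry, tokenCreatedAt, now) {
  const cfg = providerConfig[entry.name] || {};
  if (cfg.afterLogin !== undefined && !(now - entry.loginAt < cfg.afterLogin)) return false;
  // createdAt is reset on every refresh, so this measures time since the last refresh.
  if (cfg.inactivity !== undefined && !(now - tokenCreatedAt < cfg.inactivity)) return false;
  return true;
}

function toShortTerm(longTerm) {
  return { id: longTerm.id, providers: longTerm.providers.map((p) => p.name) };
}

// Login with one provider. With `existingLongTerm` the provider is added to that
// token's list (second/third/... provider). Refusing a token that belongs to another
// user id is an added safeguard, not a rule stated on the page.
function login(providerName, userId, now, existingLongTerm = null) {
  if (existingLongTerm && existingLongTerm.id !== userId) {
    throw new UnauthorizedError('existing token belongs to a different user');
  }
  const kept = existingLongTerm
    ? existingLongTerm.providers.filter((p) => p.name !== providerName)
    : [];
  const longTerm = {
    id: userId,
    createdAt: now,
    providers: [...kept, { name: providerName, loginAt: now }],
  };
  return { shortTerm: toShortTerm(longTerm), longTerm };
}

// refresh-token API: drop expired providers, reset createdAt, 401 when none is left.
function refresh(longTerm, now) {
  const providers = longTerm.providers.filter((p) => providerStillValid(p, longTerm.createdAt, now));
  if (providers.length === 0) throw new UnauthorizedError('all providers expired');
  const newLongTerm = { id: longTerm.id, createdAt: now, providers };
  return { shortTerm: toShortTerm(newLongTerm), longTerm: newLongTerm };
}

// Core API check for a route configured with e.g. "ldap,totp": every listed provider
// must be present in the shortTerm token the request was authenticated with.
function hasRequiredProviders(shortTerm, requiredList) {
  const required = requiredList.split(',').map((s) => s.trim()).filter(Boolean);
  return required.every((name) => shortTerm.providers.includes(name));
}

// Replay the page's ldap + google scenario with its own timestamps.
const step1 = login('ldap', 'user-id-1', 1571256246000);
const step2 = login('google', 'user-id-1', 1571256561000, step1.longTerm);
const afterRefresh = refresh(step2.longTerm, 1571259846000); // ldap is exactly 1 h old: removed
console.log(JSON.stringify(afterRefresh.shortTerm)); // {"id":"user-id-1","providers":["google"]}
```

The tokens are plain objects here. In the real service they are signed, and both the refresh-token endpoint and the core API must verify the signature before reading `providers`: that list is the only thing separating a single-provider session from a route that requires `ldap,totp`, so it must never be taken from client-supplied input.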
Tasks:
- add createdAt to the longTerm token
- add providers to the shortTerm and longTerm tokens
- auth service login: improve with an optional existing token (login with a second/third/etc. provider)
- improve the providers api to login with an existing token
- auth service register: improve with an optional existing token (register with a second/third/etc. provider)
- improve the providers api to register with an existing token
- add the expiration logic to the refresh-token api
- core api optionally requires multi auth (from config, e.g. ldap,totp: access only when the token has both ldap and totp)