This repository has been archived by the owner on Jun 23, 2021. It is now read-only.

Support the privacyIDEA Push Token #31

cornelinux opened this issue Feb 6, 2020 · 5 comments

@cornelinux
Contributor

For a while now the privacyIDEA Push Token has been around; it allows easy authentication via a push message (after a complex setup has been done).
We already added the push functionality to the ownCloud plugin, and I am not sure about Keycloak? SimpleSAMLphp?

It would be nice, if the ADFS plugin also provided this possibility.

Interesting reads are here:

https://privacyidea.readthedocs.io/en/latest/configuration/authentication_modes.html
https://privacyidea.readthedocs.io/en/latest/configuration/tokens/push.html#push-token
https://github.com/privacyidea/privacyidea/wiki/concept%3A-PushToken

I am happy to assist in any way.

@sbidy sbidy self-assigned this Feb 6, 2020
@sbidy sbidy added this to the 1.6.4 milestone Feb 10, 2020
@sbidy
Owner

sbidy commented Feb 10, 2020

@cornelinux from an API perspective the trigger will be the same as for the Mail or SMS token? (https://privacyidea.readthedocs.io/en/latest/modules/api/validate.html#post--validate-triggerchallenge)

In this case the implementation is still there.
Please correct me if I'm wrong 😄

In the next days I'll extend my test environment with this token type.

@cornelinux
Contributor Author

Yes, SMS and Email work the same. Either trigger with an admin and triggerchallenge or trigger by user with a PIN. But for the workflow they are completely the same.

@splumhoff

splumhoff commented Apr 21, 2020

I've tested it in our environment, works perfectly. After the user has entered the credentials and clicked next, the Push-Token is initiated. The following token input form can then just be submitted with an empty input.
If the user has more than one token assigned (TOTP and HOTP in my test cases), the respective OTP can also be entered if the Push-Token is unavailable.

As discussed in #2, an admin user is currently required to issue the Push-Token. From my point of view that behavior is correct, as the Push-Token has to be initiated via /validate/triggerChallenge in BeginAuthentication (before the OTP form appears), since a call to /validate/check without admin credentials and without a user password would register a failed login attempt. @cornelinux is this correct?
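
The two-step flow described in this thread (admin-triggered challenge in BeginAuthentication, then the OTP form polling the same transaction with an empty pass, or answering it with an HOTP/TOTP value as fallback), as an added Python example that is not part of the ADFS plugin or privacyIDEA. The transport is injected as a callback and the server responses are a constructed stand-in shaped like the documented /validate/triggerchallenge and /validate/check bodies; the base URL, admin token string and transaction id are assumptions.

```python
from typing import Callable, Dict, Optional

# Transport callback (url, headers, form) -> parsed JSON body. Injected so the
# flow runs offline here; the plugin would do an HTTPS POST to privacyIDEA.
Poster = Callable[[str, Dict[str, str], Dict[str, str]], dict]
TX = "0123456789ABCDEF"  # constructed transaction_id used by the fake server


def trigger_push(post: Poster, base_url: str, admin_token: str,
                 user: str, realm: Optional[str] = None) -> str:
    """BeginAuthentication: admin token calls /validate/triggerchallenge."""
    form = {"user": user}
    if realm:
        form["realm"] = realm
    resp = post(f"{base_url}/validate/triggerchallenge",
                {"Authorization": admin_token}, form)
    if not resp.get("result", {}).get("status"):
        raise RuntimeError("triggerchallenge request failed")
    transaction_id = resp.get("detail", {}).get("transaction_id")
    if not transaction_id:  # user has no challenge-response token
        raise RuntimeError("no challenge was triggered for this user")
    return transaction_id


def check_challenge(post: Poster, base_url: str, user: str,
                    transaction_id: str, otp: str = "") -> bool:
    """OTP form: empty pass polls the push confirmation, a non-empty pass
    answers the same transaction with an HOTP/TOTP value instead."""
    form = {"user": user, "transaction_id": transaction_id, "pass": otp}
    result = post(f"{base_url}/validate/check", {}, form).get("result", {})
    return bool(result.get("status")) and bool(result.get("value"))


def make_fake_server(confirm_after: int) -> Poster:
    """Constructed privacyIDEA stand-in: push counts as confirmed after
    `confirm_after` empty polls; OTP 123456 is accepted; wrong tx fails."""
    polls = [0]

    def post(url: str, headers: Dict[str, str], form: Dict[str, str]) -> dict:
        if url.endswith("/validate/triggerchallenge"):
            if headers.get("Authorization") != "ADMIN-TOKEN":
                return {"result": {"status": False, "value": False}}
            return {"result": {"status": True, "value": False},
                    "detail": {"transaction_id": TX,
                               "multi_challenge": [{"serial": "PIPU0001"}]}}
        if form.get("transaction_id") != TX:
            return {"result": {"status": True, "value": False}}
        if form.get("pass") == "":
            polls[0] += 1
            return {"result": {"status": True, "value": polls[0] >= confirm_after}}
        return {"result": {"status": True, "value": form.get("pass") == "123456"}}
    return post
```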

@cmammoli

cmammoli commented May 8, 2020

I've tested it in our environment, works perfectly. After the user has entered the credentials and clicked next, the Push-Token is initiated. The following token input form can then just be submitted with an empty input.

I can confirm it works, but having to submit an empty string is not very intuitive from an end user perspective IMHO

@splumhoff

I can confirm it works, but having to submit an empty string is not very intuitive from an end user perspective IMHO

That's true, but what could be an alternative?

If the current user has exactly one token of type "Push", you could hide the text input in the submit form. As far as I understand, the API function TriggerChallenge is called, but according to https://privacyidea.readthedocs.io/en/latest/modules/api/validate.html it does not return the types of the tokens which are assigned to the user. Without knowing the types, it does not seem possible to decide whether the text input should be shown or not.

@sbidy sbidy modified the milestones: 1.3.7, 1.3.8 May 20, 2020