unity-idm-discuss

[Unity-idm-discuss] enforcing 2FA

[Sander A. <sa....@fz...>]

Hi Krzysztof, hi Roman
we are planning to enforce 2FA on /home endpoint. Can you confirm that
Oauth admins would need to enter second factor if they log in at this
endpoint with the client credentials but the normal authentication of
the client in Authorization code flow is not effected.

Best regards,
Sander

-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Stefan Müller
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Dr. Ir. Pieter Jansens,
Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
-----------------------------------------------------------------------

Re: [Unity-idm-discuss] enforcing 2FA

[Krzysztof B. <kb...@un...>]

Hi Sander,

W dniu 30.05.2023 o 13:06, Sander Apweiler pisze:
> Hi Krzysztof, hi Roman
> we are planning to enforce 2FA on /home endpoint. Can you confirm that
> Oauth admins would need to enter second factor if they log in at this
> endpoint with the client credentials but the normal authentication of
> the client in Authorization code flow is not effected.

It depends on details of your setup. Can you provide your envisioned 
realms setup and what is the assignment of home and oauth endpoints to 
realms?

Best,
Krzysztof

Re: [Unity-idm-discuss] enforcing 2FA

[Sander A. <sa....@fz...>]

Hi Krzysztof,
we are just using two realms. The adminRealm for console endpoint and
the defaultRealm for all other endpoints. But we could create a third
one dedicated to the home endpoint for the oauth clients.

Best regards,
Sander

On Wed, 2023-05-31 at 11:09 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
> 
> W dniu 30.05.2023 o 13:06, Sander Apweiler pisze:
> > Hi Krzysztof, hi Roman
> > we are planning to enforce 2FA on /home endpoint. Can you confirm
> > that
> > Oauth admins would need to enter second factor if they log in at
> > this
> > endpoint with the client credentials but the normal authentication
> > of
> > the client in Authorization code flow is not effected.
> 
> It depends on details of your setup. Can you provide your envisioned 
> realms setup and what is the assignment of home and oauth endpoints
> to 
> realms?
> 
> Best,
> Krzysztof
> 
> 
> 
> 
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Stefan Müller
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Dr. Ir. Pieter Jansens,
Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
-----------------------------------------------------------------------

Re: [Unity-idm-discuss] enforcing 2FA

[Krzysztof B. <kb...@un...>]

Hi,

W dniu 31.05.2023 o 11:30, Sander Apweiler pisze:
> Hi Krzysztof,
> we are just using two realms. The adminRealm for console endpoint and
> the defaultRealm for all other endpoints. But we could create a third
> one dedicated to the home endpoint for the oauth clients.

Hm. So what are the two flows in which you expect to have different authN?

Let's say you create one realm for the Home endpoint. This realm will 
require MFA. Then all users accessing this endpoint will need to 
authenticate with MFA. That is easy. But I still don't understand your 
setup.

I don't know what do you mean by "normal authentication of the client in 
AuthZ code flow".  Please be more verbose. What are the authn options? 
Wat are the endpoints in question (just /home or /home and OAuth IdP?)?


Krzysztof

> Best regards,
> Sander
>
> On Wed, 2023-05-31 at 11:09 +0200, Krzysztof Benedyczak wrote:
>> Hi Sander,
>>
>> W dniu 30.05.2023 o 13:06, Sander Apweiler pisze:
>>> Hi Krzysztof, hi Roman
>>> we are planning to enforce 2FA on /home endpoint. Can you confirm
>>> that
>>> Oauth admins would need to enter second factor if they log in at
>>> this
>>> endpoint with the client credentials but the normal authentication
>>> of
>>> the client in Authorization code flow is not effected.
>> It depends on details of your setup. Can you provide your envisioned
>> realms setup and what is the assignment of home and oauth endpoints
>> to
>> realms?
>>
>> Best,
>> Krzysztof
>>
>>
>>
>>
>> _______________________________________________
>> Unity-idm-discuss mailing list
>> Uni...@li...
>> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss