Posted to users@jena.apache.org by "Kruiger, J.F. (Han)" <ha...@tno.nl.INVALID> on 2021/04/12 13:25:41 UTC

Multifactor authentication in Fuseki

Hi there,

I'm looking for a solution to have multifactor authentication (MFA) in Fuseki.

I'm pretty sure this lies outside of the scope of Apache Jena, but perhaps Fuseki's UI should be able to be compatible with it at some point in the future.

I have found a potential solution to get multifactor authentication to work in Shiro: http://shiro-user.582556.n2.nabble.com/MFA-Possible-Solution-td7581444.html
TLDR; they use 2 Shiro realms, and a login can only succeed if both realms allow it.

However, if we were to keep using Fuseki's UI, this will break, since it only asks for a username and password.

Is there a (not too hacky) way to customize Fuseki's UI so that it can ask the user for more authentication details? And perhaps to add pages for user registration with one-time passwords to set up the MFA.

What are your thoughts on this? Any suggestion is welcome.

Best,
Han
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. TNO accepts no liability for the content of this e-mail, for the manner in which you use it and for damage of any kind resulting from the risks inherent to the electronic transmission of messages.


Re: Multifactor authentication in Fuseki

Posted by "Kruiger, J.F. (Han)" <ha...@tno.nl.INVALID>.
Hi Rob & Andy,

Thanks a lot for the suggestions!

Best,
Han
________________________________________
From: Andy Seaborne <an...@apache.org>
Sent: Monday 12 April 2021 22:19:33
To: users@jena.apache.org
Subject: Re: Multifactor authentication in Fuseki

On 12/04/2021 15:50, Rob Vesse wrote:
> Han
>
> The general approach to this kind of complex sign-on scenario would be to use an external authentication service/protocol e.g. OAuth2/OpenID Connect which handles the multi-factor authentication and then configure your application's authentication layer to just validate the JSON Web Tokens (JWTs) that assert a user's identity.
>
> Shiro out of the box does not have OAuth2 integration, this tutorial post - https://dzone.com/articles/how-to-use-apache-shiro-and-oauth-20-to-build-a-se - looks like a possible approach and refers to https://github.com/oktadeveloper/okta-shiro-plugin as a plugin to provide this capability.
>
> So my recommendation would be to provide your own separate OAuth2 compliant authentication server (try JBoss Keycloak if you're looking for an OSS solution) and then add validation of its tokens into your Fuseki setup.
>
> Rob

1/
A way to interface to an external authentication service is to use a
reverse proxy (RP) and have Fuseki only talk to the proxy. Then the RP
is the user access point and can be any webserver (Apache httpd, nginx,
...) which may give you a wider range of auth solutions.

2/
Fuseki accepts a Jetty XML configuration file to build the server so
that's another approach.

     Andy

>
>
> On 12/04/2021, 14:26, "Kruiger, J.F. (Han)" <ha...@tno.nl.INVALID> wrote:
>
>      Hi there,
>
>      I'm looking for a solution to have multifactor authentication (MFA) in Fuseki.
>
>      I'm pretty sure this lies outside of the scope of Apache Jena, but perhaps Fuseki's UI should be able to be compatible with it at some point in the future.
>
>      I have found a potential solution to get multifactor authentication to work in Shiro: http://shiro-user.582556.n2.nabble.com/MFA-Possible-Solution-td7581444.html
>      TLDR; they use 2 Shiro realms, and a login can only succeed if both realms allow it.
>
>      However, if we were to keep using Fuseki's UI, this will break, since it only asks for a username and password.
>
>      Is there a (not too hacky) way to customize Fuseki's UI so that it can ask the user for more authentication details? And perhaps to add pages for user registration with one-time passwords to set up the MFA.
>
>      What are your thoughts on this? Any suggestion is welcome.
>
>      Best,
>      Han

Re: Multifactor authentication in Fuseki

Posted by Andy Seaborne <an...@apache.org>.

On 12/04/2021 15:50, Rob Vesse wrote:
> Han
> 
> The general approach to this kind of complex sign-on scenario would be to use an external authentication service/protocol e.g. OAuth2/OpenID Connect which handles the multi-factor authentication and then configure your application's authentication layer to just validate the JSON Web Tokens (JWTs) that assert a user's identity.
> 
> Shiro out of the box does not have OAuth2 integration, this tutorial post - https://dzone.com/articles/how-to-use-apache-shiro-and-oauth-20-to-build-a-se - looks like a possible approach and refers to https://github.com/oktadeveloper/okta-shiro-plugin as a plugin to provide this capability.
> 
> So my recommendation would be to provide your own separate OAuth2 compliant authentication server (try JBoss Keycloak if you're looking for an OSS solution) and then add validation of its tokens into your Fuseki setup.
> 
> Rob

1/
A way to interface to an external authentication service is to use a
reverse proxy (RP) and have Fuseki only talk to the proxy. Then the RP
is the user access point and can be any webserver (Apache httpd, nginx,
...) which may give you a wider range of auth solutions.

2/
Fuseki accepts a Jetty XML configuration file to build the server so 
that's another approach.

     Andy

> 
> 
> On 12/04/2021, 14:26, "Kruiger, J.F. (Han)" <ha...@tno.nl.INVALID> wrote:
> 
>      Hi there,
> 
>      I'm looking for a solution to have multifactor authentication (MFA) in Fuseki.
> 
>      I'm pretty sure this lies outside of the scope of Apache Jena, but perhaps Fuseki's UI should be able to be compatible with it at some point in the future.
> 
>      I have found a potential solution to get multifactor authentication to work in Shiro: http://shiro-user.582556.n2.nabble.com/MFA-Possible-Solution-td7581444.html
>      TLDR; they use 2 Shiro realms, and a login can only succeed if both realms allow it.
> 
>      However, if we were to keep using Fuseki's UI, this will break, since it only asks for a username and password.
> 
>      Is there a (not too hacky) way to customize Fuseki's UI so that it can ask the user for more authentication details? And perhaps to add pages for user registration with one-time passwords to set up the MFA.
> 
>      What are your thoughts on this? Any suggestion is welcome.
> 
>      Best,
>      Han

Re: Multifactor authentication in Fuseki

Posted by Rob Vesse <rv...@dotnetrdf.org>.
Han

The general approach to this kind of complex sign-on scenario would be to use an external authentication service/protocol e.g. OAuth2/OpenID Connect which handles the multi-factor authentication and then configure your application's authentication layer to just validate the JSON Web Tokens (JWTs) that assert a user's identity.

Shiro out of the box does not have OAuth2 integration, this tutorial post - https://dzone.com/articles/how-to-use-apache-shiro-and-oauth-20-to-build-a-se - looks like a possible approach and refers to https://github.com/oktadeveloper/okta-shiro-plugin as a plugin to provide this capability.

So my recommendation would be to provide your own separate OAuth2 compliant authentication server (try JBoss Keycloak if you're looking for an OSS solution) and then add validation of its tokens into your Fuseki setup.

Rob


On 12/04/2021, 14:26, "Kruiger, J.F. (Han)" <ha...@tno.nl.INVALID> wrote:

    Hi there,

    I'm looking for a solution to have multifactor authentication (MFA) in Fuseki.

    I'm pretty sure this lies outside of the scope of Apache Jena, but perhaps Fuseki's UI should be able to be compatible with it at some point in the future.

    I have found a potential solution to get multifactor authentication to work in Shiro: http://shiro-user.582556.n2.nabble.com/MFA-Possible-Solution-td7581444.html
    TLDR; they use 2 Shiro realms, and a login can only succeed if both realms allow it.

    However, if we were to keep using Fuseki's UI, this will break, since it only asks for a username and password.

    Is there a (not too hacky) way to customize Fuseki's UI so that it can ask the user for more authentication details? And perhaps to add pages for user registration with one-time passwords to set up the MFA.

    What are your thoughts on this? Any suggestion is welcome.

    Best,
    Han
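The token-validation step Rob describes (validating the JWTs that an external OAuth2/OIDC server issues once it has done the multi-factor login) is the same check whether it runs inside Fuseki's auth layer or in the reverse proxy Andy proposes in front of Fuseki. The following is an added example written for this archive page; it is not code from this thread, from Apache Jena, or from Shiro/Keycloak. It is a stdlib-only Python validator for a compact JWS signed with HS256 (a shared secret), chosen so that it runs offline; the issuer URL, audience, secret and clock values are all constructed for the example. An OIDC provider such as Keycloak normally signs with RS256 and publishes its public keys at a JWKS endpoint, so in a real deployment the signature line would be a library's RSA verification against those keys; the claim checks shown here (algorithm allow-list, signature before anything else, exp, nbf, iss, aud) are what carry over unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only (no real deployment behind them).
SHARED_SECRET = b"example-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.org/realms/fuseki"  # hypothetical Keycloak realm URL
EXPECTED_AUDIENCE = "fuseki"                                # client id the token must be minted for
ALLOWED_ALG = "HS256"


def _b64url_decode(data: str) -> bytes:
    """Base64url-decode without padding, the encoding JWTs use (RFC 7515)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def example_claims(now: int) -> dict:
    """Claims an IdP would put in an access token for user 'han' (constructed)."""
    return {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "han",
            "iat": now - 60, "nbf": now - 60, "exp": now + 300}


def mint_token(claims: dict, secret: bytes = SHARED_SECRET, alg: str = "HS256") -> str:
    """Build a compact JWS as test input. alg='none' produces an unsigned token so the
    validator's rejection path can be exercised; a real issuer would never do that."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now=None, secret: bytes = SHARED_SECRET) -> dict:
    """Return the verified claims or raise ValueError naming the failed check.
    Order matters: structure, algorithm allow-list, signature, then time/iss/aud claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as e:  # binascii.Error and JSONDecodeError are both ValueErrors
        raise ValueError("undecodable token segment") from e
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header or payload is not a JSON object")
    # The configured algorithm is the only acceptable one; the token's own header must not
    # be allowed to choose it, which is how 'alg: none' downgrades are refused.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    # Claims are trusted only after the signature held.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def decision(token: str, now=None) -> str:
    """What a proxy auth subrequest or a Fuseki-side filter would act on: allow/deny + reason."""
    try:
        claims = validate_token(token, now)
    except ValueError as e:
        return "deny: " + str(e)
    return "allow: " + str(claims.get("sub"))


if __name__ == "__main__":
    now = 1_700_000_000
    good = mint_token(example_claims(now))
    forged_payload = _b64url_encode(json.dumps({**example_claims(now), "sub": "admin"}).encode())
    tampered = good.split(".")[0] + "." + forged_payload + "." + good.split(".")[2]
    for label, tok, t in [("valid", good, now), ("expired", good, now + 400),
                          ("alg none", mint_token(example_claims(now), alg="none"), now),
                          ("tampered", tampered, now),
                          ("wrong aud", mint_token({**example_claims(now), "aud": "other"}), now)]:
        print(label.ljust(10), decision(tok, t))
```

The `decision` function is the piece either deployment shape would call: in Andy's layout the reverse proxy runs it (or an equivalent) per request and forwards to Fuseki only on "allow", so Fuseki never sees an unauthenticated caller; in Rob's layout the same logic sits in the Shiro/servlet filter chain. Logging the deny reason, as the function returns it, is what makes expired-token floods or algorithm-downgrade attempts visible in the proxy or server logs.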