Comments (6)
Hi, yes this should be possible with the passwordless option, but unfortunately it is not working for me right now. You can check the bug I opened, which has had no answer so far: #9513
There is also a video tutorial that explains how to do it: https://www.youtube.com/watch?v=aEpT2fYGwLw
Please let me know if you can find out how to make it work as I really would like to have it as well.
Thanks
from authentik.
The Tutorial is not what I am trying to achieve.
He is using his Phone as a Security Key to Log in to his Computer.
I want it the other way around.
The Users should authenticate on a normal Computer.
The Computer should then show a QR Code which the User could scan to Authenticate on a different Device like a Smartphone or in our case a Zebra WS50 Scanner.
from authentik.
I can't imagine it working in the way you described but you have other options that may perform something similar to what you need.
Maybe you don't really need a computer; you could have a printed qr-code on paper or anywhere. Scan it with your device, select your passkey (on your device) and you are in! Of course the qr-code could be on a computer screen, but that is not really necessary in this situation.
If you explain better why you want this flow, maybe we can help you more. Is it to avoid the slow user/password entry on a small screen? The step above does not need it.
Is the step above lacking in security? Why not merge it with a mobile phone scan?
device scan qr-code tag > device choose passwordless login and present a qr-code > Mobile phone (or maybe a computer with camera) scan that qr-code > device is logged in. Not a single letter typed on the device......
from authentik.
The primary reason for not having a "normal" auth flow with the workers entering an email and a password is the small screen size of the Zebra WS50.
Here is a picture of one for reference:
The targeted Users are our Production workers.
Most of them aren't very tech savvy so we need a way for them to quickly authenticate on such a small device.
The different devices aren't fixed to users; every day someone else could work on a station.
Currently we have implemented a basic authentication into each of our tools.
By auto suggesting the users email and using very short passwords they can authenticate fast.
This also works on the WS50 but it's a bit cumbersome and not really secure.
Furthermore I believe this email auto complete/suggestion does not work with authentik.
I would be open to other approaches for authenticating on such a small device.
Using a dedicated Login Terminal which displays the Login QR code for the individual user was just my first idea.
In the workflow I imagined, every production worker would receive a SmartCard.
They would authenticate using their card on one of the Login Terminals.
Then they would scan the Login QR Code using the WS50 and are authenticated on the WS50.
Maybe I will have to implement this flow using authentik's REST API.
So that I create a dedicated Login Terminal app which handles the authentik Auth.
The App then could request a Token from authentik and embed it in a QR Code.
Then the App on the WS50 could scan the Code, extract the Token and authenticate the user over authentik's REST API.
I guess this should be possible using Machine-to-machine authentication described here: https://docs.goauthentik.io/docs/providers/oauth2/client_credentials
from authentik.
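The hand-off idea from the comment above, as an added example that is not part of the thread and not authentik's API: instead of placing the authentik token itself in the QR code, a hypothetical terminal backend encodes a random single-use code with a short lifetime and releases the session only when the WS50 redeems it. `QrHandoffBroker`, the 30-second lifetime and the user id are assumptions.

```python
import hashlib
import secrets
import time


class QrHandoffBroker:
    """Hypothetical login-terminal backend component (not part of authentik)."""

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}  # sha256(code) -> (user_id, expiry)

    @staticmethod
    def digest(code):
        # Only a hash of the code is stored, so a dump of the pending
        # table does not reveal codes that are still redeemable.
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Call only after the worker has authenticated at the terminal."""
        now = self.clock()
        # Drop expired entries so unredeemed codes do not accumulate.
        self.pending = {d: e for d, e in self.pending.items() if e[1] >= now}
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending[self.digest(code)] = (user_id, now + self.ttl)
        return code  # this opaque string is what the QR code encodes

    def redeem(self, code):
        """Called by the scanning device; returns the user id or None."""
        entry = self.pending.pop(self.digest(code), None)  # single use
        if entry is None:
            return None  # unknown code, or already redeemed (replay)
        user_id, expiry = entry
        if self.clock() > expiry:
            return None  # QR code was shown too long ago
        # Here the backend would obtain the real token for user_id and
        # return it to the device over TLS; that call is outside this sketch.
        return user_id


if __name__ == "__main__":
    broker = QrHandoffBroker()
    qr_payload = broker.issue("worker-17")  # constructed sample user id
    print(broker.redeem(qr_payload), broker.redeem(qr_payload))
```

A photographed or replayed QR code is useless after the first redemption or once the lifetime has passed, a property a bearer token printed directly in the QR code would not have.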
I understood your points, and your desire to use the already scanner-capable equipment to scan something (a login PC or something like this) to log in, but as far as I know the standard is the opposite. The already logged-in device scans the other.
Anyway, you have a simple and easy solution using passwordless:
1: open a link on your device, it will show a qr code without any user input.
2: Employee mobile phone scans the qr code and logs in. Both android and iOS are passkey capable without any extra app.
*Don't want/can't use employee mobile phone? Another possibility is a USB key or NFC key depending on your device capabilities
Think that to make the user identification safe and simple as one click you need to give the employees something that will uniquely identify them like a USB key or a mobile phone.
Besides this you will have to implement something less usual and take a risk. Remember that unusual things that are considered niche can take a longer time to get devs' attention when something breaks in a new version or in a technology change, unless you are paying a lot.
from authentik.
We don't want the employees to use their private phones.
Giving every employee a mobile phone was also a consideration we already had.
The WS50 does have NFC capabilities and we already considered using that for authentication.
I think I have enough ideas now to create an example Project to test different auth approaches.
Thanks very much @it-global-architect for your input!
from authentik.