auth0 mfa-otp about node-oauth2-server HOT 11 CLOSED

I did, though it's not an appropriate grant flow -- I can provide an example of what I did, it essentially is a middle layer that sits on top of my authorization_code grant type.

Are there any RFC guide lines for MFA for OAuth that we can maybe implement here? I really don't see anything on the official one.

from node-oauth2-server.

I would be happy if you could provide me the example.

I think MFA is defined in the Financial Grade API.

from node-oauth2-server.

@HappyZombies

I dont want to pressure you but can you tell me, when you could provide me your code, please?

Thx.

from node-oauth2-server.

I'll try to get something by EOD or this week, I'll throw it on the example repo. Probably be an in memory database though to speed things up

from node-oauth2-server.

@Uzlopak great to see you here :-D What do you both about adding this to the examples repo?

from node-oauth2-server.

Yup I am actually making the code in the example repo :)

from node-oauth2-server.

I really hope you can give me that middleware. In the meantime I start to extend oauth2-server with

• AssociateHandler like https://auth0.com/docs/login/mfa/ropg-mfa/enroll-and-challenge-otp-authenticators#enroll-authenticator
• AuthenticatorsHandler like https://auth0.com/docs/login/mfa/ropg-mfa/enroll-and-challenge-email-authenticators#challenge-with-email
• ChallengeHandler https://auth0.com/docs/login/mfa/ropg-mfa/enroll-and-challenge-email-authenticators#challenge-user-with-otp

Is there any interest in adding this feature to this project?

from node-oauth2-server.

@Uzlopak regarding the last comment I think this should be discussed in the examples repo, right @HappyZombies ?

from node-oauth2-server.

We can still talk here since we already got the thread going, once I put the example up we can move discussion.

@Uzlopak This isn't really a middleware, but really just extra functionality that sits on top of the authorization_code flow -- though I am sure it can be used as custom grant extension that this module provides.

I will try my best to get you an example tonight! But essentially, we have a /login route that dispatches a two factor request, if successful we store the users id in a session and the authorization_code grant will take an additional field called twoFactorCode (or whatever you want) along with the scope, scope, state, response_type, redirect_uri, and client_id.

When we call .authorize, we supply the authenticateHandler that validates the two factor code and returns the user that is trying to login (with the assistance of the session that has the user id). And so on the authorization_code flow continues.

from node-oauth2-server.

@Uzlopak I added the example here https://github.com/node-oauth/node-oauth2-server-examples/tree/feature.mfa-example/mfa-example Keep in mind again that this a custom implementation and doesn't follow anything in particular. Uses everything in memory.

This example is not quiet done yet, I still gotta mock/implement some small things, but the overall part of it is done :) Please let me know if you have any questions.

(Also keep in mind I kinda just threw this together, maybe with more time I can make a real working example with MySQL maybe)

from node-oauth2-server.

Thank you ;)

from node-oauth2-server.