Generator-jhipster: Two-factor Authentication and Refresh Token

Created on 7 Sep 2018 · 15 Comments · Source: jhipster/generator-jhipster

Overview of the feature request


I have implemented Two-factor authentication and Refresh Token in my gateway. I would like to make it more generic and provide my contribution.

Either email or phone number will receive an OTP code (Identification code) upon login. We can do it in a few different ways:

Two Factor/Multi Factor Authentication (MFA)

  1. OTP always required.
  2. One time, until the user logs in from a different device (we can also do it for a different IP).
  3. We will use the browser signature to identify the user and whether or not an OTP is required.

Refresh Token

  1. We are using JWT as the authentication token. Since we don't store the JWT, there is no way to delete or expire it once we log in. And if someone can get the JWT, they can have access to all resources.
  2. I have reduced the JWT expiry to 1 min and implemented the concept of a Refresh Token.
  3. Upon login I generate a Refresh Token and store this token in the DB.
  4. Created a resource /api/refresh; when I post this refresh token every minute, in response it sends a new id_token which I update on the client side.
  5. Now if the user decides to log out, I delete the refresh_token from the DB and the id_token will be valid for at most 1 min.
  6. I have updated authentication and now I store the device, i.e., web, iOS, Android etc.; this way I set the expiry for the id_token. In the case of web my id_token expiry is 1 min and in the case of a smart device it is 1 week.
  7. When the user launches the app, in the background I check whether the id_token is valid via /api/validate; if not, I use /api/refresh to get a new id_token.

Single Sign in

  1. In our application we only allow 1 login, and if the user logs in from a different device they will be logged out from the other devices (except app), i.e., only for the web app.
  2. Using the refresh token I am able to achieve it.
  3. During authentication I check in the DB if any refresh_token (for web) exists. If so, it is deleted.
  4. Now let's say the user is already logged in from a different device (web); then upon the /api/refresh call it will send invalid access and we redirect to the login page. I am currently working on sending a push notification for a real-time alert, but not everyone allows browser notifications.

Motivation for or Use Case

  1. I have to implement MFA so that I can make sure to avoid brute force login or hacking.
  2. Refresh token to keep the id_token shorter but keep it updating as long as the user is active.
  3. Single Sign in so that at no time can 2 different people use the same login.

Related issues or PR

  • [ ] Checking this box is mandatory (this is just to show you read everything)
area needs-discussion module
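As an added illustration of the refresh-token and single sign-in scheme described in this issue (example code, not the author's or JHipster's): an HMAC-signed payload stands in for the JWT id_token, a dict stands in for the refresh_token table, and the 1-minute/1-week lifetimes and the "new web login evicts the old one" rule follow the post.

```python
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-key"  # placeholder signing key for the example only
# id_token lifetime per device type, as in the issue: 1 min for web, 1 week for apps.
LIFETIME = {"web": 60, "ios": 7 * 86400, "android": 7 * 86400}

def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def _h(refresh_token):
    # Store only a hash so a leaked DB dump does not yield usable refresh tokens.
    return hashlib.sha256(refresh_token.encode()).hexdigest()

def sign_token(login, device, now):
    """Stand-in for the JWT id_token: a signed payload carrying subject and expiry."""
    payload = json.dumps({"sub": login, "dev": device, "exp": now + LIFETIME[device]})
    return payload + "|" + _mac(payload)

def validate_token(token, now):
    """/api/validate: checks signature and expiry only; no server state is consulted."""
    payload, _, mac = token.rpartition("|")
    return hmac.compare_digest(mac, _mac(payload)) and json.loads(payload)["exp"] > now

class RefreshStore:
    """The refresh_token table: sha256(token) -> (login, device)."""
    def __init__(self):
        self.rows = {}

    def login(self, login, device, now):
        # Single sign-in: a new web login deletes the user's existing web refresh
        # token, so the older browser's next /api/refresh call is rejected.
        if device == "web":
            self.rows = {h: ld for h, ld in self.rows.items() if ld != (login, "web")}
        refresh = secrets.token_urlsafe(32)
        self.rows[_h(refresh)] = (login, device)
        return sign_token(login, device, now), refresh

    def refresh(self, refresh_token, now):
        """/api/refresh: a new id_token only while the refresh token is still in the table."""
        row = self.rows.get(_h(refresh_token))
        return None if row is None else sign_token(row[0], row[1], now)

    def logout(self, refresh_token):
        # Deleting the row bounds a stolen id_token's usefulness to its remaining lifetime.
        self.rows.pop(_h(refresh_token), None)
```

Note that logout cannot revoke an id_token already issued; it only stops further refreshes, which is exactly why the post keeps the web id_token lifetime at 1 minute.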

All 15 comments

I am interested in integrating refresh token with JWT. Can you paste your code please? (if you don't mind)

Sure, I will. But there are multiple classes which I changed as well as created, and a Refresh Token entity; I did it very specifically for my application. I do want to make it generic and option based. Once I get approval from Julien I will start working on it. Share your email and I will send all the code.

@abhisheksharma85 can't most of this be achieved with the OIDC option? In either case this is quite a lot to put in the main code and I think it's a perfect fit for a module. Can you build this as a module first? If there is enough interest in it we can merge it back here. I'm closing the ticket for now but you guys are welcome to continue any discussion here.

@abhisheksharma85 also don't hesitate to ask us for any help you need with the module
https://www.jhipster.tech/modules/creating-a-module/

Sure Deepu! I will make it as a module.

Hi @abhisheksharma85 ,

I am working on a project based on JHipster and there is a requirement for two-step authentication. Could you please guide me on how to achieve this in a JHipster application? If you could give me some code snippet, that would be great.

Thank you.

Sure, I will send it over the weekend.

Send me your email address.


Thank you @abhisheksharma85 ,

Here is my email address :- [email protected]

If you use OIDC and Okta, it's pretty easy to enable MFA. Here's a tutorial that shows you how: https://developer.okta.com/blog/2018/06/12/mfa-in-spring-boot

Hi @abhisheksharma85, do you have any update? I'd need to implement 2FA and would love to look at your code :)

@abhisheksharma85 Have you managed to implement two-factor authentication on your end?

Yes. Using AWS SNS. Currently working on MFA using an Auth Provider.


Just in case anyone finds this issue through Google:
I just successfully implemented 2FA for my UAA + microservices setup following this great tutorial:
https://sultanov.dev/blog/multi-factor-authentication-with-spring-boot-and-oauth2/
In addition to the described steps, the gateway needs to be configured to forward the MFA request params.
My solution now also supports OTPs sent via SMS, which is pretty easy to set up once the Google Authenticator is working.
Hope this might help someone searching for something similar.

@iroCheese I've also run through the same tutorial and implemented MFA this way. Perhaps we should start a blueprint/feature proposal for JHipster. It would be nice to get some "validation" that this was implemented properly.

I'd love to do that, but sadly at the moment I just don't see myself finding the time to do this properly. However, this might change at some point. I'd really like to give something back to the JHipster community.
