Identityserver4: Two Factor Authentication using Identity Server 4

Created on 10 Apr 2017 · 19 Comments · Source: IdentityServer/IdentityServer4

How can I implement a two factor authentication using Identity Server 4.

Both of the methods in the sample do not allow customizing the endpoint:
// From the IdentityServer4 quickstart sample (IdentityModel 2.x): discover the endpoints, then request a token with the resource owner password grant
var disco = await DiscoveryClient.GetAsync("http://localhost:5000");
var tokenClient = new TokenClient(disco.TokenEndpoint, "ro.client", "secret");
var tokenResponse = await tokenClient.RequestResourceOwnerPasswordAsync("[email protected]", "Pass123$", "api1");

Is it possible to achieve two factor authentication using either the ASP.NET Identity or the EF Core implementation?

question

All 19 comments

This is something that your UI would be responsible for, not IdentityServer.

@brockallen thanks. But how can I make sure that the token is issued to the request owner only after two factor authentication? Is it the responsibility of the front end? Suppose the front end does not take the necessary precautions and the token to access the API has breached security? Can anything be done with ASP.NET Identity 2FA? Please help. Thanks.

I don't know how you'd do two factor while using the token endpoint directly -- that's not the normal flow. You should use a browser and redirect the user to the authorization endpoint.

@brockallen Thanks. What do you suggest as the normal flow to implement 2FA while using IdentityServer for generating tokens for the APIs?

2FA is unrelated to flows. 2FA is part of authentication. See our samples: https://identityserver4.readthedocs.io/en/release/quickstarts/6_aspnet_identity.html

Thanks @brockallen. I have gone through the document. Can I use the RO grant to achieve that while giving full control to the client UI implementing it? Or do I have to force the client UI to redirect to the authentication page in which IdentityServer resides?

Ok, now we're back to resource owner flow. I'll repeat:

This is something that your UI would be responsible for, not IdentityServer.

2FA is unrelated to IdentityServer. If you require the use of resource owner flow then your UI is responsible for figuring out how to get 2FA to work. I can't help you any more than that.

@brockallen What grant type should I consider then while implementing this when the client is something like an SPA in AngularJS or another UI framework?

SPA = implicit flow

@leastprivilege Thanks. Will look into this.

@satyajit-behera did you come to any conclusion with this? I am looking into it currently and would appreciate any design tips on how to best go about this.

@brockallen - I appreciate that it's not part of the flow, but it's hard to find documentation about what the best practices are about how I should design my user interface.

I'm trying to use IdentityServer4 as an authentication point for a couple of native iOS and Android apps, and I'd prefer to keep the UI entirely inside those apps. It seems like I'd just build a form inside the app, get the username and password, and submit them to the token endpoint for a password grant.

But if I want to add two factor authentication in, what's the best practice? Do I write a custom endpoint to trigger the sending of the 2FA code, then send that as an "acr_value" to the token endpoint?

I'm just a little lost. As a full stack developer, it's hard to find these resources. It'd be really helpful if IdentityServer4 had a little more documentation about how to set this up, or at least links to help me figure out how to put all the pieces together. I could hack something together, I'm sure, but I'd really like it to represent best practices, and I just can't figure out what the best practice is here.

What sorts of 2FA did you want to enable? The simple Microsoft/Google Authenticator app, or YubiKeys? The former is in a pull request that was never merged. The latter is a work in progress. If you are using Visual Studio, you can just build an app with Identity enabled to see what it looks like and copy the parts you like.

Honestly, I was assuming I'd just send a text message and get a 5 or 6 digit code, but the Microsoft/Google Authenticator would probably work as well.

See issue 2079.

@BuairtRi I know this thread is dead, but I am trying to figure out the same thing here. I have implemented in IS4 the authenticator login flow for our website, but our native Windows app uses the token endpoint to authenticate. Do we need to make our own API for this and turn off the default token endpoint?

We would need a response indicating that the authenticator code is required, then we can modify the native client's UI to take a code and send that into IS to authenticate the user.

Shouldn't use implicit flow anymore as it is insecure. See the updated guidelines nicely explained by Brock: https://brockallen.com/2019/01/03/the-state-of-the-implicit-flow-in-oauth2/

For user facing native/mobile apps, use Auth code + PKCE flow, after credential validation is completed by the UI.


Thanks @ghanashyaml. I'll have a look at that and the recommended flow of auth code + PKCE and see where to go from there. I'm full stack but new to the authentication world, so most of the documentation on IS4 is very cryptic to me (and seems to be written with someone who already knows and has internalized authentication in mind).
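The authorization code + PKCE flow recommended above, as an added Python example that is not code from this thread or from IdentityServer4: the native app never collects the password or the 2FA code itself; it generates a PKCE verifier, sends the user to IdentityServer's authorize endpoint in the system browser (where the login UI, including any 2FA step, runs), and the token endpoint later checks the presented verifier against the challenge bound to the authorization code. The `/connect/authorize` path is IdentityServer's default; the authority, client id and redirect URI in the test are assumed placeholders.

```python
"""Authorization code + PKCE (RFC 7636) helpers for a native client.
Added illustration of the flow recommended in the thread; not project code."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(raw: bytes) -> str:
    # Base64url without padding, as RFC 7636 requires for both values.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to a 43-character verifier (the RFC minimum).
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: challenge = BASE64URL(SHA256(ASCII(verifier))).
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(authority: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, verifier: str) -> str:
    # The app opens this URL in the browser and keeps `verifier` private.
    # The challenge, not the verifier, travels with the authorize request,
    # so an interceptor of the redirect cannot redeem the code it sees.
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authority}/connect/authorize?{urlencode(params)}"


def server_verifies_pkce(stored_challenge: str, stored_method: str,
                         presented_verifier: str) -> bool:
    # What the token endpoint does when the code is redeemed: recompute the
    # challenge from the presented verifier and compare in constant time.
    if stored_method != "S256":
        return False
    recomputed = make_code_challenge(presented_verifier)
    return secrets.compare_digest(recomputed, stored_challenge)
```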

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
