combined password and totp auth plugin for MFA
The current password and TOTP plugins are separate, and there seems to be no way to enforce both in Keystone, since the assumption is that a consumer of Keystone will pick which auth methods to use.
This makes the current TOTP plugin less useful than it could be, and having to request the TOTP auth method separately makes it much harder to use.
This plugin would be an optional replacement for the current password plugin that also performs a TOTP check for users who have TOTP credentials associated with their user account.
It would work by expecting the passcode to be appended to the password; if the user has TOTP credentials, the plugin strips the passcode from the end of the supplied string and verifies it.
This would allow optional multi-factor auth (MFA) on a per-user basis without restricting any API access for non-MFA users, and it would also allow MFA-enabled users to keep using the API, CLI, and Horizon as normal simply by appending their TOTP passcode to their password.
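The check described above, written out as an added example: this is illustrative code, not Keystone's plugin or the change linked below. It assumes a small in-memory user store, PBKDF2-SHA256 password hashes and a standard-library HMAC-SHA1 TOTP (RFC 6238); the user records, the helper names and the sample users are constructed for the illustration. Users without a TOTP secret are authenticated exactly as before, while users with one must supply password followed by the six-digit passcode in a single string.

```python
"""Added example (not Keystone's own code): a combined password + TOTP
check in the shape the blueprint describes.  The user store, hashing
scheme and helper names are assumptions made for this illustration."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

PASSCODE_DIGITS = 6   # length of the TOTP passcode appended to the password
TIME_STEP = 30        # seconds per TOTP window (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = PASSCODE_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = TIME_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time counter."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step)


def hash_password(password: str, salt: Optional[bytes] = None):
    """PBKDF2-SHA256 password hash (assumed scheme); returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(user: dict, password: str) -> bool:
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["password_hash"])


def split_credential(user: dict, submitted: str):
    """Strip the trailing passcode only when the user has TOTP credentials,
    as the blueprint proposes; a non-MFA user's password is used untouched."""
    if not user.get("totp_secret") or len(submitted) <= PASSCODE_DIGITS:
        return submitted, None
    return submitted[:-PASSCODE_DIGITS], submitted[-PASSCODE_DIGITS:]


def authenticate(users: dict, username: str, submitted: str,
                 now: Optional[int] = None) -> bool:
    """Password check for every user, plus a TOTP check for users with a secret."""
    user = users.get(username)
    if user is None:
        return False
    password, passcode = split_credential(user, submitted)
    if not verify_password(user, password):
        return False
    secret = user.get("totp_secret")
    if secret is None:
        return True                      # non-MFA user: password alone suffices
    if passcode is None or not passcode.isdigit():
        return False                     # MFA user without a usable passcode
    now = int(time.time()) if now is None else now
    # Accept the current window and its neighbours to tolerate clock drift;
    # compare every candidate so the loop does not short-circuit on a match.
    ok = False
    for drift in (-1, 0, 1):
        ok |= hmac.compare_digest(passcode, totp(secret, now + drift * TIME_STEP))
    return ok


def build_users() -> dict:
    """Constructed sample store: one plain-password user, one MFA user."""
    s1, h1 = hash_password("correct horse")
    s2, h2 = hash_password("battery staple")
    return {
        "alice": {"salt": s1, "password_hash": h1},      # no TOTP credential
        "bob": {"salt": s2, "password_hash": h2,
                "totp_secret": b"12345678901234567890"},  # RFC 6238 test secret
    }


if __name__ == "__main__":
    users = build_users()
    now = 59  # RFC 6238 reference time; the passcode for this window is 287082
    code = totp(users["bob"]["totp_secret"], now)
    print(authenticate(users, "alice", "correct horse"))                # True
    print(authenticate(users, "bob", "battery staple" + code, now))     # True
    print(authenticate(users, "bob", "battery staple", now))            # False
```

The split is purely positional, which is what makes the scheme transparent to clients: an MFA user types `<password><passcode>` wherever a password is expected, and the plugin takes the last six characters as the passcode only when it knows the user has a TOTP secret. A one-step drift window is the usual compromise between tolerating client clock skew and keeping the window of passcode reuse small.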
Blueprint information
- Status: Complete
- Approver: Steve Martinelli
- Priority: Medium
- Drafter: Adrian Turjak
- Direction: Approved
- Assignee: Adrian Turjak
- Definition: Superseded
- Series goal: Accepted for ocata
- Implementation: Needs Code Review
- Milestone target: None
- Started by: Adrian Turjak
- Completed by: Steve Martinelli
Whiteboard
Do we supersede this BP in favor of https:/
Yes, we do.
Gerrit topic: https:/
Addressed by: https:/
[WIP] combined password+totp auth plugin
Addressed by: https:/
Extended Password Auth with optional MFA