The Single Sign-On Multi-Factor portal for web apps

Overview


Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for reverse proxies like nginx, Traefik or HAProxy to let them know whether requests should either be allowed or redirected to Authelia's portal for authentication.
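To make that exchange concrete, here is an added example (not Authelia's own code) that models the forward-auth round trip in Go: a stand-in for the /api/verify endpoint answers 200 with Remote-User and Remote-Groups headers when the request carries a valid session cookie, and otherwise 401 with a Location pointing at the portal carrying the original URL in rd=; the proxy side calls it and turns the answer into an allow or redirect decision. The portal address auth.example.com, the X-Original-URL header name, the in-memory session table and the sample cookie value are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed portal address for this example.
const portalURL = "https://auth.example.com"

// sessions is a constructed stand-in for the session store: cookie value -> identity.
var sessions = map[string]struct {
	user   string
	groups []string
}{
	"valid-session-token": {user: "alice", groups: []string{"admins", "dev"}},
}

// verifyHandler models the /api/verify endpoint the proxy calls. A valid session
// cookie yields 200 plus identity headers; anything else yields 401 with a
// Location that sends the browser to the portal with the original URL in rd=.
func verifyHandler(w http.ResponseWriter, r *http.Request) {
	original := r.Header.Get("X-Original-URL") // assumed header carrying the original URL
	if c, err := r.Cookie("authelia_session"); err == nil {
		if s, ok := sessions[c.Value]; ok {
			w.Header().Set("Remote-User", s.user)
			w.Header().Set("Remote-Groups", strings.Join(s.groups, ","))
			w.WriteHeader(http.StatusOK)
			return
		}
	}
	w.Header().Set("Location", portalURL+"/#/?rd="+url.QueryEscape(original))
	w.WriteHeader(http.StatusUnauthorized)
}

// Decision is what the proxy learns from the auth server for one request.
type Decision struct {
	Allowed  bool
	User     string
	Groups   string
	Redirect string // portal URL to send the client to when not allowed
}

// forwardAuth performs the proxy side: replay the client's cookies to the verify
// endpoint together with the original URL, then interpret the status and headers.
func forwardAuth(verifyURL, originalURL string, cookies []*http.Cookie) (Decision, error) {
	req, err := http.NewRequest(http.MethodGet, verifyURL, nil)
	if err != nil {
		return Decision{}, err
	}
	req.Header.Set("X-Original-URL", originalURL)
	for _, c := range cookies {
		req.AddCookie(c)
	}
	// The proxy never follows the portal redirect itself; the browser must.
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}}
	resp, err := client.Do(req)
	if err != nil {
		return Decision{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusOK {
		return Decision{
			Allowed: true,
			User:    resp.Header.Get("Remote-User"),
			Groups:  resp.Header.Get("Remote-Groups"),
		}, nil
	}
	return Decision{Redirect: resp.Header.Get("Location")}, nil
}

// runExchange starts the model auth server and performs one proxy check against it.
func runExchange(originalURL string, cookies []*http.Cookie) (Decision, error) {
	srv := httptest.NewServer(http.HandlerFunc(verifyHandler))
	defer srv.Close()
	return forwardAuth(srv.URL+"/api/verify", originalURL, cookies)
}

func main() {
	anon, _ := runExchange("https://app.example.com/", nil)
	fmt.Printf("anonymous: allowed=%v redirect=%s\n", anon.Allowed, anon.Redirect)
	known, _ := runExchange("https://app.example.com/",
		[]*http.Cookie{{Name: "authelia_session", Value: "valid-session-token"}})
	fmt.Printf("alice: allowed=%v user=%s groups=%s\n", known.Allowed, known.User, known.Groups)
}
```

The redirect the anonymous request receives has the same shape as the one logged in the issues further down this page: the portal URL followed by `#/?rd=` and the percent-encoded original URL, which is how the portal knows where to send the user once they have authenticated.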

Documentation is available at https://www.authelia.com/docs.

The following is a simple diagram of the architecture:

Authelia can be installed as a standalone service from the AUR, APT, FreeBSD Ports, or using a Static binary, .deb package, Docker or Kubernetes either manually or via the Helm Chart (beta) leveraging ingress controllers and ingress configurations.

Here is what Authelia's portal looks like:

Features summary

This is a list of the key features of Authelia:

For more details about the features, follow Features.

If you want to know more about the roadmap, follow Roadmap.

Proxy support

Authelia works in combination with nginx, Traefik or HAProxy. It can be deployed on bare metal with Docker or on top of Kubernetes.

Help Wanted: Assistance would be appreciated in getting Authelia working with Caddy and Envoy.

Getting Started

docker-compose

The docker-compose bundles act as a starting point for anyone wanting to see Authelia in action. You will have to customize them to your needs as they come with self-signed certificates.

Local

The Local compose bundle is intended to test Authelia without worrying about configuration. It's meant to be used for scenarios where the server is not exposed to the internet. Domains will be defined in the local hosts file and self-signed certificates will be utilised.

Lite

The Lite compose bundle is intended for scenarios where the server will be exposed to the internet; domains and DNS will need to be set up accordingly and certificates will be generated through LetsEncrypt. The Lite element refers to minimal external dependencies: file-based user storage and SQLite-based configuration storage. In this configuration, the service will not scale well.

Full

The Full compose bundle is intended for scenarios where the server will be exposed to the internet; domains and DNS will need to be set up accordingly and certificates will be generated through LetsEncrypt. The Full element refers to a scalable setup which includes external dependencies: LDAP-based user storage and database-based configuration storage (MariaDB, MySQL or Postgres).

Deployment

Now that you have tested Authelia and you want to try it out in your own infrastructure, you can learn how to deploy and use it with Deployment. This guide will show you how to deploy it on bare metal as well as on Kubernetes.

Security

Authelia takes security very seriously. If you discover a vulnerability in Authelia, please see our Security Policy.

For more information about security related matters, please read the documentation.

Contact Options

Several contact options exist for our community, the primary one being Matrix. These are in addition to GitHub issues for creating a new issue.

Matrix

Community members are invited to join the Matrix Space which includes both the Support Room and the Contributing Room.

  • The core team members are identified as administrators in the Space and individual Rooms.
  • All channels are linked to Discord.

Discord

Community members are invited to join the Discord Server.

Email

You can contact the core team by email via [email protected]. Please note the
[email protected] is also available but is strictly reserved for security related matters.

Breaking changes

Since Authelia is still under active development, it is subject to breaking changes. It's recommended to pin a version tag instead of using the latest tag, and to read the release notes before upgrading. This is where you will find information about breaking changes and what you should do to overcome said changes.

Why Open Source?

You might wonder why Authelia is open source while it adds a great deal of security and user experience to your infrastructure at zero cost. It is open source because we firmly believe that security should be available for all to benefit in the face of the battlefield which is the Internet, with near zero effort.

Additionally, keeping the code open source is a way to leave it auditable by anyone who is willing to contribute. This way, you can be confident that the product remains secure and does not act maliciously.

It's important to keep in mind that Authelia is not directly exposed on the Internet (your reverse proxies are). However, it's still the control plane for your internal security, so take care of it!

Contribute

If you want to contribute to Authelia, please read our contribution guidelines.

Authelia exists thanks to all the people who contribute so don't be shy, come chat with us on either Matrix or Discord and start contributing too.

Thanks goes to these wonderful people (emoji key):


  • Clément Michaud: 💻 📖 🤔 🚧 💬 👀 ⚠️
  • Amir Zarrinkafsh: 💻 📖 🤔 🚧 💬 👀 ⚠️
  • James Elliott: 💻 📖 🤔 🚧 💬 👀 ⚠️
  • Antoine Favre: 🐛 🤔
  • BankaiNoJutsu: 💻 🎨
  • Philipp Rintz: 📖
  • Callan Bryant: 💻 📖
  • Ian: 💻
  • FrozenDragoon: 💻
  • vdot0x23: 💻
  • alexw1982: 📖
  • Sohalt: 💻 📖
  • Stoica Tedy: 💻
  • Dylan Smith: 💻
  • Lukas Klass: 📖
  • Philipp Staiger: 💻 📖 ⚠️
  • James Hodgkinson: 📖
  • Chris Smith: 📖
  • Mihály: 📖
  • Silver Bullet: 📖
  • Paul Williams: 💻 ⚠️
  • Timo: 📖
  • Andrew Kliskey: 📖
  • Kristof Mattei: 📖
  • ZMiguel Valdiviesso: 📖
  • akusei: 💻 📖
  • Daniel Miller: 📖
  • Dustin Sweigart: 💻 📖 ⚠️
  • Shawn Haggard: 💻 ⚠️
  • Kevyn Bruyere: 📖
  • Daniel Sutton: 💻
  • Valentin Höbel: 💻
  • thehedgefrog: 📖
  • Victor: 📖
  • Chris Whisker: 📖
  • nasatome: 📖
  • Begley Brothers (Development): 📖
  • Mike Kusold: 💻
  • Dimitris Zervas: 📖
  • TheCatLady: 🤔
  • Lauri Võsandi: 🤔
  • Kennard Vermeiren: 🤔
  • ThinkChaos: 💻 📖 ⚠️
  • Hasan: 🛡️
  • David Chidell: ??
  • Marcel Marquardt: 🐛
  • Ian Gallagher: 📖
  • Wu Han: 📖
  • lavih: 📖
  • Jon B.: 🛡️
  • Alex Gustafsson: 💻 📖
  • Arsenović Arsen: 💻 ⚠️ 🛡️
  • dakriy: 💻
  • Dave: 📓
  • Nicolas Reymundo: 📖
  • polandy: 📖

This project follows the all-contributors specification. Contributions of any kind welcome!

Backers

Thank you to all our backers! 🙏 Become a backer and help us sustain our community. The money we currently receive is dedicated to bootstrapping a bug bounty program, to give us as many eyes as we can to detect potential vulnerabilities.

Sponsors

Any company can become a sponsor by donating or providing any benefit to the project or the team helping improve Authelia.

Help Wanted: We are actively looking for sponsorship to obtain either a code security audit, penetration testing, or other audits related to improving the security of Authelia.

Companies contributing to Authelia will have a special mention below. [Become a sponsor]

Balto

Thank you to Balto for hosting our apt repository.

Digital Ocean

Thank you to DigitalOcean for contributing on OpenCollective.

JetBrains

Thank you to JetBrains for providing us with free licenses to their great tools.

License

Authelia is licensed under the Apache 2.0 license. The terms of the license are detailed in LICENSE.


Comments
  • Make Authelia and Traefik play nice

    Forward auth has been implemented in Traefik, which is supposed to be similar to ngx_http_auth_request_module which Authelia depends on in NGINX. https://github.com/containous/traefik/pull/1972 https://github.com/containous/traefik/pull/2110

    Sample traefik.toml config:

    defaultEntryPoints = ["https"]
    [entryPoints]
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.auth.forward]
      address = "https://auth.domain.tld/verify"
    

    However Traefik stalls indefinitely when this option is enabled in Traefik and sending forward auth to Authelia. I don't know if this is related to https://github.com/containous/traefik/pull/2127, or if it's a different issue. It seems like whatever Authelia responds isn't parsed properly by Traefik.

    I'm going to use this issue to track the problem. Do you have any ideas @clems4ever?

    Solving this would remove the NGINX dependency entirely in a Traefik environment when using Authelia.

    type/enhancement priority/3/medium 
    opened by jkaberg 84
  • Authelia + Caddy v2 Configuration?

    Hello! I noticed that Caddy v2 doesn't have a proxy integration on Authelia docs: https://www.authelia.com/docs/deployment/supported-proxies/

    Are you planning on adding one?

    priority/4/normal type/feature 
    opened by planecore 43
  • authelia crashes

    Bug Report

    Description

    Authelia crashes without visible reason

    Expected Behaviour

    # systemctl status authelia
    ● authelia.service - Authelia authentication and authorization server
       Loaded: loaded (/etc/systemd/system/authelia.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Tue 2022-07-26 23:20:51 MSK; 8min ago
      Process: 25221 ExecStart=/usr/bin/authelia --config /home/devops/authelia.config.yml (code=exited, status=2)
     Main PID: 25221 (code=exited, status=2)
    
    Jul 26 23:20:51 ansible-sirius authelia[25221]: github.com/valyala/[email protected]/server.go:2308 +0x11ae
    Jul 26 23:20:51 ansible-sirius authelia[25221]: github.com/valyala/fasthttp.(*workerPool).workerFunc(0xc0003c8280, 0xc002704000)
    Jul 26 23:20:51 ansible-sirius authelia[25221]: github.com/valyala/[email protected]/workerpool.go:224 +0xa9
    Jul 26 23:20:51 ansible-sirius authelia[25221]: github.com/valyala/fasthttp.(*workerPool).getCh.func1()
    Jul 26 23:20:51 ansible-sirius authelia[25221]: github.com/valyala/[email protected]/workerpool.go:196 +0x38
    Jul 26 23:20:51 ansible-sirius authelia[25221]: created by github.com/valyala/fasthttp.(*workerPool).getCh
    Jul 26 23:20:51 ansible-sirius authelia[25221]: github.com/valyala/[email protected]/workerpool.go:195 +0x1b5
    Jul 26 23:20:51 ansible-sirius systemd[1]: authelia.service: main process exited, code=exited, status=2/INVALIDARGUMENT
    Jul 26 23:20:51 ansible-sirius systemd[1]: Unit authelia.service entered failed state.
    Jul 26 23:20:51 ansible-sirius systemd[1]: authelia.service failed.
    

    Reproduction Steps

    Update authelia to v4.36.2/3 from v4.35.6

    Additional Information

    N/A

    type/question type/documentation 
    opened by adpavlov 42
  • How do I configure HAProxy on pfsense?

    Hi everyone!

    I'm a noob at HAProxy, but recently got a router and installed pfsense on it. Now, I'm trying to use HAProxy on it, and just fail to understand what to fill and where from https://www.authelia.com/docs/deployment/supported-proxies/haproxy.html

    Can someone please tell me how to do this? I have no problem doing it on Traefik, but pfsense's HAProxy remains a mystery to me.

    Many thanks!

    priority/4/normal type/integration-issue Help Wanted 
    opened by schklom 34
  • Docker Container Unhealthy in 4.23.1

    Hello all and thank you for the great project. I recently updated my container from 4.23.0 to 4.23.1 and when running docker ps, I can see that the authelia container is unhealthy. As a temporary fix, I've rolled back to 4.23.0 where this isn't an issue. Is this an issue with my configuration and breaking changes or an error within the project?

    Logs when running 4.23.1:

    time="2020-11-14T00:20:01-05:00" level=info msg="Logging severity set to debug"
    time="2020-11-14T00:20:02-05:00" level=debug msg="Storage schema is being checked to verify it is up to date"
    time="2020-11-14T00:20:02-05:00" level=debug msg="Storage schema is up to date"
    time="2020-11-14T00:20:02-05:00" level=debug msg="Notifier SMTP client initializing TLS configuration"
    time="2020-11-14T00:20:02-05:00" level=debug msg="Notifier SMTP client attempting connection to xxx.xxx.xxx:587"
    time="2020-11-14T00:20:04-05:00" level=debug msg="Notifier SMTP client connected successfully"
    time="2020-11-14T00:20:04-05:00" level=debug msg="Notifier SMTP server supports STARTTLS (disableVerifyCert: false, ServerName: xxx.xxx.xxx), attempting"
    time="2020-11-14T00:20:04-05:00" level=debug msg="Notifier SMTP STARTTLS completed without error"
    time="2020-11-14T00:20:04-05:00" level=debug msg="Notifier SMTP server supports authentication with the following mechanisms: PLAIN LOGIN"
    time="2020-11-14T00:20:04-05:00" level=debug msg="Notifier SMTP client attempting AUTH PLAIN with server"
    time="2020-11-14T00:20:04-05:00" level=debug msg="Notifier SMTP client authenticated successfully with the server"
    time="2020-11-14T00:20:04-05:00" level=warning msg="Error reading hosts memory limit: open /sys/fs/cgroup/memory/memory.limit_in_bytes: no such file or directory"
    time="2020-11-14T00:20:04-05:00" level=info msg="Authelia is listening for non-TLS connections on 0.0.0.0:9091"
    

    I'm running authelia/authelia:4.23.1 on arch64/aarch64.

    Image information:

    REPOSITORY                                 TAG                 IMAGE ID            CREATED             SIZE
    authelia/authelia                          latest              8fa2d96139ea        3 days ago          30.1MB
    

    Thank you :smile:

    type/bug status/ready 
    opened by JeffResc 32
  • Unable to mount configuration.yml

    I tried to install authelia with docker-compose but on startup authelia isn't able to find the configuration.yml. Especially, it is impossible to mount the "/var/lib/authelia" volume, and on build the container automatically mounts /etc/authelia (where the configuration files are in). But even on changing the PUID or PGID to root or changing the configuration files in the (unexpected) volume, authelia still goes into panic mode and logs missing configuration.

    I even copied your docker-compose.yml and still the same error. So either I'm doing something stupidly wrong (probably) or there is a bug (unlikely).

    time="2020-05-26T17:25:41+02:00" level=error msg="Provide a JWT secret using \"jwt_secret\" key"
    time="2020-05-26T17:25:41+02:00" level=error msg="Please provide `ldap` or `file` object in `authentication_backend`"
    time="2020-05-26T17:25:41+02:00" level=error msg="Set domain of the session object"
    time="2020-05-26T17:25:41+02:00" level=error msg="A storage configuration must be provided. It could be 'local', 'mysql' or 'postgres'"
    time="2020-05-26T17:25:41+02:00" level=error msg="A notifier configuration must be provided"
    panic: Some errors have been reported
    
    goroutine 1 [running]:
    main.startServer()
    	github.com/authelia/authelia/cmd/authelia/main.go:41 +0xc80
    main.main.func1(0xc00009c000, 0xc000232120, 0x0, 0x2)
    	github.com/authelia/authelia/cmd/authelia/main.go:126 +0x20
    github.com/spf13/cobra.(*Command).execute(0xc00009c000, 0xc000020190, 0x2, 0x2, 0xc00009c000, 0xc000020190)
    	github.com/spf13/[email protected]/command.go:842 +0x29d
    github.com/spf13/cobra.(*Command).ExecuteC(0xc00009c000, 0xc00013df58, 0x4, 0x4)
    	github.com/spf13/[email protected]/command.go:943 +0x317
    github.com/spf13/cobra.(*Command).Execute(...)
    	github.com/spf13/[email protected]/command.go:883
    main.main()
    	github.com/authelia/authelia/cmd/authelia/main.go:143 +0x166
    
    priority/1/critical 
    opened by dylanh50 32
  • Authelia V4 not working with traefik as it did before

    I updated to authelia v4 today and everything seemed to work after I renamed my config from config.yml to configuration.yml. However, upon trying to login after browsing to one of my sites, I didn't get re-directed back to the site I came from. This was working before and seems to have been broken in v4. Was there any support removed that used to exist before? I'm happy to run through my config etc to help debug what has broken in the update, would just like to get this issue resolved if possible so I'm not stuck on v3.

    opened by zackpollard 30
  • U2F is not working under Firefox 62

    The U2F key is not working under Firefox 62. When the 2FA page is loaded, the hint asking for the U2F key is shown by Firefox, and the key is blinking. However, when the key is touched, nothing happens.

    The following error is found in the console after the page is loaded:

     TypeError: setting getter-only property "u2f" u2f-api.js:17:5
    	<Anonymous> https://login.example.com/js/u2f-api.js:17:5
    
    type/bug priority/3/medium 
    opened by SilverBut 30
  • help needed: protecting homeassistant mobile with authelia

    Hello,

    I am using nginx proxy manager and authelia. I would like to protect my home assistant domain with authelia. I am using this endpoint protection code in nginx proxy manager advanced settings:

    https://github.com/ibracorp/authelia/blob/master/Protected%20Endpoint.conf

    This works in web-browsers:

    • browser login to has.mydomain.com
    • redirected for authentication at auth.mydomain.com
    • enter credentials, if successful redirects back to has.mydomain.com

    However in the home assistant companion app (android) what occurs is:

    • open mobile app
    • mobile app launches browser
    • browser login to has.mydomain.com
    • redirected for authentication at auth.mydomain.com
    • enter credentials, if successful redirects back to has.mydomain.com
    • home assistant companion app doesn't authenticate

    https://github.com/home-assistant/android/issues/1438#issuecomment-802956402 maybe related to this: return if (redirectUrl.startsWith(AUTH_CALLBACK) && !code.isNullOrBlank()) {

    I'm a bit out of my element here but hoping for some direction about how to make this work.

    opened by repomanz 28
  • Single Authelia Server for Multiple Endpoints

    I have my authelia setup in a docker container behind an NGINX proxy on Server 1.

    I can successfully use set $upstream_authelia http://[host_ip]:9091/api/verify; to use authelia to protect endpoints on Server 1.

    However, say on Server 2 I have other endpoints I want to protect. If I use set $upstream_authelia https://authelia.mydomain.com/api/verify; the redirect fails and I get a 500 error.

    How can I use authelia on remote endpoints securely?

    opened by drtech981 26
  • Access to https://traefik.domain.co.nz/ is not authorized to user ,

    Good Afternoon all. I have decided to setup Authelia for the first time today and I am having some problems

    Whenever I try to visit traefik.domain.co.nz it immediately takes me to a 404 page (the URL changes to https://login.domain.co.nz/#/?rd=https%3A%2F%2Ftraefik.domain.co.nz%2F ). I do not get a sign in page at all. When I view the logs of authelia I get the following

    [email protected]    | time="2020-09-29T22:49:53-04:00" level=info msg="Logging severity set to debug"
    [email protected]    | time="2020-09-29T22:49:53-04:00" level=debug msg="Storage schema is being checked to verify it is up to date"
    [email protected]    | time="2020-09-29T22:49:53-04:00" level=debug msg="Storage schema is up to date"
    [email protected]    | time="2020-09-29T22:49:53-04:00" level=info msg="Authelia is listening for non-TLS connections on 0.0.0.0:9091"
    [email protected]    | time="2020-09-29T22:50:48-04:00" level=info msg="Access to https://traefik.domain.co.nz/ is not authorized to user , redirecting to https://login.domain.co.nz/#/?rd=https%3A%2F%2Ftraefik.domain.co.nz%2F" method=GET path=/api/verify remote_ip=10.0.0.28
    

    Here are my configs

    traefik.yml

    version: "3.8"
    
    secrets:
      AUTHELIA_JWT_SECRET:
        file: "/var/data/config/secrets/authelia_jwt_secret.secret"
      AUTHELIA_SESSION_SECRET:
        file: "/var/data/config/secrets/authelia_session_secret.secret"
    
    services:
      traefik:
        image: traefik:latest
        ports:
          - "80:80"
          - "8080:8080" # traefik dashboard
          - "443:443"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - /var/data/config/traefikv2:/etc/traefik
        networks:
          - traefik_public
        deploy:
          labels:
            - "traefik.docker.network=traefik_public"
            - "traefik.http.routers.api.rule=Host(`traefik.domain.co.nz`)"
            - "[email protected]"
            - "traefik.http.services.api.loadbalancer.server.port=9999"
            - "[email protected]"
    
      authelia:
        image: authelia/authelia
        secrets:
          - AUTHELIA_JWT_SECRET
          - AUTHELIA_SESSION_SECRET
        environment:
          - TZ=America/New_York
        networks:
          - traefik_public
        ports:
          - 9091:9091
        volumes:
          - /var/data/config/authelia:/config
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.authelia.entrypoints=https"
          - "traefik.http.routers.authelia.rule=Host(`login.domain.co.nz`)"
          - "traefik.http.services.authelia.loadbalancer.server.port=9091"
          - "traefik.http.routers.authelia.tls=true"
    
    
    networks:
      traefik_public:
        external: true
    

    My middleware

      middlewares:
        forward-auth:
          forwardAuth:
            address: "http://authelia:9091/api/verify?rd=https://login.domain.co.nz/"
            trustForwardHeader: true
            authResponseHeaders:
              - "Remote-User"
              - "Remote-Groups"
    

    Authelia configuration

    host: 0.0.0.0
    port: 9091
    log_level: debug
    jwt_secret: xxx
    
    totp:
      issuer: authelia.com
      period: 30
      skew: 1
    
    
    authentication_backend:
      file:
        path: /config/users_database.yml
    
    access_control:
      default_policy: two_factor
      rules:
        - domain: "login.domain.co.nz"
          policy: bypass
    
    #    - domain: "*.domain.co.nz"
    #      policy: bypass
    #      networks:
    #      - 10.0.0.28
    
        - domain: "*.domain.co.nz"
          policy: two_factor
    
    
    session:
      name: authelia_session
      secret: xxx
      expiration: 3600
      inactivity: 300
      domain: domain.co.nz
    
    regulation:
      max_retries: 3
      find_time: 120
      ban_time: 300
    
    storage:
      local:
        path: /config/db.sqlite3
    
    notifier:
      filesystem:
        filename: /config/notification.txt
    

    If I uncomment the network bypass I'm able to visit the site normally. Does anyone know why it won't let me connect to the login page?

    Thanks

    type/question priority/2/high type/integration-issue 
    opened by Bencey 26
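The rule evaluation behind the question above, as an added example that is not Authelia's own evaluator: rules are tried in order, the first rule whose domain pattern and (optional) source networks both match decides the policy, and otherwise default_policy applies. The two rule sets are transcribed from the posted configuration, once as written and once with the commented-out network bypass restored, so the effect of that rule can be seen side by side. The "*.suffix" glob and the network matching are simplified semantics assumed for this example; the 203.0.113.5 address is a constructed outside client.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Rule is one access_control entry: a domain pattern, the policy it grants and
// optional source networks (CIDRs or single IPs) that must also match.
type Rule struct {
	Domain   string
	Policy   string // bypass, one_factor, two_factor or deny
	Networks []string
}

// matchDomain treats "*.suffix" as "any host ending in .suffix" (the zone apex
// itself does not match) and anything else as an exact host name. Simplified
// glob semantics assumed for this example.
func matchDomain(pattern, host string) bool {
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(host, pattern[1:])
	}
	return pattern == host
}

// matchNetworks is true when the rule carries no network restriction, or when
// the remote IP equals a listed address or falls inside a listed CIDR.
func matchNetworks(networks []string, remoteIP string) bool {
	if len(networks) == 0 {
		return true
	}
	addr := net.ParseIP(remoteIP)
	if addr == nil {
		return false // unparseable source address never satisfies a network rule
	}
	for _, n := range networks {
		if strings.Contains(n, "/") {
			if _, cidr, err := net.ParseCIDR(n); err == nil && cidr.Contains(addr) {
				return true
			}
			continue
		}
		if ip := net.ParseIP(n); ip != nil && ip.Equal(addr) {
			return true
		}
	}
	return false
}

// Evaluate returns the policy of the first matching rule, else defaultPolicy.
func Evaluate(rules []Rule, defaultPolicy, host, remoteIP string) string {
	for _, r := range rules {
		if matchDomain(r.Domain, host) && matchNetworks(r.Networks, remoteIP) {
			return r.Policy
		}
	}
	return defaultPolicy
}

// postedRules mirrors the active rules in the post: the login host is bypassed,
// every other host under the zone requires two_factor.
var postedRules = []Rule{
	{Domain: "login.domain.co.nz", Policy: "bypass"},
	{Domain: "*.domain.co.nz", Policy: "two_factor"},
}

// withNetworkBypass restores the commented-out rule from the post.
var withNetworkBypass = []Rule{
	{Domain: "login.domain.co.nz", Policy: "bypass"},
	{Domain: "*.domain.co.nz", Policy: "bypass", Networks: []string{"10.0.0.28"}},
	{Domain: "*.domain.co.nz", Policy: "two_factor"},
}

func main() {
	cases := []struct{ host, ip string }{
		{"traefik.domain.co.nz", "10.0.0.28"},  // the remote_ip in the posted log line
		{"login.domain.co.nz", "10.0.0.28"},    // the portal host itself
		{"traefik.domain.co.nz", "203.0.113.5"}, // constructed outside client
	}
	for _, c := range cases {
		fmt.Printf("%-22s from %-12s posted=%-10s with-bypass=%s\n", c.host, c.ip,
			Evaluate(postedRules, "two_factor", c.host, c.ip),
			Evaluate(withNetworkBypass, "two_factor", c.host, c.ip))
	}
}
```

Two things the model makes visible: with the rules as posted, traefik.domain.co.nz correctly resolves to two_factor, so the "not authorized ... redirecting" log line is the expected outcome for a request with no session, and the question is really why the portal at login.domain.co.nz then fails to load. And a network-scoped bypass is only as safe as the address Authelia sees as remote_ip; the posted log shows 10.0.0.28, so a rule keyed on that address bypasses every request arriving with it, which is worth checking before relying on it.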
  • Notify User of Important Events

    Description

    Email users when important events occur. This will require the following:

    1. [ ] A new email template specific for events.

    Use Case

    Examples:

    • [ ] 2FA credential added.
    • [ ] 2FA credential removed.
    • [ ] Suspicious Activity:
      • [ ] Webauthn Clone Detection.
    • [ ] Failed 2FA.
    • [ ] Failed login.
      • This will require some gatekeeping to prevent email spam.
      • Will likely be a future endeavor.
    • [ ] Login from new IP.
      • Requires logging which remote IP's users have logged in from.
      • Will likely be a future endeavor.
    • [ ] Login from new device.
      • Requires storing an opaque cryptographically secure value in localStorage.
      • Will likely be a future endeavor.
    • [ ] Consent Grant Notifications (OpenID Connect 1.0 / SAML 2.0).
      • Will likely be a future endeavor.
      • Skip implicit consent?
      • Allow users to opt in.
    • [ ] Allow users to enable/disable particular notifications.
      • Will likely be a future endeavor.

    Details

    No response

    Documentation

    No response

    priority/4/normal type/feature status/needs-design 
    opened by james-d-elliott 3
  • feat: skip email id verification if user is logged in with 2fa already

    The current 2-factor authentication method registration flow requires email verification for both initial 2FA registration, and 2FA re-registration even if the user is already logged in with 2FA.

    This change removes email ID verification for users who are already logged in with 2-factor authentication. Users who have only completed first factor authentication (password) are still required to complete email ID verification.

    Token validation logic from IdentityVerificationFinish has been separated out into a new identityVerificationValidateToken function to satisfy cyclomatic complexity requirements.

    Note: This PR also re-enables the eslint plugin in vite.config.ts.

    opened by smkent 1
  • Design: Support for multiple WebAuthn devices for each user

    Description

    Desired user scenarios:

    Use Case

    It's common and recommended for users with hardware security tokens (ex. Yubikeys) to have more than one. As an example, I have a backup Yubikey in case my main key gets lost. Each of my Yubikeys is configured in my accounts where I use them for 2-factor authentication. Hardware security tokens are usable via the WebAuthn protocol, which Authelia already uses and supports.

    Sites which support hardware security tokens for 2-factor authentication generally support this use case. Examples include Google, Dropbox, and GitHub.

    This feature was requested in https://github.com/authelia/authelia/issues/275.

    Details

    For reference, this is the current WebAuthn device registration flow:

    1. On the login frame (at either the OneFactor or TwoFactor authentication levels), the user clicks the "Lost your device?" link registration-flow-link
    2. Authelia generates a token, encoded as JWT, and sends the user an email containing a link with the JWT token
    3. User clicks the link in their email
    4. Authelia retrieves the token from the URI, decodes and verifies the JWT, and performs the WebAuthn attestation ceremony.
    5. On successful WebAuthn device attestation, the new device info is stored in the Authelia database. Currently the device registration is hardcoded with a description of Primary. If an existing device was registered, it is overwritten.
    6. On WebAuthn device registration success, the user is redirected back to the login page (which then re-prompts for 2FA authentication with the new device).

    Proposed changes: Users can add more than one WebAuthn device to their account

    • As mentioned on Authelia's WebAuthn roadmap, the storage backend has existing support for multiple devices. Devices are overwritten on re-registration simply due to the hardcoded name (referred to in the backend as "description") Primary which is used for all devices. The hardcoded device name should be removed so it can be provided to the backend via the API as in https://github.com/authelia/authelia/pull/4363.

    • Support entry of a user-provided device name as part of the WebAuthn device registration flow. This can then be provided to the backend on registration via the previously mentioned API change.

      • The user should be prevented from reusing the name of an existing device within their account by both the UI and backend

    Proposed changes: Users can manage their existing WebAuthn devices within their account

    • New UI is needed for device management. From the roadmap and discussions on Discord, the desired feature is an extensible user account settings UI. Although the UI may only support WebAuthn device management initially, this UI would later provide options for management of other 2FA options and other unrelated settings (such as Authelia service configuration options, perhaps).
      • Some existing work on a settings UI is present in the feat-settings-ui branch. The UI in this branch currently looks like this:

    feat-settings-ui

    • WebAuthn settings UI should display information about registered devices:

      • User-entered device name ("description" in the backend)
      • Additional details such as registered date, and last used date. These values are already stored in the database.
      • No API endpoint currently exists for retrieving configured WebAuthn device information for a user. A new API endpoint is needed. (A new endpoint is present in the feat-settings-ui branch.)
    • WebAuthn settings UI should allow registration of multiple devices. Some options:

      1. Reuse existing registration flow. Without additional changes, re-launching the flow will send the user another email with a link+token. Opening this page will start the WebAuthn device attestation/registration flow. Pros: Smallest code change. Cons: Cumbersome for the user, as it requires an email round-trip for each new added device.
      2. Reuse existing registration flow, without requiring email verification when already logged in at the TwoFactor level. Pros: Still a smaller code change. Less cumbersome for the user. No expected security impact as the user already had to verify their email to register/log in with 2FA in the first place. Cons: Redirection to existing flow may be jarring for users.
      3. Reuse existing registration flow in a popup modal over the new settings UI, without requiring email verification when already logged in at the TwoFactor level. Pros: Most intuitive flow for the user. Modal popup makes it more obvious the registration function operates within the settings UI space. No expected security impact as the user already had to verify their email to register/log in with 2FA in the first place. Cons: Largest code change.
      • Note: Skipping email verification when logged in at the TwoFactor level could be accomplished by simply succeeding the identity verification middleware if the user's auth level is TwoFactor. I sketched this out here: https://github.com/smkent/authelia/pull/1
    • WebAuthn settings UI should allow rename of multiple devices.

      • A new API endpoint is needed for modifying a WebAuthn device.
    • WebAuthn settings UI should allow deletion of multiple devices.

      • A new API endpoint is needed for deleting a WebAuthn device.
      • When all WebAuthn devices are deleted, my preferred option is to:
        1. Do nothing. The user will remain logged in at the TwoFactor level within their current session. Logging in again will automatically restart the 2FA device registration prompt if no other 2FA methods are enabled. Pros: Less disruptive flow for the user. User can delete their last device and (re-)add a device in the settings UI without their session ending.

    Additional considerations

    • Email-based identity verification may be reworked via https://github.com/authelia/authelia/issues/3801, which would replace the JWT token with a randomly generated one time password. This may affect some of the proposed feature implementation above.

    Implementation steps

    • Remove hardcoded Primary device name for registered WebAuthn devices: https://github.com/authelia/authelia/pull/4363
    • Add device name prompt to WebAuthn device registration flow UI, and pass the entered name on registration in the API. Require a unique name for each of the user's devices, by indicating if the requested name is in use in the /api/secondfactor/webauthn/attestation response.
    • ~~Add an endpoint to retrieve a user's WebAuthn devices information~~ (implemented within feat-settings-ui)
    • Create new UI for WebAuthn device management (as an extensible Settings UI) (partially implemented within feat-settings-ui)
    • Support WebAuthn device registration within the new settings UI
      • Skip identity verification when registering a new WebAuthn device if the user is already logged in with 2FA (WIP code https://github.com/smkent/authelia/pull/1)
      • Organize existing WebAuthn device registration flow into a React component
      • Provide option to launch WebAuthn device registration flow from the new settings UI
    • Support WebAuthn device rename within the new settings UI
      • Add API endpoint for setting the name of an existing WebAuthn device
      • Implement device rename in the settings UI using the above-mentioned endpoint
    • Support WebAuthn device deletion within the new settings UI
      • Add API endpoint for deleting an existing WebAuthn device
      • Implement device deletion in the settings UI using the above-mentioned endpoint

    Implementation follow-ups

    These todo items follow the implementation of the major design features in this issue.

    • Webauthn UI improvements:
      • [ ] Implement Webauthn device rename UI
        • Open question: What form should this take?
      • [ ] Optional: Confirm before deleting Webauthn devices
      • [ ] Use more compact display or alternate presentation method for Webauthn devices table?
        • Consider Webauthn / security key management UI designs in other apps for inspiration
        • Perhaps keys should be tiles instead of table rows?
        • Choose UI element(s) that work well with expandable / extended information
      • [ ] Open question: Should edit / delete actions show progress / failure or be optimistic?
      • [ ] Show a loading block in place of the devices list while the devices list is still loading https://github.com/authelia/authelia/pull/4406
      • [x] Indicate in the UI when no Webauthn devices are registered https://github.com/authelia/authelia/pull/4405
    • General UI improvements:
      • [x] Add element to close UI and return to login flow / landing page
      • [ ] ~~Open question: Should the left settings nav bar be collapsible?~~ (IMO this is feature creep for now)
    • Flow updates:
      • [ ] Initial 2FA enrollment should lead user back to second-factor authentication instead of leaving them in the settings UI at the OneFactor authentication level
        • Idea: Introduce / use a value indicating the current user has a higher authentication level available than their current level
    • Naming and text conventions
      • [ ] Rename the settings UI AppBar text from "Settings" to something more general (perhaps with Authelia branding)
      • [ ] Use consistent naming for Webauthn devices
        • The current UI refers to these as Webauthn devices in some places and security keys in others. We should choose and implement consistent naming for this feature. (TOTP / "One-Time Password" merits similar attention.)

    Future settings UI-related feature work

    These are additional brainstorming items and should be ticketed separately.

    • Move TOTP management and enrollment flow into the settings UI
    • Move Duo management and enrollment flow into the settings UI
    • Indicate which 2FA methods are enabled / default in the settings UI
    • If the new settings UI will serve as the main landing page, populate the main ("Overview") tab with content
    • Misc UI improvements:
      • In the login flow, move the "Logout" and "Methods" buttons to be within the login frame
      • Set the visual login frame (box with rounded gray border) to be a more consistent height. Currently, progressions through the login and 2FA registration flows cause the visual login frame to change height on each step which is somewhat visually jarring for the user.
    Labels: priority/4/normal, type/feature, status/needs-design
    opened by smkent 4
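    As an added illustration (not code from the issue, from smkent's branch, or from Authelia itself), the two server-side rules the design above asks for: a session already at the TwoFactor level skips email identity verification when registering a device, and a device name must be unique per user. `AuthLevel`, `DeviceStore` and `Register` are hypothetical stand-ins, not Authelia's real types or endpoints.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// AuthLevel models the OneFactor / TwoFactor session levels the issue refers to (hypothetical type).
type AuthLevel int
const (
	OneFactor AuthLevel = iota + 1
	TwoFactor
)
// ErrNameInUse signals a violation of the per-user unique device name rule from the design.
var ErrNameInUse = errors.New("device name already in use")
// DeviceStore is a constructed in-memory stand-in for each user's registered WebAuthn device names.
type DeviceStore struct{ devices map[string][]string }

// AddDeviceName rejects empty names and names the same user already uses (compared case-insensitively).
func (s *DeviceStore) AddDeviceName(user, name string) error {
	name = strings.TrimSpace(name)
	if name == "" {
		return errors.New("device name must not be empty")
	}
	for _, existing := range s.devices[user] {
		if strings.EqualFold(existing, name) {
			return ErrNameInUse
		}
	}
	if s.devices == nil {
		s.devices = map[string][]string{}
	}
	s.devices[user] = append(s.devices[user], name)
	return nil
}

// Register applies the gate sketched in the issue: TwoFactor skips identity verification, weaker sessions need it, duplicates yield 409.
func (s *DeviceStore) Register(user string, level AuthLevel, identityVerified bool, name string) int {
	if level != TwoFactor && !identityVerified {
		return http.StatusForbidden
	}
	switch err := s.AddDeviceName(user, name); {
	case errors.Is(err, ErrNameInUse):
		return http.StatusConflict
	case err != nil:
		return http.StatusBadRequest
	}
	return http.StatusCreated
}
```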
  • feat(web): experiment with login ui flow

    I'm experimenting with the login UI flow.

    Changes in here:

    • Move the 2FA method / logout links in the login flow to within the login form/flow main grid element
    • Create a basic two-button landing page with settings / logout links to replace the 2FA logged in checkmark landing view
    • Use /login as the first factor page URI, and use / as the logged in landing page URI
    • Redirect from the settings page to / if unauthenticated. (/ will further redirect to the correct login step.)
    opened by smkent 1
Releases: v4.37.2