Menu
I want to add multi-factor authentication with TOTP soft tokens to an Angular & Spring application, while keeping everything as close as possible to the defaults of Spring Boot Security Starter.
The token-validation happens locally (with the aerogear-otp-java library), no third party API provider.
Setting up tokens for a user works, but validating them by leveraging Spring Security Authentication Manager/Providers does not.
The API has an endpoint /auth/token from which the frontend can get a JWT token by providing username and password. The response also includes an authentication-status, which can be either AUTHENTICATED or PRE_AUTHENTICATED_MFA_REQUIRED.
If the user requires MFA, the token is issued with a single granted authority of PRE_AUTHENTICATED_MFA_REQUIRED and an expiration-time of 5 minutes. This allows the user to access the endpoint /auth/mfa-token where they can provide the TOTP code from their Authenticator app and get the fully authenticated token to access the site.
I have created my custom MfaAuthenticationProvider which implements AuthenticationProvider:
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
// validate the OTP code
}
@Override
public boolean supports(Class<?> authentication) {
return OneTimePasswordAuthenticationToken.class.isAssignableFrom(authentication);
}
And a OneTimePasswordAuthenticationToken which extends AbstractAuthenticationToken to hold the username (taken from the signed JWT) and the OTP code.
I have my custom WebSecurityConfigurerAdapter, where I add my custom AuthenticationProvider via http.authenticationProvider(). Accoring to the JavaDoc, this seems to be the right place:
Allows adding an additional AuthenticationProvider to be used
The relevant parts of my SecurityConfig looks like this.
@Configuration
@EnableWebSecurity
@EnableJpaAuditing(auditorAwareRef = "appSecurityAuditorAware")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final TokenProvider tokenProvider;
public SecurityConfig(TokenProvider tokenProvider) {
this.tokenProvider = tokenProvider;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authenticationProvider(new MfaAuthenticationProvider());
http.authorizeRequests()
// Public endpoints, HTML, Assets, Error Pages and Login
.antMatchers("/", "favicon.ico", "/asset/**", "/pages/**", "/api/auth/token").permitAll()
// MFA auth endpoint
.antMatchers("/api/auth/mfa-token").hasAuthority(ROLE_PRE_AUTH_MFA_REQUIRED)
// much more config
The AuthController has the AuthenticationManagerBuilder injected and is pulling it all together.
@RestController
@RequestMapping(AUTH)
public class AuthController {
private final TokenProvider tokenProvider;
private final AuthenticationManagerBuilder authenticationManagerBuilder;
public AuthController(TokenProvider tokenProvider, AuthenticationManagerBuilder authenticationManagerBuilder) {
this.tokenProvider = tokenProvider;
this.authenticationManagerBuilder = authenticationManagerBuilder;
}
@PostMapping("/mfa-token")
public ResponseEntity<Token> mfaToken(@Valid @RequestBody OneTimePassword oneTimePassword) {
var username = SecurityUtils.getCurrentUserLogin().orElse("");
var authenticationToken = new OneTimePasswordAuthenticationToken(username, oneTimePassword.getCode());
var authentication = authenticationManagerBuilder.getObject().authenticate(authenticationToken);
// rest of class
However, posting against /auth/mfa-token leads to this error:
"error": "Forbidden",
"message": "Access Denied",
"trace": "org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for de.....OneTimePasswordAuthenticationToken
Why does Spring Security not pick up my Authentication Provider? Debugging the controller shows me that DaoAuthenticationProvider is the only Authentication Provider in AuthenticationProviderManager.
If I expose my MfaAuthenticationProvider as bean, it is the only Provider that is registered, so I get the opposite:
No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken.
So, how do I get both?
What is the recommended way to integrate an additional AuthenticationProvider into a Spring Boot Security Starter configured system, so that I get both, the DaoAuthenticationProvider and my own custom MfaAuthenticationProvider? I want to keep the defaults of Spring Boot Scurity Starter and have my own Provider additionally.
I know that the OTP algorithm does not by itself protect against replay attacks within the time slice in which the code is valid; RFC 6238 makes this clear
The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
I was wondering if there is a recommended way to implement protection. Since the OTP tokens are time based I am thinking of storing the last successful login on the user's model and making sure there is only one successful login per 30 seconds time slice. This of course means synchronization on the user model. Any better approaches?
Thank you.
--
PS: since this is a question about security I am looking for an answer drawing from credible and/or official sources. Thank you.
850
JWT and Social Authentication using Spring Boot Two-factor authentication is a way to increase the security of your product by adding an extra layer of security by asking the user to provide a second form of identification alongside username and password.
OAuth 2.0 and MFA are not related to one another directly. OAuth 2.0 is an authorization protocol which provides a client application with the delegated access. Way of delegation is defined by grant type and based on the use case you can choose one or another.
Can You Combine Both SSO and MFA? Yes! It is recommended that you implement both to get the most benefits. Single Sign On has ease of use benefits but less security benefits and Multifactor Authentication has more security benefits but less ease of use benefits.
To answer my own question, this is how I implemented it, after further research.
I have a provider as a pojo that implements AuthenticationProvider. It's deliberately not a Bean/Component. Otherwise Spring would register it as the only Provider.
public class MfaAuthenticationProvider implements AuthenticationProvider {
private final AccountService accountService;
@Override
public Authentication authenticate(Authentication authentication) {
// here be code
}
In my SecurityConfig, I let Spring autowire the AuthenticationManagerBuilder and manually inject my MfaAuthenticationProvider
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final AuthenticationManagerBuilder authenticationManagerBuilder;
@Override
protected void configure(HttpSecurity http) throws Exception {
// other code
authenticationManagerBuilder.authenticationProvider(getMfaAuthenticationProvider());
// more code
}
// package private for testing purposes.
MfaAuthenticationProvider getMfaAuthenticationProvider() {
return new MfaAuthenticationProvider(accountService);
}
After standard authentication, if the user has MFA enabled, they are pre authenticated with a granted authority of PRE_AUTHENTICATED_MFA_REQUIRED. This allows them to access a single endpoint, /auth/mfa-token.
This endpoint takes the username from the valid JWT and the provided TOTP and sends it to the authenticate() method of the authenticationManagerBuilder, which chooses the MfaAuthenticationProvider as it can handle OneTimePasswordAuthenticationToken.
var authenticationToken = new OneTimePasswordAuthenticationToken(usernameFromJwt, providedOtp);
var authentication = authenticationManagerBuilder.getObject().authenticate(authenticationToken);
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With