2FA #25
Comments
Hey @nickperry thanks for the comment. I was trying to make osprey a bit more independent of the backend, so that it could also use other connectors that return custom login pages, but I haven't spent much time with it. The idea was to allow a configuration for osprey per connector so that it knows how to read and post the login form. That way we could use any backend and the config would be on osprey itself. I was using htmlquery and xpath, but I was not very happy with the way I did it. The only other branch in the repo is the one with the code, in case you want to take a look, but it is pretty much a very raw attempt.
Hey @nickperry, not sure if you're still looking into this or not. The way I've seen 2fa implemented is to use an LDAP proxy which does the following:
I've seen this used in production and it works well. You do have to pay for Duo, but it will work on mobile and supports OTP / SMS / Push based 2fa. This is their auth-proxy. If you need OTP, an alternative way to do this is to have the user type their Just some thoughts for anyone stumbling across this.
I love Osprey, but we have a new requirement for multi factor authentication.
There are other tools I can use to achieve OTP MFA for Kubernetes with OIDC, but as far as I can see they are all reliant on using a web browser, and I am loath to abandon the clean, CLI-only approach of Osprey.
From a quick look at the Dex code, I don't think it supports MFA.
If an alternative OIDC provider with MFA support offered customisable web templates like Dex does, it would be quite easy to adapt Osprey to work with it and pass an OTP value along with the username / password.