[Feature Request]: TOTP Auth about schulcloud-server HOT 8 OPEN

Related to: #1745

from schulcloud-server.

Hi @Chaostheorie, I fully support this idea from the tech and the security side. We already tested some tings here. But: From a strategic side we suggested form the beginning of the project that the Schul/Cloud is used in conjunction with IDM systems provided by the federal states. And form the architectural part TOTP then belongs into the IDM layer. Still if someone would do a PR we will be happy to review and integrate.

from schulcloud-server.

@janrenz I totally agree with you: this belongs to the IDM layer and shouldn't be mixed in the business layer.
You can think about a solution based on keycloak.

from schulcloud-server.

@piwo1984 I'm sorry, if I'm asking a silly question, but where is your IDM-layer code located?
I'm new to the codebase and would love to help with this.

from schulcloud-server.

@Chaostheorie there isn't any code base. This is just an idea about a possible deployment architecture. As @janrenz mentioned this is out of scope of the Schul/Cloud project. But one can think about providing a lean deployment stack (docker-compose based) for others to get an instance of the SchulCloud up and running quickly.

from schulcloud-server.

Hi, the things we doing in a role as a IDM are in the Server Code. For states where we run with an external IDM, these IDMs are not part of this repo. Some use Univention products, some custom build stuff, some iserv.
For a local Docker based instance check: https://github.com/hpi-schul-cloud/docker-compose
For running at K8s you can check out the WIP branches like https://github.com/hpi-schul-cloud/schulcloud-server/tree/kubectls-experiments where we try to move the K8s specific stuff from an internal repo into the service repos.

from schulcloud-server.

@piwo1984 Are you sure this couldn't be integrated? AFAIK TOPT can be integrated without changing the environment too much.
Changes that would be required is an additional field for the Key in the identity manger (LDAP) and an additional field or dialog for the key in the login form. The input from this field can be checked by the server with the current time and the key.

@janrenz thank your pointing me to the repos. I will take a look at it later :)

from schulcloud-server.

@Chaostheorie I'm not aware of this "feature" of schulcloud-server. I will have to inspect this first. But I'm in doubt that integration TOPT will be this simple. In case you add such a functionality you have to make sure to don't break anything else.

from schulcloud-server.