Closed
Bug 1225366
Opened 9 years ago
Closed 9 years ago
allow duo authentication for users already enrolled with duo
Categories
(bugzilla.mozilla.org :: General, defect)
RESOLVED
FIXED
People
(Reporter: glob, Assigned: glob)
Attachments
(1 file)
8.96 KB, patch (dylan: review+, dylan: feedback+)
i was chatting with atoll on irc about the duo situation on bmo. he pointed me towards the /preauth endpoint: https://www.duosecurity.com/docs/authapi#/preauth

this will allow us to change our enrolment process to provide duo support to users who are currently enrolled, and provide an appropriate message to people who are not. this negates current duo licensing concerns.

after someone provides their ldap email address, we'd query /preauth and if we get { result: auth } or { result: allow } we can continue the enrolment process. otherwise we should display a message that duo isn't available for their account.

once duo is available to all employees (q1 2016 is the current estimate), then we can update the message to direct people towards the enrolment process instead.
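The /preauth gate proposed in the description above, as an added example that is not part of the original bug or the BMO patch: it maps a raw /preauth response body to a continue-or-stop decision and fails closed on anything that is not a well-formed success reply. The helper name `preauth_decision`, the `proceed`/`reason` keys and the sample bodies are assumptions made for illustration; the `stat`/`response`/`result` fields follow the JSON envelope of Duo's Auth API.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP qw(decode_json);

# Hypothetical helper (not BMO code): turn a raw /preauth response body into
# an enrolment decision. Anything that is not a well-formed success envelope
# fails closed instead of being treated as "enrolled".
sub preauth_decision {
    my ($body) = @_;

    # decode_json dies on non-JSON (e.g. a proxy's HTML error page);
    # eval turns that into undef, which is rejected below.
    my $data = eval { decode_json($body // '') };
    return { proceed => 0, reason => 'invalid_response' }
        unless ref($data) eq 'HASH';

    return { proceed => 0, reason => 'api_error' }
        unless ($data->{stat} // '') eq 'OK'
        && ref($data->{response}) eq 'HASH';

    my $result = $data->{response}{result} // '';
    $result = '' if ref $result;    # result must be a plain string

    # Per the bug description: "auth" or "allow" continue BMO enrolment.
    return { proceed => 1, reason => $result }
        if $result eq 'auth' || $result eq 'allow';

    # Everything else gets the "Duo isn't available" message.
    return { proceed => 0, reason => 'not_available' };
}

# Constructed sample bodies (not captured traffic).
my @samples = (
    [ enrolled  => '{"stat":"OK","response":{"result":"auth"}}' ],
    [ bypass    => '{"stat":"OK","response":{"result":"allow"}}' ],
    [ no_device => '{"stat":"OK","response":{"result":"enroll"}}' ],
    [ api_fail  => '{"stat":"FAIL","message":"constructed error"}' ],
    [ html_page => '<html><body>502 Bad Gateway</body></html>' ],
    [ truncated => '{"stat":"OK","response":{"resu' ],
);

for my $sample (@samples) {
    my ($name, $body) = @$sample;
    my $d = preauth_decision($body);
    printf "%-10s proceed=%d reason=%s\n", $name, $d->{proceed}, $d->{reason};
}
```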
"our enrolment process" above references BMO's MFA enrolment process, not login.mozilla.com or Duo iframe enrolment process. Advise discussing with :rtucker to confirm, but I'm happy to be online for that if needed to clarify/research/whatever anything here.
- add preauth check so we can display a nice error to the user if they are not duo-enrolled
Comment on attachment 8688857 [details] [diff] [review] 1225366_1.patch Review of attachment 8688857 [details] [diff] [review]: ----------------------------------------------------------------- ::: Bugzilla/DuoAPI.pm @@ +143,5 @@ > + my $self = shift; > + my $res = $self->api_call(@_); > + my $json = $res->content(); > + if ($json !~ /^{/) { > + croak($json); Would this be more useful as croak('Invalid response: ' . $json); ? ::: template/en/default/account/prefs/mfa.html.tmpl @@ +138,4 @@ > [% IF Param("duo_host") && user.in_group("mozilla-employee-confidential") %] > <button type="button" id="mfa-select-duo">Duo Security</button><br> > <blockquote> > + Requires a <a href="https://login.mozilla.com/duo_enrollments/" target="_blank">Duo Security</a> Consider linking to a mana page here, rather than to login.m.c, since the relevant EUS mana page would provide users with steps to *request* Duo, and once you've received an allocation, to *enroll* Duo - while the page linked here only functions if you are both permitted to enroll AND haven't yet actually enrolled yet. ::: template/en/default/mfa/duo/not_enrolled.html.tmpl @@ +48,5 @@ > + completed the Duo Security enrollment process. > + </p> > + > + <p> > + Note: Duo Security MFA may not yet be available for your Mozilla account. Consider "Contact EUS for more information" or similar.
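Review bot: In Bugzilla/DuoAPI.pm, `croak($json)` raises the whole non-JSON response body as the exception text, and the `$json !~ /^{/` test only looks at the first character, so a truncated or malformed body that happens to start with `{` passes this check. If this exception can reach a user-facing error page, croak with a fixed message and log a length-limited copy of the body instead, and let the JSON decode step decide whether the response is valid.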
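Review bot: In template/en/default/account/prefs/mfa.html.tmpl, the added Duo Security link uses target="_blank" with no rel attribute. Add rel="noopener noreferrer" so the page opened in the new tab gets no window.opener handle back to the MFA preferences page; this applies whichever URL the link ends up pointing to.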
(In reply to Richard Soderberg [:atoll] from comment #3)
> ::: Bugzilla/DuoAPI.pm
> Would this be more useful as croak('Invalid response: ' . $json); ?

that's code from a module duo supplies so i'm hesitant to carry changes here unless necessary. in this case it isn't :)

> Consider linking to a mana page here, rather than to login.m.c, since the
> relevant EUS mana page would provide users with steps to *request* Duo, and
> once you've received an allocation, to *enroll* Duo - while the page linked
> here only functions if you are both permitted to enroll AND haven't yet
> actually enrolled yet.

sounds reasonable. https://mana.mozilla.org/wiki/display/SD/DuoSecurity ?

> > + Note: Duo Security MFA may not yet be available for your Mozilla account.
>
> Consider "Contact EUS for more information" or similar.

also reasonable; thanks.
Updated•9 years ago
Attachment #8688857 - Flags: feedback+
Comment 6•9 years ago
Comment on attachment 8688857
1225366_1.patch

Review of attachment 8688857:
-----------------------------------------------------------------

r=dylan (it took some digging to find my duo testing creds)
Attachment #8688857 - Flags: review?(dylan) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git 94800e1..14bb07a master -> master
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED