
Muzosh/nextcloud_twofactor_webeid


twofactor_webeid

This installable Nextcloud app provides two-factor authentication based on the Web-eID solution.

It is currently written to run with the InfinitEID solution, but because the card-specific logic is confined to the authenticate() function, it also works with other Web-eID compatible cards once that function is implemented for them.

Usage (DEVELOPER)

  1. Clone this repository into the <nextcloud-path>/apps directory
  2. (IMPORTANT) Rename the application folder from nextcloud_twofactor_webeid to twofactor_webeid; Nextcloud identifies the app by its folder name
  3. Install the authtoken validation library with composer install (see composer.json for the require details)
  4. Check lib/Service/WebEidService.php:authenticate() and implement a different authentication mechanism there if your card needs one
  5. Use the OCC command to enable (register) this app:
    • occ app:enable twofactor_webeid
  6. Use the OCC command to enable this app as a second factor for a specific user:
    • occ twofactorauth:enable <userID> twofactor_webeid
  7. Use the OCC command to specify the subject CN of the user certificate loaded on the card; this setting binds the card to the Nextcloud account, so a card with any other subject CN is rejected for that user:
    • occ user:setting <userID> twofactor_webeid subject_cn "<user subject CN>"
  8. Add the trusted certificates (the certificates of the CAs that issued the on-card user certificates) into /trustedcerts; the validation library needs them before it can verify any authtoken
  9. After <userID> logs in with username and password, they are asked to insert the card into the reader and click the Authenticate button
  10. The Web-eID authentication process is executed
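The check behind steps 4 and 7 is the binding between the card and the account: once the validation library has verified the authtoken and handed back the user certificate, its subject CN must equal the subject_cn stored for that user. The following is an added example, not the app's or the Web-eID library's own code. It uses the PHP OpenSSL extension to generate a throwaway self-signed certificate as a constructed stand-in for the on-card certificate (in the real flow the certificate comes out of the validated authtoken), and the function names and the sample CN are assumptions for illustration:

```php
<?php
declare(strict_types=1);

// Added example (not from the twofactor_webeid project): binding a validated
// Web-eID user certificate to a Nextcloud account via the configured subject CN.
// Function names and the sample certificate below are assumptions.

/**
 * Build a throwaway self-signed certificate whose subject CN is $cn.
 * Constructed stand-in only: the real certificate is the one the validation
 * library extracts from the authtoken it has just verified.
 */
function makeStandInUserCert(string $cn): string
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_EC,
        'curve_name'       => 'prime256v1',
    ]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    $csr = openssl_csr_new(['countryName' => 'EE', 'commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $crt = $csr === false ? false : openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
    if ($crt === false) {
        throw new RuntimeException('certificate generation failed: ' . openssl_error_string());
    }
    openssl_x509_export($crt, $pem);
    return $pem;
}

/**
 * Extract the single subject CN of a PEM certificate, or null when the
 * certificate does not parse or carries zero or several CN attributes.
 */
function subjectCn(string $certPem): ?string
{
    $parsed = openssl_x509_parse($certPem);
    if ($parsed === false || !isset($parsed['subject']['CN'])) {
        return null;
    }
    $cn = $parsed['subject']['CN'];
    // Several CN RDNs come back as an array; refuse to guess which one to trust.
    return is_string($cn) ? $cn : null;
}

/**
 * Decide whether a validated card certificate belongs to the user whose
 * subject_cn setting (step 7) is $configuredCn.
 *  - no configured CN means the card was never enrolled for this account: deny;
 *  - compare the whole CN exactly, never a prefix or substring;
 *  - hash_equals() keeps the comparison time independent of where a mismatch is.
 */
function certificateBelongsToUser(string $certPem, ?string $configuredCn): bool
{
    if ($configuredCn === null || $configuredCn === '') {
        return false;
    }
    $cn = subjectCn($certPem);
    if ($cn === null) {
        return false;
    }
    return hash_equals($configuredCn, $cn);
}

// Demonstration with a constructed CN in the surname,given names,personal code layout.
$enrolledCn = 'JÕEORG,JAAK-KRISTJAN,38001085718';
$cert = makeStandInUserCert($enrolledCn);

$cases = [
    'exact match'            => [$enrolledCn, true],
    'prefix only'            => ['JÕEORG,JAAK-KRISTJAN', false],
    'trailing whitespace'    => [$enrolledCn . ' ', false],
    'user never enrolled'    => [null, false],
];
foreach ($cases as $label => [$configured, $expected]) {
    $result = certificateBelongsToUser($cert, $configured);
    printf("%-22s %s\n", $label . ':', $result === $expected ? 'as expected' : 'UNEXPECTED');
}
```

The order matters: this comparison runs only after the library has validated the authtoken against the CAs in /trustedcerts, because the subject CN of an unverified certificate is attacker-controlled.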

Web-eID validation PHP library details

The following list describes all the code that needs to be implemented in order to authenticate via Web-eID using the PHP validation library installed by Composer:

  • js/web-eid-challenge.js - adds a click handler on the button which calls the relevant methods of web-eid.js (see the official documentation for details)
  • lib/Provider/WebEidProvider.php:getTemplate() and verifyChallenge() - high-level functions for issuing the challenge and verifying the authtoken
  • lib/Service/WebEidConfig.php - the few configuration values required by the Web-eID library
  • lib/Service/WebEidService.php - low-level functions that construct the Web-eID objects
  • lib/Service/SessionBackedChallengeNonceStore.php - example implementation of a challenge nonce store backed by the built-in Nextcloud session object
  • templates/WebEidChallenge.php - prepared HTML page containing a form with the challenge input, which Nextcloud submits to the verifyChallenge() function
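The nonce store is where replay protection lives: each challenge nonce must be handed out once, consumed by the first verification attempt whether it succeeds or fails, and refused after its lifetime, otherwise a captured authtoken stays valid. The following is an added example, not the project's SessionBackedChallengeNonceStore nor the Web-eID library's classes: it shows those semantics in stand-alone PHP, with an injected array standing in for the Nextcloud session object, and minimal nonce and exception classes standing in for the library's (all names here are assumptions):

```php
<?php
declare(strict_types=1);

// Added example (not the twofactor_webeid project's code): the single-use and
// time-bounded behaviour a challenge nonce store must provide. The Web-eID
// library's own nonce, store and exception classes are replaced by minimal
// stand-ins (assumption) so this file runs on its own.

final class ChallengeNonceExpired extends RuntimeException {}
final class ChallengeNonceMissing extends RuntimeException {}

/** A base64 nonce together with the instant after which it must be refused. */
final class Nonce
{
    public function __construct(public string $base64, public DateTimeImmutable $expiresAt) {}
}

/** 32 random bytes from the CSPRNG, i.e. the 256 bits of entropy Web-eID asks for. */
function generateNonce(int $ttlSeconds, DateTimeImmutable $now): Nonce
{
    return new Nonce(base64_encode(random_bytes(32)), $now->modify("+{$ttlSeconds} seconds"));
}

/** Session-backed store; $session stands in for the Nextcloud session object. */
final class ArraySessionNonceStore
{
    private const KEY = 'web-eid-challenge-nonce';
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    public function put(Nonce $nonce): void
    {
        // Overwrite: only the most recently issued challenge is ever valid.
        $this->session[self::KEY] = [
            'nonce'      => $nonce->base64,
            'expires_at' => $nonce->expiresAt->getTimestamp(),
        ];
    }

    /** Returns the stored nonce exactly once, then forgets it; refuses expired nonces. */
    public function getAndRemove(DateTimeImmutable $now): Nonce
    {
        $stored = $this->session[self::KEY] ?? null;
        // Remove before any check so that a failed attempt also consumes the nonce.
        unset($this->session[self::KEY]);
        if ($stored === null) {
            throw new ChallengeNonceMissing('no challenge nonce in session');
        }
        $expiresAt = (new DateTimeImmutable())->setTimestamp($stored['expires_at']);
        if ($now >= $expiresAt) {
            throw new ChallengeNonceExpired('challenge nonce expired');
        }
        return new Nonce($stored['nonce'], $expiresAt);
    }
}

// Demonstration with a constructed session array and a fixed clock.
$session = [];
$store = new ArraySessionNonceStore($session);
$t0 = new DateTimeImmutable('2024-01-01T12:00:00Z');

$issued = generateNonce(300, $t0);
$store->put($issued);
$got = $store->getAndRemove($t0->modify('+10 seconds'));
echo 'first use returns the issued nonce: ', var_export($got->base64 === $issued->base64, true), PHP_EOL;
try {
    $store->getAndRemove($t0->modify('+11 seconds'));
    echo "replay accepted (BAD)\n";
} catch (ChallengeNonceMissing $e) {
    echo "replay refused\n";
}

$store->put(generateNonce(300, $t0));
try {
    $store->getAndRemove($t0->modify('+301 seconds'));
    echo "expired nonce accepted (BAD)\n";
} catch (ChallengeNonceExpired $e) {
    echo "expired nonce refused\n";
}
```

The clock is passed in rather than read from time() so the expiry branch can be exercised deterministically; in the app the session object itself provides the persistence between getTemplate(), which issues the challenge, and verifyChallenge(), which consumes it.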