FSN#37583 Authenticatie via JWT

svn path=/Website/trunk/; revision=30542
Jos Groot Lipman
2016-09-05 08:16:00 +00:00
parent 1d5496e4f7
commit 178681773a
5 changed files with 34 additions and 17 deletions


@@ -50,7 +50,8 @@ function fac_idp()
"secret": {
"dbs": "fac_idp_secret",
"label": L("fac_idp_secret"),
"typ": "varchar"
"typ": "varchar",
"defaultvalue": shared.random(32)
},
"audience": {
"dbs": "fac_idp_audience",
@@ -69,8 +70,14 @@ function fac_idp()
"typ": "varchar"
},
"timeout": {
"dbs": "fac_idp_timeout",
"label": L("fac_idp_timeout"),
"dbs": "fac_idp_clockskew",
"label": L("fac_idp_clockskew"),
"typ": "number",
"defaultvalue": 30
},
"duration": {
"dbs": "fac_idp_duration",
"label": L("fac_idp_duration"),
"typ": "number"
},
"remote_loginurl": {
@@ -98,12 +105,14 @@ function fac_idp()
"label": L("fac_idp_ipauto"),
"typ": "check0"
},
/*
"company": {
"dbs": "prs_bedrijf_key",
"typ": "key",
"foreign": "prs_bedrijf",
"label": L("lcl_idp_company")
},
}
,
"department": {
"dbs": "prs_afdeling_key",
"typ": "key",
@@ -116,6 +125,7 @@ function fac_idp()
"typ": "key",
"foreign": fac_functie_foreign()
},
*/
"internal": {
"dbs": "fac_idp_internal",
"label": L("fac_idp_internal"),
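Review bot: `"defaultvalue": shared.random(32)` on the secret field is evaluated when fac_idp() builds the field definition, not when a record is saved; if that definition object is built once and reused, every IdP record created from it would receive the same default secret (inferred — the lifetime of the fac_idp() result is not visible here). That secret is the key handed to jwt_verify in the authentication file, so the generator also has to be a cryptographically secure one, which cannot be confirmed for `shared.random` from this page. A comment on the line would pin both expectations: `"defaultvalue": shared.random(32) // JWT signing secret: must be CSPRNG output and fresh per record — confirm shared.random and when this is evaluated`. The renamed clockskew field's default of 30 carries no unit; add one, e.g. `"defaultvalue": 30 // clock tolerance; unit must match what jwt_verify's third argument expects`. fac_idp() continues outside these hunks.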


@@ -15,7 +15,7 @@ if (S("mobile_enabled") != 1)
shared.simpel_page("Mobile module not enabled."); // Wel betalen he!
if (S("mobile_guest_user") > -1 && (typeof Session("user_key") == "undefined" || Session("user_key") == "-1"))
tryLogin(S("mobile_guest_user"), null);
tryLogin(S("mobile_guest_user"), null, { noPassword: true });
// Uses S("mobile_alg_level"); // L, G of V


@@ -297,7 +297,6 @@ function otpcodes(otpsecret)
return result;
}
// Bij een OTP beschermd account moet achteraan wachtwoord 6 cijfers staan
function testpassword(prs_key, wachtwoord, pmobile)
{
if (!wachtwoord)
@@ -325,6 +324,10 @@ function testpassword(prs_key, wachtwoord, pmobile)
if (pmobile==1) // Mobile 'verzonnen' wachtwoord
{
wachtwoord = wachtwoord.toLowerCase(); // wij sturen lowercase base32
wachtwoord = wachtwoord.replace(/0/i, 'o'); // 0 / 1 / 8 komen daar niet in voor
wachtwoord = wachtwoord.replace(/1/i, 'l');
wachtwoord = wachtwoord.replace(/8/i, 'b');
if (mobauth == wachtwoord && mobauthexp && new Date() <= mobauthexp)
{
return true; // Goed
@@ -487,7 +490,9 @@ function verify_otp (prs_key, otprequest, otpsecret, otpcounter)
/* global */ login_fail_reason = L("lcl_login_wrong");
/* global */ otp_user_key = -1;
function tryLogin(username, wachtwoord, pmobile, otpcode, params) {
function tryLogin(username, wachtwoord, params)
{
params = params || {};
Session.Contents.Remove("org_user_key");
if (!username || username == 'undefined')
@@ -528,7 +533,7 @@ function tryLogin(username, wachtwoord, pmobile, otpcode, params) {
if (wachtwoord == null) // SSO
found = true; // En zijn we verder wel klaar
else
found = testpassword(oRs("prs_perslid_key").Value, wachtwoord, pmobile);
found = testpassword(oRs("prs_perslid_key").Value, wachtwoord, params.pmobile);
if (!found)
return false;
@@ -549,7 +554,7 @@ function tryLogin(username, wachtwoord, pmobile, otpcode, params) {
}
doLogin(oRs("prs_perslid_key").Value, params);
}
else if (otpcode && testotp(oRs("prs_perslid_key").Value, otpcode))
else if (params.otpcode && testotp(oRs("prs_perslid_key").Value, params.otpcode))
doLogin(oRs("prs_perslid_key").Value, params);
else // Wordt opgepikt door login_save.asp
/* global */ otp_user_key = oRs("prs_perslid_key").Value;
@@ -699,7 +704,7 @@ function SecureSSO(ssoProps)
strDecryptedCode = ssoProps.fnparseName(strDecryptedCode)
//Response.write ("<p>Na fnparseName: " + strDecryptedCode)
}
if (tryLogin(strDecryptedCode, null))
if (tryLogin(strDecryptedCode, null, { noPassword: true }))
{
if (ssoProps.fnonSuccess)
ssoProps.fnonSuccess(user_key);
@@ -838,7 +843,7 @@ function SimpleSSO()
l = username.length;
if( i < l-1 ) username = username.substring(i+1,l);
}
tryLogin(username,null);
tryLogin(username, null, { noPassword: true });
}
}
@@ -870,7 +875,7 @@ function IntegratedSSO()
l = username.length;
if( i < l-1 ) username = username.substring(i+1,l);
}
tryLogin(username,null);
tryLogin(username, null, { noPassword: true });
}
}
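Review bot: The three added `replace` calls in testpassword use `/0/i`, `/1/i` and `/8/i` without the `g` flag, so only the first occurrence of each digit is mapped and a mobile password typed with two zeros (or two ones, or two eights) still fails; the `i` flag does nothing on digits. One line covers all three: `wachtwoord = wachtwoord.replace(/0/g, 'o').replace(/1/g, 'l').replace(/8/g, 'b');`. In the tryLogin hunk the mobile flag is read as `params.pmobile`, while the login form in the last file of this commit passes `{ mobile: ismobile, otpcode: otpcode }`, so pmobile arrives undefined and the mobile-password branch is never taken; the two names must agree, e.g. `found = testpassword(oRs("prs_perslid_key").Value, wachtwoord, params.mobile);`. Every SSO caller now passes `noPassword: true`, but nothing in these hunks reads it — tryLogin still takes the password-less path on `wachtwoord == null` alone — so if the flag is meant to be the gate, tryLogin should test `params.noPassword` explicitly (it may be consumed in doLogin, which is not shown). testpassword and tryLogin both continue outside the hunks.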


@@ -3,6 +3,8 @@
$Revision$
$Id$
Met vernieuwde kennis zou ik dit bestand authenticate.asp noemen
We weten niet wie de gebruiker is.
Probeer op allerlei manieren SSO
Als het lukt geven we een user_key terug in Session("user_key");
@@ -29,7 +31,7 @@ if (typeof Session("sso_sgf") == "string") // Vanuit FACWS001-portal/ sso_sgf.as
{
Session.Contents.Remove("ASPFIXATION"); // Niet moeilijk doen
settings.overrule_setting("login_use_email", 0); // We hebben altijd login gescanned namelijk
tryLogin(String(Session("sso_sgf")),null);
tryLogin(String(Session("sso_sgf")), null, { noPassword: true });
if (user_key < 0 && parseInt(String(Session("sso_sgf")), 10))
doLogin(parseInt(String(Session("sso_sgf")), 10)); // je mag ook key meegeven
@@ -114,7 +116,7 @@ if (user_key < 0 && jwt) // TODO of uit http-header authorization: Bearer of ui
if (oRs.Eof)
abort_with_warning("Unknown JWT issuer: " + claim.payload.iss);
var verify = jwt_verify(claim, oRs("fac_idp_secret").Value, oRs("fac_idp_timeout").Value);
var verify = jwt_verify(claim, oRs("fac_idp_secret").Value, oRs("fac_idp_clockskew").Value);
if (verify.err)
abort_with_warning("Invalid JWT: " + verify.err);
// TODO: claim.payload.iss gebruiken om FAC_IDP_CODE te zoeken
@@ -124,7 +126,7 @@ if (user_key < 0 && jwt) // TODO of uit http-header authorization: Bearer of ui
Session.Contents.Remove("ASPFIXATION"); // Niet moeilijk doen
settings.overrule_setting("login_use_email", 0); // We hebben altijd login gescanned namelijk
if (claim.payload.username)
tryLogin(claim.payload.username, null, null, null, { noFacSession: by_bearer });
tryLogin(claim.payload.username, null, { noPassword: true, noFacSession: by_bearer });
if (user_key < 0 && claim.perslid_key > 0)
doLogin(claim.payload.perslid_key, null, { noFacSession: by_bearer }); // je mag ook key meegeven
Session("idp_key") = oRs("fac_idp_key").Value;
@@ -178,7 +180,7 @@ if (user_key < 0 && getQParam("sso", ""))
if (oRs("fac_idp_type").Value == 3) // die doet het verder zelf
{
SecureSSO({ strSharedKey: oRs("fac_idp_secret").Value,
Timeout: oRs("fac_idp_timeout").Value,
Timeout: oRs("fac_idp_clockskew").Value,
ssoURL: oRs("fac_idp_remote_loginurl").Value,
sso: sso
});
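Review bot: `Timeout: oRs("fac_idp_clockskew").Value` in the SecureSSO call now feeds the clock-skew setting (new default 30 in the fac_idp definition) into a property still named Timeout; if SecureSSO treats Timeout as the validity window of the encrypted code rather than a tolerated clock difference, every type-3 IdP's window silently changes with this rename (SecureSSO's body is not shown, so this is inferred). A comment at the call would record the intended meaning: `Timeout: oRs("fac_idp_clockskew").Value, // clock tolerance, not code lifetime — confirm against SecureSSO`. The same rename reaches `jwt_verify(claim, ..., oRs("fac_idp_clockskew").Value)`, whose third argument deserves the same note. In the adjacent unchanged lines the guard reads `claim.perslid_key > 0` while the call uses `claim.payload.perslid_key`; not part of this change, but with that mismatch the key fallback can only fire when the claim carries both. The enclosing `if (user_key < 0 && jwt)` block continues outside the hunk.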


@@ -28,7 +28,7 @@ var remember = getFParam("remember", "off")=="on";
var ismobile = getFParam("mobile");
tryLogin(nm, ps, ismobile, otpcode); // nm = username, ps = wachtwoord
tryLogin(nm, ps, { mobile: ismobile, otpcode: otpcode}); // nm = username, ps = wachtwoord
result = { success: user_key > 0 };