Rework AJAX-based authentication to enable 2FA, notifications, etc
Summary
Currently, Auth::SSL and Auth::Kerberos work by sending an AJAX query to the server. That AJAX query creates the session and sets the cookie. Because of that, 2FA, notifications, etc. do not work.
Design proposition
Modify these plugins to use a dedicated route, such as /authssl and /authkrb.
This route has a simpler purpose: perform the authentication (GSSAPI, or extracting the TLS header) and, if successful, create a temporary state (OneTimeToken could be used) containing the username. The JS code then receives this state and does a top-level POST to the portal's normal URL (a non-AJAX request) carrying that temporary state. Auth::Kerberos / Auth::SSL can extract the username from this state in their authenticate method and proceed with the normal login.
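The two-step flow described above, as an added model written for this issue (not LemonLDAP::NG code): a dedicated route verifies the credential and mints a single-use, short-lived state bound to the username and the method that produced it; the plugin's authenticate step redeems that state exactly once. The store class, its TTL, the `SSL`/`Kerberos` method labels and the fake TLS-header lookup are all assumptions standing in for whatever temporary-state mechanism (OneTimeToken or other) the real portal would use.

```python
"""Model of the proposed dedicated-route login flow.

Added example for this issue, not LemonLDAP::NG code. The token store below
is a stand-in for the real temporary state (OneTimeToken or other); its API,
TTL and the method labels are assumptions.
"""
import secrets
import time

TOKEN_TTL_SECONDS = 60  # assumed lifetime of the temporary state


class OneTimeState:
    """Server-side store of short-lived, single-use login states.

    Each entry binds an opaque random token to the username the first step
    verified and to the method that issued it, so the top-level POST can only
    claim the identity that was actually authenticated, and only once."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._entries = {}
        self._ttl = ttl
        self._clock = clock  # injectable for testing expiry

    def issue(self, username, method):
        token = secrets.token_urlsafe(32)
        self._entries[token] = (username, method, self._clock() + self._ttl)
        return token

    def redeem(self, token, method):
        """Return the username for *token* and destroy it, or None.

        Fails closed on unknown, already-used, expired or wrong-method tokens;
        the token is removed before the checks so a bad attempt cannot be retried."""
        entry = self._entries.pop(token, None)
        if entry is None:
            return None
        username, issued_for, expires = entry
        if self._clock() > expires or issued_for != method:
            return None
        return username


def auth_route(state, method, verify, credential):
    """The dedicated AJAX route (/authssl or /authkrb in the proposal).

    *verify* models the backend check (GSSAPI, or TLS header extraction) as a
    callable returning the username or None. On success the response carries
    only the opaque state, never the username itself."""
    username = verify(credential)
    if username is None:
        return {"status": "error"}
    return {"status": "ok", "state": state.issue(username, method)}


def authenticate(state, method, form):
    """The plugin's authenticate step: turn the state from the top-level POST
    back into a username (or None, so the portal can fail normally). From here
    the normal login chain, including 2FA and notifications, can run."""
    token = form.get("state")
    if not token:
        return None
    return state.redeem(token, method)


def fake_tls_verify(header_value):
    """Stand-in for mapping a TLS client-certificate header to a user (constructed)."""
    directory = {"CN=alice,O=Example": "alice"}
    return directory.get(header_value)


def client_flow(state, credential):
    """Browser side: AJAX call to the dedicated route, then a top-level POST
    that carries the returned state. Returns the username the portal ends up
    authenticating, or None."""
    reply = auth_route(state, "SSL", fake_tls_verify, credential)
    if reply["status"] != "ok":
        return None
    form = {"state": reply["state"]}  # what the non-AJAX POST would submit
    return authenticate(state, "SSL", form)


if __name__ == "__main__":
    store = OneTimeState()
    print("first login:", client_flow(store, "CN=alice,O=Example"))
    print("unknown cert:", client_flow(store, "CN=mallory,O=Example"))
```

Replaying a redeemed state, presenting a state issued by /authkrb to the SSL plugin, or presenting one after its TTL all return `None`, which is how the "how to handle failure" question above would surface in this model: the second step simply falls through to the portal's normal failure path.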
Open topics:
- How to handle failure
- Is it OK to change the current behavior?
- Combination
Edited by Maxime Besson