Enhanced Form Based Authentication with TOTP MFA for both HTML and JSON based authentication

quarkiverse/quarkus-mfa


Quarkus MFA (Multi-Factored Authentication)

Overview

⚠️ OIDC is the preferred Quarkus authentication mechanism: Centralized identity management is a universal IT organizational goal. Only consider using this alternative authentication mechanism to satisfy unique web application authentication requirements.

A Quarkus extension that provides enhanced form-based authentication. It provides strong native authentication to supplement the preferred OIDC authentication mechanism.

Centralized identity management should be the goal of all organizations, and OIDC should be the primary form of authentication for Quarkus web applications. Consider utilizing this authentication extension under these two circumstances:

  1. No OIDC Identity Provider available - Some organizations may not have an OIDC IDP to utilize, or it may be impractical to provision and/or configure an IDP for a web application with a small population of workers.

  2. Secure backdoor authentication - Native authentication directly into the web application may be necessary in case the OIDC IDP becomes unavailable. Also, runtime delegated administration of the OIDC multi-tenant configuration could potentially lock users out of the application, and the administrators would need a means to restore access.

Features

The Quarkus MFA extension is similar to the built-in form based authentication mechanism and it provides the following features:

  • An encrypted cookie is used to track authentication state, similar to the form based authentication mechanism
  • A JWE JWT, similar to the OIDC ID Token except encrypted, is saved as a cookie and is used to track authentication state.
  • As a user proceeds through the authentication flow the authentication context JWE is eventually upgraded to an authenticated session cookie, similar to the OIDC extension.
  • Time Based One-Time Password (TOTP) support
  • Pluggable Identity Store implementations allow interactions with back-end Cloud database user stores
  • Account Lock
  • Password Reset
  • TOTP QR Code Key Registration
  • TOTP Passcode Validation
  • Application-provided login and logout presentation pages
  • MVC presentation support allowing views to be rendered based on the login state
  • Single Page Application (SPA) Support
    • The authentication action controller supports both HTML form encoding and JSON
    • SPAs can perform a GET request to obtain details about the current authentication state
    • Based on authentication state SPAs can post login attempts, password resets, or TOTP passcode validation requests and respond accordingly based on the result.
    • The authentication context cookie gets updated identically to the forms based login mechanism
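The "TOTP Passcode Validation" feature above is the RFC 6238 check that every TOTP-capable identity store has to perform. The following is an added, stand-alone illustration written for this page; it is not code from the quarkus-mfa extension and does not use its API. It implements HOTP (RFC 4226) and TOTP on top of it, verifies a submitted passcode with a small clock-skew window, a constant-time compare, and a replay guard (the last accepted time-step counter must be persisted per user, which the example models as a plain integer). The secret is the RFC 6238 reference key, embedded here as constructed test data.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test data: the RFC 6238 reference key "12345678901234567890" (ASCII),
# base32-encoded because that is how TOTP keys travel in QR-code registration URIs.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time / step (30 s by default)."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, at // step, digits)


def verify_totp(secret_b32: str, candidate: str, at: int, last_used_counter: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Validate a submitted passcode.

    Returns (ok, counter). A code is accepted if it matches any time step within
    +/- `window` steps of `at`, is compared in constant time, and its counter is
    strictly greater than `last_used_counter` so an intercepted code cannot be
    replayed inside the window. The caller persists the returned counter per user.
    """
    if not (candidate.isdigit() and len(candidate) == digits):
        return False, last_used_counter
    key = base64.b32decode(secret_b32, casefold=True)
    current = at // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue  # already consumed (or older): refuse replays
        if hmac.compare_digest(hotp(key, counter, digits), candidate):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # Round trip against the current clock, then a replay of the same code.
    now = int(time.time())
    code = totp(RFC6238_SECRET_B32, now)
    ok, used = verify_totp(RFC6238_SECRET_B32, code, now, last_used_counter=0)
    print("first use accepted:", ok, "counter:", used)
    ok_again, _ = verify_totp(RFC6238_SECRET_B32, code, now, last_used_counter=used)
    print("replay accepted:", ok_again)
```

The window of one step on each side tolerates the usual phone/server clock drift without widening the guessing surface much; the replay guard is what keeps a code observed over the wire from being reused within that window, which is why the accepted counter, not just a success flag, has to be written back to the identity store.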

Installation

  1. Add the extension to the Quarkus web application's Maven pom.xml

  2. Create an MFA Identity Store implementation. This TestMfaIdentityStore.java example can be used as a reference.

  3. Create login views or use SPA JavaScript to perform authentication actions. Please examine the HTML Forms and SPA examples in the example web application.
