<html><body><p>Hey Andrew,<br><br>You mentioned it in one of your blog posts (<a href="http://bogott.net/unspecified/?p=2344">http://bogott.net/unspecified/?p=2344</a>) the Keystone team recently added TOTP auth support for users that exist in an SQL backend. You can read the initial specification here: <a href="http://specs.openstack.org/openstack/keystone-specs/specs/mitaka/totp-auth.html">http://specs.openstack.org/openstack/keystone-specs/specs/mitaka/totp-auth.html</a> and the documentation: <a href="http://docs.openstack.org/developer/keystone/auth-totp.html">http://docs.openstack.org/developer/keystone/auth-totp.html</a><br><br>TOTP auth will be available in Mitaka and we plan on building on it for the Newton release for better 2FA. I assume some of the work you did and our current TOTP auth likely overlaps, the horizon support may still be very useful.<br><br>stevemar<br><br><img width="16" height="16" src="cid:1__=8FBBF5FCDFA7D8108f9e8a93df938690918c8FB@" border="0" alt="Inactive hide details for Andrew Bogott ---2016/03/07 03:28:44 AM---For future googlers: We wrote an hotp keystone plugin and I"><font color="#424282">Andrew Bogott ---2016/03/07 03:28:44 AM---For future googlers: We wrote an hotp keystone plugin and I hacked up support for a third</font><br><br><font size="2" color="#5F5F5F">From: </font><font size="2">Andrew Bogott <abogott@wikimedia.org></font><br><font size="2" color="#5F5F5F">To: </font><font size="2">openstack@lists.openstack.org</font><br><font size="2" color="#5F5F5F">Date: </font><font size="2">2016/03/07 03:28 AM</font><br><font size="2" color="#5F5F5F">Subject: </font><font size="2">Re: [Openstack] Horizon with 2fa?</font><br><hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br><br><br><tt>For future googlers:<br><br>We wrote an hotp keystone plugin and I hacked up support for a third <br>field in the Horizon login screen.<br><br>Details and code for the keystone plugin are here: <br></tt><tt><a href="http://bogott.net/unspecified/?p=2344">http://bogott.net/unspecified/?p=2344</a></tt><tt><br>And, for the Horizon interface changes, here: <br></tt><tt><a href="http://bogott.net/unspecified/?p=2356">http://bogott.net/unspecified/?p=2356</a></tt><tt><br><br>All are welcome to reuse our code; I'm also happy to hear from anyone <br>about how I should have done it instead.<br><br>-Andrew<br><br><br><br>On 2/29/16 10:23 AM, Andrew Bogott wrote:<br>> I require two-factor authentication for users who have permissions <br>> to create and delete instances in Nova. Since we're in the process of <br>> migrating from our custom webUI to Horizon, I need to add an <br>> additional field (totp token) to the Horizon login screen and get that <br>> value passed to keystone.<br>><br>> It should be a fairly straightforward hack -- but, before I dive <br>> in, I'm thinking that surely I'm not the first person to need this. <br>> Can anyone who has already implemented 2fa in Horizon give me a few <br>> pointers, or tell me what approach you took?<br>><br>> Thanks!<br>><br>> -Andrew<br><br><br>_______________________________________________<br>Mailing list: </tt><tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></tt><tt><br>Post to : openstack@lists.openstack.org<br>Unsubscribe : </tt><tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></tt><tt><br><br></tt><br><br><BR>
</body></html>