Conceptually, when a user provides a username or email address to the authentication portal during an authentication session, the user provides an "identity". Optionally, the user could also provide a "realm" to further assist in identifying the user. For example, foo may exist in multiple realms, e.g.
Once the portal has the "identity" (and, optionally, the "realm") of the user, the portal determines the challenges the user must pass to get authenticated.
The "challenge" or "checkpoint" could be one of these:
- Authenticating with a password (
- Authenticating with application authentication or hardware token (
The checkpoints represent the authentication scheme for a user and are stored in the local authentication database. Additionally, a checkpoint can be applied by using "User Transforms".
The order of the checkpoints in the user transforms determines the order in which the user receives the challenges.
The portal constructs a list of one or more challenges from the above list. Then it redirects the user to the "sandbox", where the user solves the challenges to authenticate.
If the user passes these challenges, the user is authenticated and granted access.
See the `Transform` function in `aaasf/pkg/authn/transformer/transformer.go`.
When a user enters the authentication sandbox, the user is presented with one of the following views:
- error: The user encountered an error during one of the security challenges
- terminate: The user has failed a number of security challenges and is required to restart the authentication process
- mfa_app_auth: App Authenticator authentication screen
- mfa_app_register: App Authenticator registration screen
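The following is an added illustration of the checkpoint-and-sandbox flow described above, not code from the aaasf project: a user-transform-ordered list of checkpoints is walked one challenge at a time, and each result maps to one of the sandbox views named on this page. The `Sandbox` type, its `Submit` method, the failure limit and the `password_auth` and `authenticated` names are assumptions made for the example.

```go
package main

import "fmt"

// Checkpoint is one challenge a user must pass; the two kinds named on the page.
type Checkpoint string

const (
	CheckpointPassword Checkpoint = "password" // authenticating with a password
	CheckpointMFA      Checkpoint = "mfa"      // app authenticator or hardware token
)

// Sandbox view names from the page, plus a constructed "authenticated" outcome
// for the state in which every checkpoint has been passed.
const (
	ViewMFAAppAuth    = "mfa_app_auth"
	ViewError         = "error"
	ViewTerminate     = "terminate"
	ViewAuthenticated = "authenticated" // hypothetical terminal state
)

// Sandbox walks an ordered checkpoint list. The order is the order of the
// user transforms, so the caller builds Checkpoints in that order.
type Sandbox struct {
	Checkpoints []Checkpoint
	next        int // index of the checkpoint the user must solve now
	failures    int // failed challenges so far in this session
	MaxFailures int // failures allowed before the session is terminated
}

// Submit records whether the user passed the current challenge and returns the
// next view to render. A failure re-presents the same checkpoint (after the
// error view) until the failure limit forces a restart via the terminate view.
func (s *Sandbox) Submit(passed bool) string {
	if s.next >= len(s.Checkpoints) {
		return ViewAuthenticated
	}
	if !passed {
		s.failures++
		if s.failures >= s.MaxFailures {
			return ViewTerminate
		}
		return ViewError
	}
	s.next++
	if s.next >= len(s.Checkpoints) {
		return ViewAuthenticated
	}
	if s.Checkpoints[s.next] == CheckpointMFA {
		return ViewMFAAppAuth
	}
	return "password_auth" // placeholder: the password screen name is not on the page
}

func main() {
	s := &Sandbox{Checkpoints: []Checkpoint{CheckpointPassword, CheckpointMFA}, MaxFailures: 3}
	fmt.Println(s.Submit(true), s.Submit(false), s.Submit(true)) // mfa_app_auth error authenticated
}
```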