Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add support for migrating totp #197

Merged
merged 6 commits into from
Sep 26, 2024

Conversation

Jonbeckas
Copy link

This PR adds the support for a totps attribute in LegacyUser, that allows to migrate multiple Totp devices, that have a base32 encoded secret and are based on SHA1

@daniel-frak
Copy link
Owner

Hi! Sorry it's taking me so long to look at this one. I'll try to take a closer look around this weekend.

In the meantime, could you document how this TOTP migration works in the README.md, if any additional configuration is required etc.?

@Jonbeckas
Copy link
Author

Sorry, I just read your message. Let me now if you need more documentation.

@daniel-frak
Copy link
Owner

daniel-frak commented Sep 20, 2024

...And so the weekend came and went. Sorry for the delay, again.

Could you add the information you provided in the PR description to the README.md:

  • that this plugin supports migration of multiple Totp devices
  • that the devices must have a base32 encoded secret and be based on SHA1

It could even be get its own subheader for TOTP migration. I'm not well-versed in TOTP, but I assume both of these are important.

I'll merge this MR regardless, but, if you have some time, it would be cool if you could reformat the code, as there's currently no auto-formatter configured for this project. Some examples:

Last, but not least, a suggestion. This line of code makes me think that the "devices must have a base32 encoded secret and be based on SHA1" requirement could be removed by making the otpModel configurable via the UI:

https://github.com/daniel-frak/keycloak-user-migration/pull/197/files#diff-9ec471ee9ea5062b096c9f6cfd6213c56bd97761d2f51d18504c04399764892aR99

I understand if you don't feel like doing it, but at least for future reference, am I correct in that assumption?

@Jonbeckas
Copy link
Author

Thank you.
Based on the Keycloak code it should be possible to use "HmacSha1", "HmacSHA256", "HmacSHA512" based totp, with a secret either encoded in BASE32 or UTF-8, with any number of return digets and any period.
I don't know if it is better to configure the type of totp algorithm in the config or dynamicly within the dto from the legacy system.
What do you think?

@daniel-frak
Copy link
Owner

Good question!
Now that I think about it, it might be more flexible to allow TOTP configuration from the legacy system, as that way it could be done per-user (should there be a need like that).

Would you like to do it as part of this MR, or should I merge this in?

@Jonbeckas
Copy link
Author

I added the configurability now. If your fine with it and the documentation you could merge it.

README.md Outdated
"totps": [
{
"name": "string",
"secret": "string"
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some of the properties are missing here.

README.md Outdated
"encoding": "BASE32"
}
```
name should be the name of the totp device, while secret is the secret, that could be encoded in "BASE32" or as the utf8 bytes.
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using backticks for the properties would increase readability. E.g.,:

"name should be the name of the totp device (...)".

totp.setName(expectedValue);
assertEquals(expectedValue, totp.getName());
}

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Double newline

README.md Outdated
"encoding": "BASE32"
}
```
name should be the name of the totp device, while secret is the secret, that could be encoded in "BASE32" or as the utf8 bytes.
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Grammar nitpick: the utf8 bytesUTF-8 bytes (removed the, uppercased and kebab-cased UTF-8).
Ditto about the utf8 bytes below.

README.md Outdated
"encoding": "BASE32"
}
```
name should be the name of the totp device, while secret is the secret, that could be encoded in "BASE32" or as the utf8 bytes.
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if I understand it correctly, but wouldn't UTF-8 plaintext be easier to understand than UTF-8 bytes?

@daniel-frak
Copy link
Owner

Great! I added a few nitpicks (mostly about documentation) and I see that Sonar found something, as well.

After that's addressed, I'll gladly merge it in :)

@Jonbeckas
Copy link
Author

I think i fixed everything

Copy link

sonarcloud bot commented Sep 26, 2024

@daniel-frak
Copy link
Owner

Great, thanks for the contribution!

@daniel-frak daniel-frak merged commit 374a4f5 into daniel-frak:master Sep 26, 2024
2 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants