this is off topic but not really
django auth will take care of the django login
a simple model (or add fields to django users auth model) will
accommodate the saving of the google authentication, tokens whatever you
need to add to a user.
however google (and microsoft is Oct 1st) no longer supports single auth
on imap/pop3
so if you are trying to access the emails via these services there is no
real way to do it easily.
everything is now oauth2 and requires web interface access to authorize
a device, none of which to my research provides anything usable in linux etc
see fetchmail (i used to use that to pop other peoples email and forward
to my customers )
this was mainly used to migrate from one email account to another
(gmail, aol, yahoo etc)
issue is there is no known easy way of saving the tokens etc that are
required for oauth2
even patches for fetchmail still can not handle the token saves etc as
you need to read the html returned (python is starting to allow for some
of this)
at the end of the day each provider is using their own scheme
outlook & gmail have APIs that handle the login ???
other providers are doing different things.
below is an excerpt from dovecot's mailing list as this has become a
huge issue in the email community.
you can scan dovecot's mailing list for more info but this will give you
a start
excerpts below :
It IS possible to use 2FA on Dovecot, but it would be better if Dovecot
supported options by Plugins to control what supported 2FA options are
supported in the CAPABILITIES string. (Ongoing problem getting more
power in the handles of 3rd party plugins for Dovecot, politics.. )
HOWEVER, there are many ways if you 'roll your own' dovecot, eg can
apply patches to the build process. We do this.
Having said that, yes.. especially in North America this push by
insurance agents for 2FA, is driven by the RansomWare problems, and
gives an insurance company a way out..
The only problem is, having looked at several of these insurance
companies forms, it is almost as if an o365 sales person wrote the
requirements. And even IF you apply a 2FA, (eg a 2nd factor) you might
find that the insurance documents will not accept anything other than
what their legal department defined as 2FA..
The biggest problem, is not the use of 2FA, it is making 2FA transparent
and simple enough for end users to adopt. End users don't want to mess
with a second factor they have to add, or a hardware dongle, or giving
their cel# out..
And the industry has to come together, otherwise you will quickly find
out insurance companies ONLY accept 2FA from one or two closed source
companies..
Which is why once again, I wish that Dovecot would take a leadership
role in this, and allow more 3rd party plugins to be available to
address this business need.
(Oh, on the side, there ARE some ways you actually do 2FA transparently,
but of course the email client has to understand it. But while you can
do 'tricks' even in IMAP for 2FA, we need to think that the same method
should work for ALL communication channels which utilize the same
credentials, eg IMAP/SMTP/POP, even other things like caldav/carddav etc)
-- Michael --
On 2022-06-27 07:53, justina colmena ~biz wrote:
> I don't see why not.
>
> Dovecot and Postfix are entirely configurable to connect to and use
any desired authentication mechanism through certain basic interfaces.
>
> The main problem I have experienced with MFA is a continual battle
with extortion, "long cons," and thievery in law -- that the thieves are
able to obtain one of the necessary factors for authentication -- a
dongle or cell phone app or access to a cell phone number, or
surveillance intelligence on calls or texts, whatnot -- whether by force
or deception -- and then deny the targeted individual access to his or
her own account.
>
> Later on, after the victim has given up, the thieves are able to
obtain the other factors for authentication, and then proceed to
social-engineer a false account recovery using the victim's stolen I.D.
-- and then they often as not falsely report the victim to gullible or
complicit police forces as the thief.
>
> If the victim cannot be successfully accused of theft in court, the
"thieves in law" at work with inside help in government and law
enforcement communities are able to cast identity theft as a mental
illness akin to dissociative identity disorder -- to which the
government offers nothing but a mental health "recovery" plan which does
not include any actual recovery of the stolen assets in a person's name.
>
> * https://www.identitytheft.gov/
> * https://www.robodeidentidad.gov/
>
> Casting identity theft as a mental health issue further enables
thieves to take control of a victim's finances by possibly being
appointed as guardians or payees in court. For the same reasons of
legalized theft, extortion, and wrongful appropriation through state,
local, military and federal court systems, individuals with similar
names to known criminals are not allowed to hold significant assets in
their names or possess firearms or obtain employment in sensitive
positions in the United States.
>
> * https://en.wikipedia.org/wiki/Thief_in_law
>
> On Sunday, June 26, 2022 2:52:05 PM AKDT, Steve Dondley wrote:
>> I have a small client whose insurance company insists they have MFA
for their email to be covered under some kind of data protection policy.
Currently I have the client set up on a Debian box for the email server
coupled with roundcube for webmail. Most of the users just use roundcube
but some also use their mobile devices to check email. Maybe one person
uses outlook. There's about 5 to 10 users total.
>> I know roundcube offers a MFA plugin. But I don't have the foggiest
idea of how an iPhone, Android device, or Outlook could all be set up to
work with MFA with a standard dovecot/postfix setup. Are there any
practical solutions for easily implementing MFA that could work across
multiple devices?
>>
Disclaimer: I work for Auth0 (now Okta)
On 7/3/22 9:40 AM, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
>
> It seems any kind of dual auth will need a security app running on
YOUR server saving tokens, logins etc etc
Not necessarily. With Auth0, the IDP runs on Auth0's server.
You are responsible for storing ID tokens, access tokens, and refresh
tokens in your app.
There are ways of doing this fairly securely, even with desktop apps or
mobile
devices, where you don't have a secure backend.
>
> this is what lead to microsoft, gmail etc having their own api which
will only work for them
If I understand this correctly, Google et al provide an MFA API for apps
that want to handle
auth themselves, instead of going the OIDC/OAuth2/SAML route. They also
provide standards
based protocols, like OIDC.
That's what I was hinting at above - adopting OIDC makes things easier
than trying to bolt
on security (via some MFA API).
>
> this is also (mainly because of https authing the device) what makes
it hard to proxy oauth2 etc
This is definitely a pain point. You can either open up a browser from
the device, or on constrained
devices, use device flow (display a URL, user visits that URL on their
laptop, device grabs confirmation
from the IDP that they did). Neither one is completely elegant, but
opening a browser on a mobile
device is far less intrusive than you might think.
>
> 5.7. Authenticating using C.A.S.
> ...
>
> basically the reality is every server will have its own token base
etc thus preventing any kind of a standard.
I'm not familiar with C.A.S. I don't have any clients that I know of
using it, so I can't comment on it.
But the JWT token spec is now common, and is a standard. Also the SAML spec.
I see more OIDC, but also a lot of SAML.
Happy IAM Sunday to you too!
j
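The device flow the Auth0 reply describes (show a URL and code, user approves on a laptop, device polls the IdP for the result), as an added offline simulation that is not part of the thread or any vendor's SDK. Both the IdP endpoints and the device are in-memory stand-ins following RFC 8628; the verification URI is a placeholder and the clock is simulated so the polling, slow_down and expiry cases can be exercised without a network.

```python
import secrets

class DeviceAuthServer:
    """Stand-in for the IdP's device_authorization and token endpoints (constructed)."""
    def __init__(self, interval=5, lifetime=600):
        self.interval, self.lifetime, self._pending = interval, lifetime, {}

    def device_authorization(self, client_id, now):
        """Device gets a secret device_code plus a short user_code to show the user."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(2).upper() + "-" + secrets.token_hex(2).upper()
        self._pending[device_code] = {"user_code": user_code, "approved": False,
                                      "expires": now + self.lifetime, "last_poll": None}
        return {"device_code": device_code, "user_code": user_code, "interval": self.interval,
                "verification_uri": "https://idp.example/device"}  # placeholder URI

    def approve(self, user_code):
        """User enters the code in a browser on their laptop and consents."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code:
                rec["approved"] = True
                return True
        return False

    def token(self, device_code, now):
        """Device polls here; error codes follow RFC 8628 section 3.5."""
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if now > rec["expires"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        too_fast = rec["last_poll"] is not None and now - rec["last_poll"] < self.interval
        rec["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        del self._pending[device_code]  # device_code is single use
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "refresh_token": secrets.token_urlsafe(24), "expires_in": 3600}

def run_device_flow(server, client_id, approve_after_polls=None, clock=0):
    """Device side: wait the advertised interval between polls, back off on slow_down,
    stop on success or a terminal error. approve_after_polls simulates when the user
    finishes in their browser (None = never). Returns (response, polls_made)."""
    auth = server.device_authorization(client_id, clock)
    interval, polls = auth["interval"], 0
    while True:
        clock, polls = clock + interval, polls + 1
        if polls == approve_after_polls:
            server.approve(auth["user_code"])
        resp = server.token(auth["device_code"], clock)
        if "access_token" in resp or resp["error"] not in ("authorization_pending", "slow_down"):
            return resp, polls
        if resp["error"] == "slow_down":
            interval += 5  # RFC 8628: add 5 seconds to the polling interval
```

The returned access_token is what a mail client would then present to IMAP/SMTP via the provider's OAuth2 SASL mechanism; the refresh_token is the piece that must be stored securely on the device, which is the storage problem Paul raises.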
Happy Friday !!!
Thanks - paul
Paul Kudla
Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email paul@scom.ca
On 7/7/2022 7:49 PM, Lakshyaraj Dash XI-D 25 wrote:
> Hi guys I want a solution from your side.
> I am having a custom authentication in django. I want to have a login
> with google option that gets the user's email address and authenticates
> with django backend.
> Note that the username must not be the google username, it should be the
> username saved in the django model.
>
> Like my google username is CodeWithLaksh and the django username is
> rohan123, I want to display rohan123 instead of CodeWithLaksh. Hope you
> all understand my problem. Please provide me a solution (*if any).
>
> Thanks and Regards
> Lakshyaraj Dash
>
> --
> You received this message because you are subscribed to the Google
> Groups "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to django-users+unsubscribe@googlegroups.com
> <mailto:django-users+unsubscribe@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/a6902c4d-fc45-42f3-ac54-55d3ab1b3f21n%40googlegroups.com
> <https://groups.google.com/d/msgid/django-users/a6902c4d-fc45-42f3-ac54-55d3ab1b3f21n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/1dd30885-a68f-0f42-ff61-1ab6e26550d5%40scom.ca.