Multi-Factor Authentication

Configuring MFA

Configuring MFA right now has to be done entirely by an admin, for how to do that, see Multi-Factor Authentication.

Using MFA

Multi-Factor Authentication with Keystone can be used in two ways, either you treat it like current single method authentication and provide all the details upfront, or you doing it as a multi-step process with auth receipts.

Single step

In the single step approach you would supply all the required authentication methods in your request for a token.

Here is an example using 2 factors (password and totp):

{"auth":{
"identity":{
"methods":[
"password",
"totp"
],
"totp":{
"user":{
"id":"2ed179c6af12496cafa1d279cb51a78f",
"passcode":"012345"
}
},
"password":{
"user":{
"id":"2ed179c6af12496cafa1d279cb51a78f",
"password":"super sekret pa55word"
}
}
}
}
}

If all the supplied auth methods are valid, Keystone will return a token.

Multi-Step

In the multi-step approach you can supply any one method from the auth rules:

Again we do a 2 factor example, starting with password:

{"auth":{
"identity":{
"methods":[
"password"
],
"password":{
"user":{
"id":"2ed179c6af12496cafa1d279cb51a78f",
"password":"super sekret pa55word"
}
}
}
}
}

Provided the method is valid, Keystone will still return a 401, but will in the response header Openstack-Auth-Receipt return a receipt of valid auth method for reuse later.

The response body will also contain information about the auth receipt, and what auth methods may be missing:

{
"receipt":{
"expires_at":"2018年07月05日T08:39:23.000000Z",
"issued_at":"2018年07月05日T08:34:23.000000Z",
"methods":[
"password"
],
"user":{
"domain":{
"id":"default",
"name":"Default"
},
"id":"ee4dfb6e5540447cb3741905149d9b6e",
"name":"admin"
}
},
"required_auth_methods":[
["totp","password"]
]
}

Now you can continue authenticating by supplying the missing auth methods, and supplying the header Openstack-Auth-Receipt as gotten from the previous response:

{"auth":{
"identity":{
"methods":[
"totp"
],
"totp":{
"user":{
"id":"2ed179c6af12496cafa1d279cb51a78f",
"passcode":"012345"
}
}
}
}
}

Provided the auth methods are valid, Keystone will now supply a token. If not you can try again until the auth receipt expires (e.g in case of TOTP timeout).