
Conversation

@jzheaux (Contributor) commented Aug 19, 2025

Related to spring-projects/spring-security-samples#351

Implement N authentication factors and they will be required in the order that they are declared:

http
    .authorizeHttpRequests((authorize) -> authorize.anyRequest()
        // every request needs both factor authorities; they are required in the declared order
        .access(allOf(hasAuthority("FACTOR_PASSWORD"), hasAuthority("FACTOR_OTT")))
    )
    .formLogin(Customizer.withDefaults())         // first factor: username/password
    .oneTimeTokenLogin(Customizer.withDefaults()) // second factor: one-time token
    // ...

This will ask for a username/password first and a one-time token second. Thereafter, the user will be considered sufficiently authenticated.

Note that you can also publish an AuthorizationManagerFactory<Object> bean that checks for FACTOR_PASSWORD and FACTOR_OTT; however, this has not been added to this PR.

You can also specify a custom action to perform when a given factor is missing:

http
    .authorizeHttpRequests((authorize) -> authorize.anyRequest()
        // every request needs both factor authorities; they are required in the declared order
        .access(allOf(hasAuthority("FACTOR_PASSWORD"), hasAuthority("FACTOR_WEBAUTHN")))
    )
    .formLogin(Customizer.withDefaults()) // first factor: username/password
    .webauthn((webauthn) -> ...)          // second factor: WebAuthn
    .exceptionHandling((exceptions) -> exceptions
        // when FACTOR_WEBAUTHN is the missing factor, send the user to the WebAuthn login page
        .defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint("/webauthn"), "FACTOR_WEBAUTHN")
    )
    // ...

Note that authentication factors already integrate with defaultAuthenticationEntryPointFor in this PR. The above is needed for WebAuthn since it doesn't expose a custom entry point page in its DSL.
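The following is an added example, not code from this PR or from Spring Security itself. It evaluates the same allOf(hasAuthority("FACTOR_PASSWORD"), hasAuthority("FACTOR_OTT")) composition from the description outside the HTTP DSL, using AuthorizationManagers.allOf, AuthorityAuthorizationManager.hasAuthority and TestingAuthenticationToken from spring-security-core, so the factor semantics can be observed directly: a principal is granted only when every factor authority is present, and a denial names the first declared factor that is still missing, which is the kind of signal a per-factor entry point can dispatch on. The class name, the helper names, the user "alice" and the way factor authorities are placed on the token are assumptions of this example; how the login filters actually grant FACTOR_* authorities, and the redirect to the right login page, are the PR's work and are not reproduced here.

```java
import java.util.List;
import java.util.function.Supplier;

import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorityAuthorizationDecision;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationManagers;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Added example (not code from the PR): checks the PR description's factor composition
// against hand-built Authentication objects instead of real HTTP requests.
public class FactorAuthorizationDemo {

    // Factor authorities in the order the PR description declares them. The names come
    // from the PR text; granting them during login is the PR's job, not shown here.
    static final List<String> DECLARED_FACTORS = List.of("FACTOR_PASSWORD", "FACTOR_OTT");

    // Same composition as .access(allOf(hasAuthority("FACTOR_PASSWORD"), hasAuthority("FACTOR_OTT")))
    static final AuthorizationManager<Object> REQUIRE_BOTH_FACTORS = AuthorizationManagers.allOf(
            AuthorityAuthorizationManager.hasAuthority("FACTOR_PASSWORD"),
            AuthorityAuthorizationManager.hasAuthority("FACTOR_OTT"));

    // Constructed input for the demo: an authenticated principal that holds the given
    // factor authorities. allOf/hasAuthority only look at the granted authorities.
    static Authentication userWithFactors(String... completedFactors) {
        return new TestingAuthenticationToken("alice", "n/a", completedFactors);
    }

    // True when every declared factor authority is present on the Authentication.
    static boolean isSufficientlyAuthenticated(Authentication authentication) {
        Supplier<Authentication> supplier = () -> authentication;
        AuthorizationResult result = REQUIRE_BOTH_FACTORS.authorize(supplier, new Object());
        return result != null && result.isGranted();
    }

    // Names the first factor the user still has to complete, or null when none is missing.
    // allOf evaluates its managers in declared order and returns the first denial, and
    // hasAuthority denies with an AuthorityAuthorizationDecision that lists the authority
    // it wanted, so the denial itself identifies the next factor to prompt for.
    static String nextMissingFactor(Authentication authentication) {
        AuthorizationResult result = REQUIRE_BOTH_FACTORS.authorize(() -> authentication, new Object());
        if (result == null || result.isGranted()) {
            return null;
        }
        if (result instanceof AuthorityAuthorizationDecision decision) {
            return decision.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .findFirst()
                    .orElse(null);
        }
        // Fallback that mirrors the declared order, should a different decision type be returned.
        return DECLARED_FACTORS.stream()
                .filter(factor -> authentication.getAuthorities().stream()
                        .noneMatch(granted -> granted.getAuthority().equals(factor)))
                .findFirst()
                .orElse(null);
    }

    public static void main(String[] args) {
        Authentication noFactors = userWithFactors();
        Authentication passwordOnly = userWithFactors("FACTOR_PASSWORD");
        // Completing the factors out of order still satisfies allOf; the declared order only
        // decides which factor is reported as missing next, not the final decision.
        Authentication ottOnly = userWithFactors("FACTOR_OTT");
        Authentication both = userWithFactors("FACTOR_PASSWORD", "FACTOR_OTT");

        for (Authentication user : List.of(noFactors, passwordOnly, ottOnly, both)) {
            System.out.println("factors=" + user.getAuthorities()
                    + " granted=" + isSufficientlyAuthenticated(user)
                    + " next=" + nextMissingFactor(user));
        }
    }
}
```

Run it with spring-security-core on the classpath. Note that this exercises only the core AuthorizationManager decision; in a real filter chain the denial is turned into a redirect to the login page for the missing factor by the exception handling the PR adds.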

@rwinch (Member) left a comment

Thanks for the PR @jzheaux! I've provided feedback inline.

@rwinch (Member) left a comment

I've provided some additional feedback based upon your changes

@jzheaux force-pushed the mfa branch 2 times, most recently from c123bb6 to cd4c9d0 on September 17, 2025 23:57
@rwinch (Member) left a comment

Thanks for the updates. I've provided some additional feedback inline

@jzheaux force-pushed the mfa branch 3 times, most recently from afaf6fc to 4283aeb on September 19, 2025 23:54
@jzheaux jzheaux self-assigned this Sep 22, 2025
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Sep 22, 2025
@jzheaux jzheaux added this to the 7.0.0-RC1 milestone Sep 22, 2025
- Moved request attribute to WebAttributes
- Renamed ExceptionHandlingConfigurer methods
- Removed varargs from DelegatingMissingAuthorityAccessDeniedHandler
@rwinch (Member) left a comment

I think we are very close now. I've provided feedback inline. In addition, can you please log a ticket to provide static constants for common factors?

@jzheaux jzheaux removed this from the 7.0.0-RC1 milestone Sep 24, 2025
@jzheaux (Contributor, Author) commented Sep 24, 2025

Merged in 28aad88

@jzheaux jzheaux closed this Sep 24, 2025