2FA on REST API with JWT

Question

Question

Geoff Lawson · Jul 25, 2023

I successfully setup a REST web application with JWT enabled, which is fantastic. My next configuration 'challenge' is to add 2FA to this REST app. First question first - is this possible with the OpenAPI generated /login? The end goal is to build out a SPA (React) using /login for the JWT and adding the Auth bearer token for api calls. I'd like to prevent the token generation until the 2FA is satisfied - or generate the token, but test if the 2FA is satisfied before allowing calls forward. Hope that's clear.

Discussion (5)1

Log in or sign up to continue

Heloisa Paiva · Aug 7, 2023

Oh I see... I'm still studying the case, but here is an idea:

Instead of having the client access directly the /login, you can put a layer between them. The client access your layer, that forwards the request to the /login, receives the response but only sends it after the 2FA. Does it work for you?

Also, idk if you have checked it out already, but this link might help:
https://docs.intersystems.com/iris20232/csp/docbook/DocBook.UI.Page.cls?...

0 0

score 1 · Answer 1 · 2023-08-04T14:44:58-04:00

It seems to me that you can achieve that by adding a business process that receives the login attempt, calls a business operation requesting for the 2FA, and waits for its response. Once it gets it correctly, the BP can return the token.
Does that help or you need something more specific?

score 0 · Answer 2 · 2023-08-07T11:34:12-04:00

Thanks. I really want to leverage the 'built in' /login, how do I add in a BP in front of it? I'm really trying to avoid 'rolling our own' authentication logic.

score 1 · Answer 3 · 2023-08-10T11:03:28-04:00

Thank you @Heloisa Paiva. Your idea of BP in front of a call to login should work out fine. I'm marking this as 'resolved' and will post the actual outcome once we've had a chance to implement it.

score 0 · Answer 4 · 2023-08-10T14:35:03-04:00

Great to hear that! I hope it works out. Feel free to contact me if you have any problems so I can try to help you.