Skip to content

Add Multi-factor Authentication Support#17775

Closed
jzheaux wants to merge 9 commits intospring-projects:mainfrom
jzheaux:mfa
Closed

Add Multi-factor Authentication Support#17775
jzheaux wants to merge 9 commits intospring-projects:mainfrom
jzheaux:mfa

Conversation

@jzheaux
Copy link
Contributor

@jzheaux jzheaux commented Aug 19, 2025
edited
Loading

Related to spring-projects/spring-security-samples#351

Implement N authentication factors and they will be required in the order that they are declared:

http
    .authorizeHttpRequests((authorize) -> authorize.anyRequest()
        .access(allOf(hasAuthority("FACTOR_PASSWORD"), hasAuthority("FACTOR_OTT")))
    )
    .formLogin(Customizer.withDefaults())
    .oneTimeTokenLogin(Customizer.withDefaults())
    // ...

This will ask for a username/password first and a one-time token second. Thereafter, the user will be considered sufficiently authenticated.

Note that you can also publish an AuthorizationManagerFactory<Object> bean that checks for FACTOR_PASSWORD and FACTOR_OTT; however, this has not been added to this PR.

You can also specify a custom action to perform when a given factor is missing:

http
    .authorizeHttpRequests((authorize) -> authorize.anyRequest()
        .access(allOf(hasAuthority("FACTOR_PASSWORD"), hasAuthority("FACTOR_WEBAUTHN")))
    )
    .formLogin(Customizer.withDefaults())
    .webauthn((webauthn) -> ...)
    .exceptionHandling((exceptions) -> exceptions
        .defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint("/webauthn"), "FACTOR_WEBAUTHN")
    )
    // ...

Note that authentication factors already integrate with defaultAuthenticationEntryPointFor in this PR. The above is needed for WebAuthn since it doesn't expose a custom entry point page in its DSL.

@jzheaux jzheaux mentioned this pull request Aug 19, 2025
Draft
@jzheaux jzheaux force-pushed the mfa branch 3 times, most recently from a399b9f to a69e16f Compare September 9, 2025 23:08
rwinch
rwinch requested changes Sep 11, 2025
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @jzheaux! I've provided feedback inline.

rwinch
rwinch requested changes Sep 16, 2025
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've provided some additional feedback based upon your changes

@jzheaux jzheaux force-pushed the mfa branch 2 times, most recently from c123bb6 to cd4c9d0 Compare September 17, 2025 23:57
rwinch
rwinch requested changes Sep 18, 2025
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates. I've provided some additional feedback inline

@jzheaux jzheaux force-pushed the mfa branch 3 times, most recently from afaf6fc to 4283aeb Compare September 19, 2025 23:54
@jzheaux jzheaux self-assigned this Sep 22, 2025
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Sep 22, 2025
@jzheaux jzheaux added this to the 7.0.0-RC1 milestone Sep 22, 2025
@jzheaux
Add Initial Documentation
e3fed3e 
Issue spring-projectsgh-17934
@jzheaux
Support Showing One Part of Login Page
209ebd2 
Closes spring-projectsgh-17901
@jzheaux
Prepopulate Username When Known
1faea57 
Closes spring-projectsgh-17935
@jzheaux
Polish Default Login Page
835c8e1 
Issue spring-projectsgh-17901
@jzheaux
Response to Additional Feedback
5da2cdb 
- Moved request attribute to WebAttributes
- Renamed ExceptionHandlingConfigurer methods
- Removed varargs from DelegatingMissingAuthorityAccessDeniedHandler
rwinch
rwinch requested changes Sep 22, 2025
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we are very close now. I've provided feedback inline. In addition, can you please log a ticket to provide static constants for common factors?

@jzheaux jzheaux removed this from the 7.0.0-RC1 milestone Sep 24, 2025
@jzheaux
Copy link
Contributor Author

jzheaux commented Sep 24, 2025

Merged in 28aad88

@jzheaux jzheaux closed this Sep 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rwinch rwinch rwinch requested changes

Assignees

@jzheaux jzheaux

Labels

in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jzheaux @rwinch