How to use the apache2 authentication plugin (over wsgi)

I have read a lot of guides but don’t find an answer to my question, maybe someone can help.

My privacyIDEA installation is up and running (apache2+mysql).

Now I want to protect an “external web application” by 2FA with privacyIDEA.

So I have configured a new apache2 location with the WSGIAuthUserScript directive pointing to /usr/share/pyshared/

    <Location /secured>
        ProxyPreserveHost On
        AuthType Basic
        AuthName "Protected Area"
        AuthBasicProvider wsgi
        WSGIAuthUserScript /usr/share/pyshared/
        Require valid-user
        ProxyPass https://my_protected_webapplication:8443/
        ProxyPassReverse https://my_protected_webapplication:8443/
    </Location>

It would be great to realize this now:

  1. a user browses to /secured with his web browser
  2. he gets an HTTP basic auth prompt and enters his username@realm and PIN (authentication step 1)
  3. privacyIDEA checks this and starts the second authentication by email token
  4. privacyIDEA sends out an OTP token by email
  5. the user checks his inbox and enters the second PIN (authentication step 2)
  6. privacyIDEA checks again and, if correct, sends “success” to the apache2 auth_basic module
  7. apache2 lets the user pass and allows communication to the configured backend application by using ProxyPass (mod_proxy)

This is working so far:

  1. success
  2. success
  3. success
  4. success; privacyIDEA sends a token to the user's email address
  5. failed

After step 4, the apache2 HTTP basic login prompt appears again in the user's browser (is it possible to redirect to a nice web UI to enter the second email OTP PIN?). If I enter username@realm again with the OTP PIN from the email, the authentication fails.
What do I have to enter in the second step (after the username/password prompt appears again to validate the mail token PIN)?

Is this setup possible in general?

Hello @sflCaZ,
welcome to privacyIDEA world.

To my knowledge this is not possible. Basic auth cannot keep a state between the two authentication steps.
In the second step, the “application” (basic auth) would have to send a “transaction_id” from the first step to prove that the user already provided the correct PIN in the first step. (This is what we call challenge response.)

The only way you could use the crappy email token in your scenario is that the user enters PIN + OTP (from the email) in the second step.
I personally recommend either

  1. use a “single shot” token (a non-challenge-response) like HOTP or
  2. add 2FA in the correct way into your application
  3. use a remote gateway that supports challenge response on RADIUS level
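As an added example (not code from either post, nor from the privacyIDEA project), here is what a mod_wsgi `check_password` script behind `AuthBasicProvider wsgi` looks like when it follows the advice above: one `/validate/check` call with PIN+OTP of a single-shot token, and an explicit rejection when privacyIDEA answers with a `transaction_id` (a triggered challenge), because Basic auth has nowhere to keep that id for a second round-trip. The privacyIDEA URL, the `user@realm` username form and the `opener` hook are assumptions for this example.

```python
# Added example: a mod_wsgi WSGIAuthUserScript checking HTTP Basic credentials
# against privacyIDEA's /validate/check endpoint.
# Assumptions (not from the post): privacyIDEA listens at PI_URL, the Basic
# username is "user@realm", and the password field carries PIN+OTP of a
# single-shot token (e.g. HOTP), as the answer above recommends.
import json
import urllib.parse
import urllib.request

PI_URL = "https://privacyidea.example.com"  # placeholder, not from the post


def pi_validate(user, password, realm=None, opener=None):
    """POST /validate/check and return the parsed JSON reply.

    `opener` is injectable so the decision logic can be exercised offline."""
    data = {"user": user, "pass": password}
    if realm:
        data["realm"] = realm
    body = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(PI_URL + "/validate/check", data=body, method="POST")
    send = opener or (lambda r: urllib.request.urlopen(r, timeout=5).read())
    return json.loads(send(req))


def decide(response):
    """Map a /validate/check reply to a Basic-auth verdict.

    Only result.value == True passes. A reply carrying detail.transaction_id
    means a challenge (e.g. email token) was triggered; Basic auth cannot
    keep that id between requests, so the request is rejected rather than
    left half-authenticated."""
    result = response.get("result", {})
    if not result.get("status"):
        return False
    if response.get("detail", {}).get("transaction_id"):
        return False
    return result.get("value") is True


def check_password(environ, user, password, opener=None):
    """mod_wsgi entry point: True = pass, False = reject, None = unknown user."""
    if "@" in user:
        user, realm = user.rsplit("@", 1)
    else:
        realm = None
    try:
        return decide(pi_validate(user, password, realm, opener))
    except (OSError, ValueError):
        return False  # network or parse failure: fail closed
```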