4. Authentication

Users are authenticated, and receive roles depending on the authentication backend. Users are administered locally in an application-specific table that can be managed using Invoke.

AUTH_METHOD

Three backends can be configured: local, ad or azure. Each is explored below.

Two-factor authentication can be enabled on top of the first-factor backends local and ad. Currently only DUO is supported; it is explored below.

4.1. First factor authentication backends

4.1.1. Local authentication

Local authentication makes QueryBuilder authenticate users against a table of locally configured users.

Users can be added and removed using Invoke. Note that a user role needs to be granted to a user before that user can access and edit a configured project.

4.1.2. AD authentication

Users logging into QueryBuilder can be authenticated, and to some extent authorised, using an Active Directory. The prerequisite is a provisioned Project that contains an authgroup matching one of the group memberships of the AD user. The user need not be further provisioned in QueryBuilder.

AD_URL

A URL of the form ‘ldap://ad:389’ that describes the location of the Active Directory. Note that the queries rely on Active Directory-specific behaviour, so a generic LDAP server will not suffice.

AD_USER

AD administrator account. This account is used to retrieve user information after login, when the user's password is no longer in context and available.

AD_PASSWORD

AD administrator password.

AD_BASE_DN

A base DN of the form ‘dc=mgrid,dc=net’ that is used as the root for all queries.

AD_USER_DOMAIN

A user domain that is added to all user names entered without a backslash or at sign. Typical example: MGRID\

4.1.3. Azure AD authentication

Users logging into QueryBuilder can be authenticated, and to some extent authorised, using the Azure Active Directory. The prerequisite is a provisioned Project that contains an authgroup matching one of the group memberships of the Azure AD user. The user need not be further provisioned in QueryBuilder.

AZURE_CLIENT_ID

Identifier for the Azure client.

AZURE_CLIENT_SECRET

Secret for the Azure client.

AZURE_USER_AUTH_URL

The url for user authentication. The user is redirected here to log in, e.g. https://mgrid.b2clogin.com/mgrid.onmicrosoft.com/B2C_1_signuplogin/oauth2/v2.0/authorize

AZURE_REDIRECT_URI

The uri the user is redirected to after a successful login. Typical value is https://querybuilder/auth

AZURE_GRAPH_AUTH_URL

The url where QueryBuilder asks for an access_token to be able to fetch data from the Graph API, e.g. https://login.microsoftonline.com/mgrid.onmicrosoft.com

AZURE_GRAPH_API_URL

The url of the Graph API, e.g. https://graph.microsoft.com

AZURE_GRAPH_QUERY_URL

The url for querying the group membership of a specific user, e.g. https://graph.microsoft.com/v1.0/myorganization/users/{user_id}/memberOf?$select=displayName. Ensure the value contains a {user_id} part, which is substituted with the actual user id.

AZURE_VERIFY_ID_TOKEN

Whether to verify the id_token received from the Azure login page. Default value is True.

AZURE_KEYS_URL

The url for fetching the public key the id_token is signed with, e.g. https://mgrid.b2clogin.com/mgrid.onmicrosoft.com/discovery/v2.0/keys?p=B2C_1_signuplogin. This value only needs to be set when AZURE_VERIFY_ID_TOKEN is true.

AZURE_LOGOUT_URI

The uri the user is redirected to when logout is clicked. Typical value is https://mgrid.b2clogin.com/mgrid.onmicrosoft.com/B2C_1_signuplogin/oauth2/v2.0/logout

4.2. Second factor authentication backends

4.2.1. DUO

Users authenticating into QueryBuilder can be asked for a second authentication factor via DUO. They are then contacted via the mobile app or SMS to provide further proof of identity.

DUO_ENABLED

Boolean; set to True to enable, False to disable.

DUO_IKEY

One of the keys needed to interact with the DUO servers.

DUO_SKEY

One of the keys needed to interact with the DUO servers.

DUO_APIHOSTNAME

Hostname of the DUO server to interact with, e.g. api-ffffffff.duosecurity.com.

4.3. Session management

PERMANENT_SESSION_LIFETIME

Sets the lifetime, in seconds, of the session cookie that is set for authenticated users. Defaults to 4 hours.
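The constraints stated in this chapter (valid AUTH_METHOD values, DUO only on top of local or ad, AZURE_KEYS_URL required while AZURE_VERIFY_ID_TOKEN is true, the {user_id} placeholder in AZURE_GRAPH_QUERY_URL, and the per-backend required settings) can be checked before deployment. The following is an added example and not QueryBuilder's own code; it assumes the settings are available as a plain dictionary keyed by the names above and returns a list of findings.

```python
"""Consistency check for the authentication settings documented above.
Added example, not QueryBuilder's own code. Assumes the settings are
passed as a dict keyed by the setting names from this chapter."""

AUTH_METHODS = {"local", "ad", "azure"}
SECOND_FACTOR_CAPABLE = {"local", "ad"}       # DUO is only supported here
AD_REQUIRED = ("AD_URL", "AD_USER", "AD_PASSWORD", "AD_BASE_DN")
AZURE_REQUIRED = ("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET",
                  "AZURE_USER_AUTH_URL", "AZURE_REDIRECT_URI",
                  "AZURE_GRAPH_AUTH_URL", "AZURE_GRAPH_API_URL",
                  "AZURE_GRAPH_QUERY_URL")
DUO_REQUIRED = ("DUO_IKEY", "DUO_SKEY", "DUO_APIHOSTNAME")


def _missing(cfg, keys):
    """Names from keys that are absent or empty in cfg."""
    return [k for k in keys if not cfg.get(k)]


def check_auth_config(cfg):
    """Return a list of findings; an empty list means the settings are
    consistent with the documented constraints."""
    findings = []
    method = cfg.get("AUTH_METHOD")
    if method not in AUTH_METHODS:
        findings.append("AUTH_METHOD must be one of %s, got %r"
                        % (sorted(AUTH_METHODS), method))
        return findings
    if method == "ad":
        for k in _missing(cfg, AD_REQUIRED):
            findings.append("%s is required for ad authentication" % k)
    if method == "azure":
        for k in _missing(cfg, AZURE_REQUIRED):
            findings.append("%s is required for azure authentication" % k)
        if "{user_id}" not in cfg.get("AZURE_GRAPH_QUERY_URL", ""):
            findings.append("AZURE_GRAPH_QUERY_URL must contain {user_id}")
        # The documented default is True, so verification is on unless
        # the operator explicitly switched it off.
        verify = cfg.get("AZURE_VERIFY_ID_TOKEN", True)
        if verify and not cfg.get("AZURE_KEYS_URL"):
            findings.append("AZURE_KEYS_URL is required while "
                            "AZURE_VERIFY_ID_TOKEN is true")
        if not verify:
            findings.append("AZURE_VERIFY_ID_TOKEN is false: the id_token "
                            "signature is not checked")
    if cfg.get("DUO_ENABLED"):
        if method not in SECOND_FACTOR_CAPABLE:
            findings.append("DUO is only supported on top of %s"
                            % sorted(SECOND_FACTOR_CAPABLE))
        for k in _missing(cfg, DUO_REQUIRED):
            findings.append("%s is required when DUO_ENABLED is true" % k)
    return findings
```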