.. image:: https://img.shields.io/badge/license-LGPL--3-blue.png
:target: https://www.gnu.org/licenses/lgpl.html
:alt: License: LGPL-3
====================
MFA Support via TOTP
====================
This module adds support for MFA using TOTP (time-based, one-time passwords).
It allows users to enable/disable MFA and manage authentication apps/devices
via the "Change My Preferences" view and an associated wizard.
After logging in normally, users with MFA enabled are taken to a second screen
where they have to enter a password generated by one of their authentication
apps and are presented with the option to remember the current device. This
creates a secure, HTTP-only cookie that allows subsequent logins to bypass the
MFA step.
Installation
============
1. Install the PyOTP library using pip: ``pip install pyotp``
2. Follow the standard module install process
Configuration
=============
By default, the trusted device cookies introduced by this module have a
``Secure`` flag. This decreases the likelihood of cookie theft via
eavesdropping but may result in cookies not being set by certain browsers
unless your Odoo instance uses HTTPS. If necessary, you can disable this flag
by going to ``Settings > Parameters > System Parameters`` and changing the
``auth_totp.secure_cookie`` key to ``0``.
Usage
=====
If necessary, a user's trusted devices can be revoked by disabling and
re-enabling MFA for that user.
.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
:alt: Try me on Runbot
:target: https://runbot.odoo-community.org/runbot/251/11.0
Known Issues / Roadmap
======================
Known Issues
------------
* External calls to the Odoo XML-RPC API are blocked for users who enable MFA
since there is currently no way to perform MFA authentication as part of this
process. However, due to the way that Odoo handles authentication caching,
multi-threaded or multi-process servers will need to be restarted before the
block can take effect for users who have just enabled MFA.
Roadmap
-------
* Make the lifetime of the trusted device cookie configurable rather than fixed
at 30 days
* Add device fingerprinting to the trusted device cookie
* Add company-level settings for forcing all users to enable MFA and disabling
the trusted device option
* Monkey patch 1 is not needed anymore in Werkzeug==0.13 or upper
* Monkey patch 2 will work until werkzeug.contrib gets removed.
Bug Tracker
===========
Bugs are tracked on `GitHub Issues
<https://github.com/OCA/server-auth/issues>`_. In case of trouble, please
check there if your issue has already been reported. If you spotted it first,
help us smash it by providing detailed and welcomed feedback.
Credits
=======
Images
------
* Odoo Community Association: `Icon <https://odoo-community.org/logo.png>`_.
Contributors
------------
* Oleg Bulkin <obulkin@laslabs.com>
Do not contact contributors directly about support or help with technical issues.
Maintainer
----------
.. image:: https://odoo-community.org/logo.png
:alt: Odoo Community Association
:target: https://odoo-community.org
This module is maintained by the OCA.
OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.
To contribute to this module, please visit https://odoo-community.org.
Raw data
{
"_id": null,
"home_page": "https://github.com/OCA/server-auth",
"name": "odoo11-addon-auth-totp",
"maintainer": "",
"docs_url": null,
"requires_python": ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*",
"maintainer_email": "",
"keywords": "",
"author": "LasLabs, Odoo Community Association (OCA)",
"author_email": "support@odoo-community.org",
"download_url": "",
"platform": null,
"description": ".. image:: https://img.shields.io/badge/license-LGPL--3-blue.png\n :target: https://www.gnu.org/licenses/lgpl.html\n :alt: License: LGPL-3\n\n====================\nMFA Support via TOTP\n====================\n\nThis module adds support for MFA using TOTP (time-based, one-time passwords). \nIt allows users to enable/disable MFA and manage authentication apps/devices \nvia the \"Change My Preferences\" view and an associated wizard. \n\nAfter logging in normally, users with MFA enabled are taken to a second screen \nwhere they have to enter a password generated by one of their authentication \napps and are presented with the option to remember the current device. This \ncreates a secure, HTTP-only cookie that allows subsequent logins to bypass the \nMFA step.\n\nInstallation\n============\n\n1. Install the PyOTP library using pip: ``pip install pyotp``\n2. Follow the standard module install process\n\nConfiguration\n=============\n\nBy default, the trusted device cookies introduced by this module have a \n``Secure`` flag. This decreases the likelihood of cookie theft via\neavesdropping but may result in cookies not being set by certain browsers\nunless your Odoo instance uses HTTPS. If necessary, you can disable this flag\nby going to ``Settings > Parameters > System Parameters`` and changing the\n``auth_totp.secure_cookie`` key to ``0``.\n\nUsage\n=====\n\nIf necessary, a user's trusted devices can be revoked by disabling and\nre-enabling MFA for that user.\n\n.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas\n :alt: Try me on Runbot\n :target: https://runbot.odoo-community.org/runbot/251/11.0\n\nKnown Issues / Roadmap\n======================\n\nKnown Issues\n------------\n\n* External calls to the Odoo XML-RPC API are blocked for users who enable MFA\n since there is currently no way to perform MFA authentication as part of this\n process. However, due to the way that Odoo handles authentication caching,\n multi-threaded or multi-process servers will need to be restarted before the\n block can take effect for users who have just enabled MFA.\n\nRoadmap\n-------\n\n* Make the lifetime of the trusted device cookie configurable rather than fixed\n at 30 days\n* Add device fingerprinting to the trusted device cookie\n* Add company-level settings for forcing all users to enable MFA and disabling \n the trusted device option\n* Monkey patch 1 is not needed anymore in Werkzeug==0.13 or upper\n* Monkey patch 2 will work until werkzeug.contrib gets removed.\n\nBug Tracker\n===========\n\nBugs are tracked on `GitHub Issues\n<https://github.com/OCA/server-auth/issues>`_. In case of trouble, please\ncheck there if your issue has already been reported. If you spotted it first,\nhelp us smash it by providing detailed and welcomed feedback.\n\nCredits\n=======\n\nImages\n------\n\n* Odoo Community Association: `Icon <https://odoo-community.org/logo.png>`_.\n\nContributors\n------------\n\n* Oleg Bulkin <obulkin@laslabs.com>\n\nDo not contact contributors directly about support or help with technical issues.\n\nMaintainer\n----------\n\n.. image:: https://odoo-community.org/logo.png\n :alt: Odoo Community Association\n :target: https://odoo-community.org\n\nThis module is maintained by the OCA.\n\nOCA, or the Odoo Community Association, is a nonprofit organization whose\nmission is to support the collaborative development of Odoo features and\npromote its widespread use.\n\nTo contribute to this module, please visit https://odoo-community.org.\n\n\n",
"bugtrack_url": null,
"license": "LGPL-3",
"summary": "Allows users to enable MFA and add optional trusted devices",
"version": "11.0.1.1.0.99.dev4",
"project_urls": {
"Homepage": "https://github.com/OCA/server-auth"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "2c2106f67d78fc6c1e9749087abe6f171d4df5a24c10a2440247068b91cf96b3",
"md5": "a9180fcd24017b9b9617d143d7b911d5",
"sha256": "e32ecebf53baad9487337199be47ca9cbf1244239afdeab0db61faf8710f0e8d"
},
"downloads": -1,
"filename": "odoo11_addon_auth_totp-11.0.1.1.0.99.dev4-py2.py3-none-any.whl",
"has_sig": false,
"md5_digest": "a9180fcd24017b9b9617d143d7b911d5",
"packagetype": "bdist_wheel",
"python_version": "py2.py3",
"requires_python": ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*",
"size": 181357,
"upload_time": "2023-05-26T05:05:55",
"upload_time_iso_8601": "2023-05-26T05:05:55.273977Z",
"url": "https://files.pythonhosted.org/packages/2c/21/06f67d78fc6c1e9749087abe6f171d4df5a24c10a2440247068b91cf96b3/odoo11_addon_auth_totp-11.0.1.1.0.99.dev4-py2.py3-none-any.whl",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-05-26 05:05:55",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "OCA",
"github_project": "server-auth",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "cryptography",
"specs": []
},
{
"name": "email_validator",
"specs": []
},
{
"name": "lxml",
"specs": []
},
{
"name": "pyjwt",
"specs": []
},
{
"name": "pysaml2",
"specs": []
},
{
"name": "python-jose",
"specs": []
},
{
"name": "python-ldap",
"specs": []
},
{
"name": "zxcvbn",
"specs": []
}
],
"lcname": "odoo11-addon-auth-totp"
}
JSON
