Uploaded image for project: 'OpenDJ'
  1. OpenDJ
  2. OPENDJ-7858

Define new SASL mechanisms to be able to authenticate a connection from the JWT bearer token, or have Yubikey second factor authentication



    • New Feature
    • Status: Dev backlog
    • Major
    • Resolution: Unresolved
    • 7.0.1
    • None
    • rest, security
    • None


      Customer is looking to incorporate the use of JWT Bearer tokens and Yubikey or equivalent for user authentications.

      The customer has provided the following additional details:

      JWT Bearer tokens

      We have OAuth2 token coming in from Service (SASL OAUTHBEARER RFC 7628). OAuth2 tokens are implemented as JWT (RFC 7523).

      OAuth2 Client has access token and LDAP is the resource server.

      Client identity is the DN of the client app in LDAP represented by sub (OAuth2) or client_id (OIDC) claims .

      Token validation allows bearer of the token to bind as DN represented as sub claim.

      Validations can include:

      1. JWT token validation based on alg, k5* headers, signature validation and Key and issuer validation
      2. Audience validation to include ldap server logical name (or fqdn). The `aud` claim must contain LDAP server logical name
      3. Optional equivalent of X.509 OID (Client authentication). OID allow network identifier of the caller (e.g. IP seen in the connect request) to be validated. In JWT this an be a `instance` or `ip` claim. This adds aditional security similar to X.509 (NIST 800-52). With this both X.509 and JWT based models will be identical.


      I am looking for 2 FA support on LDAP, need not be YubiKey we are open to other options as well. Idea is to use both password file and dynamic token generated by 2nd factor (Ping, YubiKey, etc).

      e.g., if LDAP BIND send the PIN and Dynamic token part (PIN+Dynamic part), this can be validated against PIN=>passwd and Dynamic Part=>2nd factor provider. That can allow apps to honor both LDAP Password and Dynamic token (e.g. YubiKey).




            Unassigned Unassigned
            tina.roper Tina Roper
            0 Vote for this issue
            3 Start watching this issue