2FA

Hello,
I ran through all the tutorials and docs in Hilla and it looks quite nice. I was wondering if there are any guidelines on implementing 2FA with TOTP using JWT. Also, if it is something that the “LoginOverlay” component would be helpful for.

Thanks.

Hi, I couldn’t find any new TOTP guidelines/examples specifically for Vaadin/Hilla.
But most logic would be on the BE side with Spring anyway.
Something similar to https://www.baeldung.com/spring-security-two-factor-authentication-with-soft-token could be a good starting point.

Thanks for the answer @joint-pug. I ended up in that tutorial as well. I looked into the official guides from Spring Security to compare too, and most of these references use normal sessions. I was wondering if there was something for JWT, to mix with the tutorial in the Hilla website. Basically the steps seem to store the first step (username and password (not stored)) confirmation in the session and only after the TOTP token is sent, they fully authorise the user.
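An added worked example, not code from any post in this thread and not Hilla's or Spring's own code, showing the two-step flow described above in a stateless form: the password check issues only a short-lived token with an `mfa_pending` scope, and that token plus a valid TOTP code is exchanged for the full access token, so neither half alone grants access. It assumes a minimal HS256 JWT built from the Python standard library (a real backend would use a JWT library), a constructed signing key and user record, the RFC 6238 test secret for the TOTP part, and a SHA-256 stand-in for a proper password hash such as bcrypt or Argon2.

```python
"""Two-step login (password, then TOTP) issuing a stateless JWT-style token."""
import base64
import hashlib
import hmac
import json
import struct
from typing import Optional

# Constructed values for the example only; a deployment loads the signing key
# from configuration and stores each user's TOTP secret encrypted at rest.
JWT_SIGNING_KEY = b"example-signing-key-change-me"
USERS = {
    "alice": {
        # SHA-256 stands in for a real password hash (bcrypt/Argon2) here.
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        # RFC 6238 Appendix B test secret ("12345678901234567890"), base32.
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}
PRE_AUTH_TTL = 120   # seconds the pre-auth token may be used to finish step 2
ACCESS_TTL = 3600


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, now // step)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Accept the current 30 s step and +/- `window` steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, now // 30 + drift), code):
            return True
    return False


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict) -> str:
    """Minimal HS256 JWT (header.payload.signature) signed with JWT_SIGNING_KEY."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(JWT_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the HMAC is valid and the token is unexpired.

    The algorithm is fixed server-side; the header's `alg` is never trusted."""
    try:
        header, payload, sig = token.split(".")
        signature = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return None
    expected = hmac.new(JWT_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def login_step1(username: str, password: str, now: int) -> Optional[str]:
    """Password check. Success yields only a pre-auth token scoped to the TOTP step."""
    user = USERS.get(username)
    if user is None:
        return None
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given, user["password_hash"]):
        return None
    return sign_token({"sub": username, "scope": "mfa_pending", "exp": now + PRE_AUTH_TTL})


def login_step2(pre_auth_token: str, code: str, now: int) -> Optional[str]:
    """Exchange a pre-auth token plus a valid TOTP code for a full access token."""
    claims = verify_token(pre_auth_token, now)
    if claims is None or claims.get("scope") != "mfa_pending":
        return None
    user = USERS.get(claims.get("sub"))
    if user is None or not verify_totp(user["totp_secret"], code, now):
        return None
    return sign_token({"sub": claims["sub"], "scope": "access", "exp": now + ACCESS_TTL})


def is_authorized(token: str, now: int) -> bool:
    """Resource endpoints accept only tokens carrying the full 'access' scope."""
    claims = verify_token(token, now)
    return claims is not None and claims.get("scope") == "access"
```

The scope claim is what replaces the session flag from the Baeldung tutorial: endpoints check for `access`, so a pre-auth token presented to a protected endpoint is rejected even though its signature is valid, and an access token presented to step 2 is rejected as well. Keeping `PRE_AUTH_TTL` short bounds how long a stolen pre-auth token is useful, and the drift window in `verify_totp` should stay small (one step either side is typical).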

Instead of implementing 2FA on your own, you could use Hilla together with an Authorization Server like Keycloak or Auth0. In terms of OAuth you could implement something like the Authorization Code Flow. This way a user will be redirected to the Authorization Server and it’s the responsibility of the Authorization Server to authenticate a user. The way the authentication is done is part of the configuration of the Authorization Server, which means you could configure the Authorization Server to use 2FA. Hilla does not know anything about the concrete authentication mechanism, because it’s the responsibility of the Authorization Server.

Thanks @kismet-alpaca. That seems to be the way we shall follow here, to not reinvent the wheel.