Skip to content

neverpanic/simpleid-yubikey

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
 
 
 
 

Repository files navigation

SimpleID Yubikey Authentication

This is a third-party extension for the SimpleID OpenID provider written in PHP that adds the possibility to authenticate using a Yubico Yubikey.

Installation

  1. Copy extensions/yubikey into the extensions folder below the webroot of your SimpleID installation.
  2. Edit config.php and add the Yubikey extension to the comma-separated list of extensions in the SIMPLEID_EXTENSIONS constant.
  3. Edit your identities and add the required information for Yubikey authentication. See the configuration section for all possible values and their meaning.

Identity Configuration

The following variables from identity pages have an effect on the Yubikey authentication store:

  • auth_method: This option controls whether a user can authenticate using a Yubikey or using the default password-based method. Since this extension hides the username field, you will probably want to set this to YUBIKEY for all your users. Note that Yubikey authentication will only be attempted with accounts that have auth_method set to YUBIKEY. Choosing Yubikey authentication requires a few keys in the yubikey section.

The following options in the [yubikey] identity file section control the authentication using Yubikeys:

  • client_id: The API key ID for the Yubikey validation server you want to use. For the official yubico.com infrastructure, you can get such a key at https://upgrade.yubico.com/getapikey/. If you run your own validation server, you probably know how to get this. Mandatory.
  • client_key: The API key corresponding to the API key ID. This is a short, base64-encoded string you usually get from whoever runs the validation server you use. Mandatory.
  • use_https: A boolean indicating whether the connection to the API server should use HTTPS. You should really set this to a value that will evaluate to true in PHP. Mandatory.
  • key_id[]: The IDs of the Yubikeys that should be able to log-in using the given identity. You can get this by stripping the last 32 characters from the output generated by your Yubikey. Mandatory.
  • URLs: Array-field that allows you to specify partial URLs to your own Yubikey validation servers. Do not specify the protocol (since that's controlled by the use_https option) and always use array brackets to add a value. Optional. Example: URLs[]=yubikey.yourdomain.tld:port/wsapi/2.0/verify.

An example identity file might look like this:

identity="https://my.example.com"
pass="unused"
auth_method="YUBIKEY"

[yubikey]
client_id="1"
client_key="AaAaAaAaAaAaAaAaAaAaAaAaAaA="
use_https=1
key_id[]="hdvbhdvbillt"
key_id[]="hdvbhdvvvqll"
URLs[]="yubikey1.example.com/wsapi/2.0/verify"
URLs[]="yubikey2.example.com/wsapi/2.0/verify"
URLs[]="yubikey3.example.com:8443/wsapi/2.0/verify"

Changelog

1.0

Support multiple Yubikeys per account. (#2)