Security Configuration
Crossbar API to configure authentication for an account.
About Security
Crossbar authenticator modules can have their own account’s version configuration to control some aspect of them like enabling/disabling the module or use multi factor authenticator for that specific module.
Note
This API endpoint is only configuring the authentication for a account, for configuring the system, you should use system_configs instead as super duper admin. System config category is crossbar.auth.
How Crossbar is looking for authentication configuration
Configuration is the merged result of the account’s configuration and all its parent’s account up to the first reseller, then the system config itself. So the account inherits parent and reseller account and system config.
Enable Multi Factor Authentication for a Crossbar auth module
If you want to use multi factor authentication for a module, set the multi_factor.enabled to true. You can control if the multi factor settings can be applied to the account’s children by multi_factor.include_subaccounts.
When setting configuration_id of the multi-factor, you have to set the Account ID which contains the that configuration.
Only a parent Account or the same Account can set configuration_id and account_id unless multi_factor.include_subaccounts is true and a descendant account can use its parent configuration_id.
See Multi Factor Authentication API documentation.
Lock account on multiple login failure
For security compliance, it is required to lock the user if it tries to login and it fails when specific amount of attempts are reached. Unfortunately currently there is no way to find out what user is trying to login in Crossbar.
As security per caution for the time being, Kazoo will lock the whole account. This is an opt-in feature, a sysadmin need to enable this feature using:
sup kapps_config set_boolean crossbar.auth lock_account_on_failed_attempts true
The mechanism is similar to Token Buckets but it has its own bucket configuration. The bucket is
configurable under crossbar_auth name in system_configs/token_buckets. The recommended
setting is:
sup kapps_config set_integer token_buckets crossbar_auth_bucket tokens_fill_rate 175
sup kapps_config set_integer token_buckets crossbar_auth_bucket max_bucket_tokens 175
sup kapps_config set_string token_buckets crossbar_auth_bucket tokens_fill_time hour
Token Cost for all auth is set to 35 by default (each auth module has its own token cost configurable).
So when max_bucket_tokens is 175, users can attempt to login for 5 times: 35 * 5 = 175. The fill time
is set to one hour so the account will be locked for that amount of time.
If the account is locked, a reseller or super duper admin can unlock the account using the API provided below.
Account Auth Configuration Schema
Schema
Schema for crossbar.auth account_config
| Key | Description | Type | Default | Required | Support Level |
|---|---|---|---|---|---|
auth_modules.cb_api_auth | crossbar authenticator module configuration | #/definitions/auth_module_config | false | ||
auth_modules.cb_auth | crossbar authenticator module configuration | #/definitions/auth_module_config | false | ||
auth_modules.cb_ip_auth | crossbar authenticator module configuration | #/definitions/auth_module_config | false | ||
auth_modules.cb_user_auth | crossbar authenticator module configuration | #/definitions/auth_module_config | false | ||
auth_modules | Default crossbar authentication modules configuration | object() | {"cb_user_auth":{"token_auth_expiry_s":3600,"log_successful_attempts":true,"log_failed_attempts":true,"enabled":true},"cb_ip_auth":{"token_auth_expiry_s":3600,"log_successful_attempts":false,"log_failed_attempts":true,"enabled":true},"cb_auth":{"token_auth_expiry_s":3600,"log_successful_attempts":false,"log_failed_attempts":true,"enabled":true},"cb_api_auth":{"token_auth_expiry_s":3600,"log_successful_attempts":false,"log_failed_attempts":true,"enabled":true}} | true |
auth_module_config
crossbar authenticator module configuration
| Key | Description | Type | Default | Required | Support Level |
|---|---|---|---|---|---|
enabled | whether or not this authenticator module is enabled | boolean() | false | ||
log_failed_attempts | should log failed logging attempts | boolean() | false | ||
log_successful_attempts | should log successful logging attempts | boolean() | false | ||
multi_factor.account_id | ID of the account that contains the multi factor configuration | string() | false | ||
multi_factor.configuration_id | document ID that contains the multi factor configuration | string() | false | ||
multi_factor.enabled | turn on/off multi factor authentications for this module | boolean() | false | ||
multi_factor.include_subaccounts | should this multi factor authentication settings be applied when used by sub-accounts | boolean() | false | ||
multi_factor | control multi factor authentications for this module | object() | false | ||
token_auth_expiry_s | expiration period of the JWT token (seconds) | integer() | false |
Get a List of Available Auth Module
List of all available auth module to be configured.
GET /v2/security
curl -v -X GET \
-H "X-Auth-Token: {AUTH_TOKEN}" \
http://{SERVER}:8000/v2/security
Responses
{
"data": {
"available_auth_modules": [
"cb_api_auth",
"cb_auth",
"cb_ip_auth",
"cb_user_auth"
]
},
"timestamp": "{TIMESTAMP}",
"version": "{VERSION}",
"node": "{NODE_HASH}",
"request_id": "{REQUEST_ID}",
"status": "success",
"auth_token": "{AUTH_TOKEN}"
}
Fetch All Configurations
Get all configured authenticator module on the account alongside the default settings of merged result of account itself and its parents, reseller and system.
GET /v2/accounts/{ACCOUNT_ID}/security
curl -v -X GET \
-H "X-Auth-Token: {AUTH_TOKEN}" \
http://{SERVER}:8000/v2/accounts/{ACCOUNT_ID}/security
Responses
{
"data": {
"account": {},
"inherited_config": {
"auth_modules": {
"cb_user_auth": {
"enabled": true,
"token_auth_expiry_s": 3600,
"log_failed_attempts": true,
"log_successful_attempts": true,
"multi_factor": {
"enabled": false,
"_read_only": {
"name": "Default System Provider",
"provider_name": "duo"
}
}
},
"cb_api_auth": {
"enabled": true,
"token_auth_expiry_s": 3600,
"log_failed_attempts": true,
"log_successful_attempts": true
},
"cb_auth": {
"enabled": true,
"token_auth_expiry_s": 3600,
"log_failed_attempts": true,
"log_successful_attempts": true
},
"cb_ip_auth": {
"enabled": true,
"token_auth_expiry_s": 3600,
"log_failed_attempts": true,
"log_successful_attempts": true
}
}
}
},
"timestamp": "{TIMESTAMP}",
"version": "{VERSION}",
"node": "{NODE_HASH}",
"request_id": "{REQUEST_ID}",
"status": "success",
"auth_token": "{AUTH_TOKEN}"
}
Change
Customize modules config for the account. Set what settings you want here, crossbar always get the merged config from account and hierarchy.
POST /v2/accounts/{ACCOUNT_ID}/security
curl -v -X POST \
-H "X-Auth-Token: {AUTH_TOKEN}" \
-d '{ "data": { "auth_modules" :{ "cb_user_auth": { "token_auth_expiry_s": 604800 }, "cb_api_auth": { "enabled": false } } } }'
http://{SERVER}:8000/v2/accounts/{ACCOUNT_ID}/security
Response
{
"data": {
"auth_modules": {
"cb_user_auth": {
"token_auth_expiry_s": 604800
},
"cb_api_auth": {
"enabled": false
}
},
"id": "configs_crossbar.auth"
},
"timestamp": "{TIMESTAMP}",
"version": "{VERSION}",
"node": "{NODE_HASH}",
"request_id": "{REQUEST_ID}",
"status": "success",
"auth_token": "{AUTH_TOKEN}"
}
Patch
Patch field(s) of config for the account customization.
PATCH /v2/accounts/{ACCOUNT_ID}/security
curl -v -X PATCH \
-H "X-Auth-Token: {AUTH_TOKEN}" \
-d '{ "data": { "auth_modules" :{ "cb_api_auth": { "enabled": true } } } }'
http://{SERVER}:8000/v2/accounts/{ACCOUNT_ID}/security
Responses
{
"data": {
"auth_modules": {
"cb_user_auth": {
"token_auth_expiry_s": 604800
},
"cb_api_auth": {
"enabled": false
}
},
"id": "configs_crossbar.auth"
},
"timestamp": "{TIMESTAMP}",
"version": "{VERSION}",
"node": "{NODE_HASH}",
"request_id": "{REQUEST_ID}",
"status": "success",
"auth_token": "{AUTH_TOKEN}"
}
Remove
Delete account’s auth config.
DELETE /v2/accounts/{ACCOUNT_ID}/security
curl -v -X DELETE \
-H "X-Auth-Token: {AUTH_TOKEN}" \
http://{SERVER}:8000/v2/accounts/{ACCOUNT_ID}/security
Responses
{
"data": {
"auth_modules": {
"cb_user_auth": {
"token_auth_expiry_s": 604800
},
"cb_api_auth": {
"enabled": false
}
},
"id": "configs_crossbar.auth"
},
"timestamp": "{TIMESTAMP}",
"version": "{VERSION}",
"node": "{NODE_HASH}",
"request_id": "{REQUEST_ID}",
"status": "success",
"auth_token": "{AUTH_TOKEN}"
}
Set Multi Factor Configuration for a Authentication Module
POST /v2/accounts/{ACCOUNT_ID}/security
curl -v -X POST \
-H "X-Auth-Token: {AUTH_TOKEN}" \
-d '{ "data": { "auth_modules" :{ "cb_user_auth": { "multi_factor": { "enabled": true, "configuration_id": "c757665dca55edba2395df3ca6423f4f", "account_id": "a391d64a083b99232f6d2633c47432e3" } } } } }'
http://{SERVER}:8000/v2/accounts/{ACCOUNT_ID}/security
Responses
{
"data": {
"auth_modules": {
"cb_user_auth": {
"multi_factor": {
"enabled": true,
"configuration_id": "c757665dca55edba2395df3ca6423f4f",
"account_id": "a391d64a083b99232f6d2633c47432e3",
"_read_only": {
"name": "a nice day",
"provider_name": "duo"
}
}
}
}
},
"id": "configs_crossbar.auth"
},
"timestamp": "{TIMESTAMP}",
"version": "{VERSION}",
"node": "{NODE_HASH}",
"request_id": "{REQUEST_ID}",
"status": "success",
"auth_token": "{AUTH_TOKEN}"
}
Check if account is locked due multiple failed login attempts
A reseller of an account can check if one of their sub-accounts are locked because of multiple failed login attempts or not.
{ACCOUNT_ID} is the account ID to check its lock status.
GET /v2/accounts/{ACCOUNT_ID}/security/login_lock
Example request:
curl -v -X GET \
-H "X-Auth-Token: {AUTH_TOKEN}" \
http://{SERVER}:8000/v2/accounts/{ACCOUNT_ID}/security/login_lock
Example response if the account is locked:
{
"data": {
"status": "account is locked"
},
"timestamp": "{TIMESTAMP}",
"version": "{VERSION}",
"node": "{NODE_HASH}",
"request_id": "{REQUEST_ID}",
"status": "success",
"auth_token": "{AUTH_TOKEN}"
}
Example response if the account is not locked:
{
"data": {
"status": "account is not locked"
},
"timestamp": "{TIMESTAMP}",
"version": "{VERSION}",
"node": "{NODE_HASH}",
"request_id": "{REQUEST_ID}",
"status": "success",
"auth_token": "{AUTH_TOKEN}"
}
Unlock an account
A reseller can unlock theur sub-accounts if the account is locked due multiple failed login attempts.
{ACCOUNT_ID} is the account ID to unlock.
DELETE /v2/accounts/{ACCOUNT_ID}/security/login_lock
curl -v -X DELETE \
-H "X-Auth-Token: {AUTH_TOKEN}" \
http://{SERVER}:8000/v2/accounts/{ACCOUNT_ID}/security/login_lock
Example response if the account unlocked successfully:
{
"data": {
"status": "account is unlocked"
},
"timestamp": "{TIMESTAMP}",
"version": "{VERSION}",
"node": "{NODE_HASH}",
"request_id": "{REQUEST_ID}",
"status": "success",
"auth_token": "{AUTH_TOKEN}"
}
Example response if the account is not locked:
{
"data": {
"status": "account was not locked"
},
"timestamp": "{TIMESTAMP}",
"version": "{VERSION}",
"node": "{NODE_HASH}",
"request_id": "{REQUEST_ID}",
"status": "success",
"auth_token": "{AUTH_TOKEN}"
}
Fetch
Get a List of All Login Attempts
GET /v2/accounts/{ACCOUNT_ID}/security/attempts
curl -v -X GET \
-H "X-Auth-Token: {AUTH_TOKEN}" \
http://{SERVER}:8000/v2/accounts/{ACCOUNT_ID}/security/attempts
Responses
{
"page_size": 1,
"data": [
{
"id": "201707-5e9c6dc29efb34d87c0a06e8f613b1fd",
"auth_type": "jwt_auth_token",
"auth_module": "cb_user_auth",
"status": "success",
"message": "authentication resulted in token creation",
"timestamp": 63667032239,
"client_ip": "10.1.0.2"
}
],
"timestamp": "{TIMESTAMP}",
"version": "{VERSION}",
"node": "{NODE_HASH}",
"request_id": "{REQUEST_ID}",
"status": "success",
"auth_token": "{AUTH_TOKEN}"
}
Get a Login Attempt Details
GET /v2/accounts/{ACCOUNT_ID}/security/attempts/{ATTEMPT_ID}
curl -v -X GET \
-H "X-Auth-Token: {AUTH_TOKEN}" \
http://{SERVER}:8000/v2/accounts/{ACCOUNT_ID}/security/attempts/201707-5e9c6dc29efb34d87c0a06e8f613b1fd
Responses
{
"data": {
"auth_type": "jwt_auth_token",
"status": "success",
"auth_module": "cb_user_auth",
"message": "authentication resulted in token creation",
"client_headers": {
"host": "10.1.0.2:8000",
"connection": "keep-alive",
"content-length": "82",
"accept": "application/json, text/javascript, */*; q=0.01",
"x-auth-token": "undefined",
"user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.61 Safari/537.36",
"origin": "http://127.0.0.1:3000",
"content-type": "application/json",
"dnt": "1",
"referer": "http://127.0.0.1:3000/",
"accept-encoding": "gzip, deflate",
"accept-language": "en-US,en;q=0.8"
},
"client_ip": "10.1.0.2",
"crossbar_request_id": "a6edc00018ebd9c7c991fbddf3677fcb",
"timestamp": 63667032239,
"metadata": {
"owner_id": "0528dc7bbbf94bcc5df7d74d808a4ec0",
"account_id": "6134cc9aa43ffaee3e3f0c9a84113d6e"
},
"id": "201707-5e9c6dc29efb34d87c0a06e8f613b1fd"
},
"timestamp": "{TIMESTAMP}",
"version": "{VERSION}",
"node": "{NODE_HASH}",
"request_id": "{REQUEST_ID}",
"status": "success",
"auth_token": "{AUTH_TOKEN}"
}