OaAuthMethodStandard extend for second Password

4 posts • Page 1 of 1
name024
Posts:4
Joined: Fri Oct 25, 2019 12:43 pm

OaAuthMethodStandard extend for second Password

Post by name024 »

We are using the "OaAuthMethodStandard" for authentication in WinCC OA 3.18 Patch16. Now we want to extend the standard authentication so every user can have two passwords. The second password comes from a Company-Identification-Card reader.

At first it seemed to be a simple job: let the user input the name and let the card reader input the UID in the password field.

For login (if the UID is correct), simply call:

m_loginFrameworkController.startLogin();

To use the default Login-Button, I extended the “OaAuthMethodStandard” class so the second password is checked correctly in the methods “isUserVerified()” and “checkUserPassword()”.

In QuickTest everything works fine, but in ULC UX it doesn't. After some debugging, I figured out:
  • The QuickTest is always started with the user which started the gedi (in my case “root”).
  • The UlcUx is always started with the default user.
  • The start-login button calls “m_loginFrameworkController.startLogin();”, which calls “m_ui.setUiUser()” (class “OaAuthUI”), which contains the statement “return setUserId(m_user.getId(), m_user.getPassword());”. This statement fails. The statement is called with the card UID as password.
The main problem is that “setUserId()” checks the password against the default user management. It seems not to be using the customized class “OaAuthMethodStandard” for the password check.
I've tried to find a solution / workaround for this problem, but didn't find a good one … here are some of my thoughts:
  • Read the user PW from the DPE and use the PW for the setUserId() method. => Not working, because OA saves the user password as a PBKDF2 hash. These hashes are not reversible to the cleartext password (or I couldn't find a solution for this on the web).
  • Log in as root in control before logging in as the target user. This requires hardcoding the root password in the login panel. Shitty solution.
  • Log in as a “Login-Helper-User” which is allowed to use the “setUserId()” statement without a password, but not allowed to log in to the UI. Not working, because only root is allowed to do so.
  • Debug the statement “setUserId()” and look what's happening. Not working, because the WinCC OA debugger jumps over the statement (WinCC OA standard command).
  • Try to write my own “OaAuthMethodUserdefined” class. Not working, same problem with “setUserId”.
Does anyone have a working solution or tips to get this working?

kilianvp
Posts:443
Joined: Fri Jan 16, 2015 10:29 am

Re: OaAuthMethodStandard extend for second Password

Post by kilianvp »

Yes, encrypt the user password with aes256Encrypt and store it.
Link the user id, encrypted password and UID together.
If someone uses the card you can use aes256Decrypt and use setUserId with the password to log in.

//Edit
If the user is using the card for Windows login, it is better to use SSO.

gschijndel
Posts:376
Joined: Tue Jan 15, 2019 3:12 pm

Re: OaAuthMethodStandard extend for second Password

Post by gschijndel »

I would not call the card id a password, but an external id.

The card id is already linked to the user id, so I do not see why the user has to enter their user name.

It does not sound like a secure solution, so I would suggest to make a 2FA from it.
The user has to enter the password and present the card.

name024
Posts:4
Joined: Fri Oct 25, 2019 12:43 pm

Re: OaAuthMethodStandard extend for second Password

Post by name024 »

Not every client station has a card reader. The goal is a fast login via company card. The card isn't used for SSO. Also, some clients are not in the company domain, so SSO isn't really an option.

I think kilianvp's solution is the way to go, even if I must duplicate the PW data (once in the WinCC OA standard user management and once as reversible AES).

Thanks everyone for reply / feedback.
