Two-Factor Authentication with OAuth #12562

u12206050 opened this issue Apr 4, 2022 · 6 comments

@u12206050
Contributor

Preflight Checklist

Describe the Bug

When using OAuth to login, users are not able to enable 2FA due to the password prompt.
[Screenshot 2022-04-04 at 13:49:33]

This stops users who have logged in with Auth0 without setting a password from setting up 2FA.

To Reproduce

Log in using OAuth and try enabling 2FA.

Errors Shown

No response

What version of Directus are you using?

9.8.0

What version of Node.js are you using?

16.4.0

What database are you using?

mysql 8

What browser are you using?

Chrome

What operating system are you using?

osx

How are you deploying Directus?

Locally & GCP

@rijkvanzanten
Member

This is a very interesting problem 🤔 If you don't have a password, you can't confirm the password to enable 2FA. However, we wouldn't want to allow people to enable 2FA without making sure that they're really the current user. I'm wondering if there's some sort of way to "re-login" through the auth provider to confirm, or whether it would be enough to just skip the password check when the stored password = null (@aidenfoxx thoughts?)

@aidenfoxx
Contributor

@rijkvanzanten So we did discuss this issue around the time I was implementing modular auth, and there were a few issues that needed to be addressed at the time. Those were "How does one enable 2FA as an OAuth user?" and "How does one enter their 2FA code during SSO?".

As a workaround for the first issue we left the ability for an OAuth user to set a regular Directus password against their account, and then they can use that to enable 2FA.

The second issue you were planning to solve with a dedicated 2FA page when logging in. I believe that's implemented now, but I don't know if it works with the SSO flows?

I think one solution would be when an SSO user tries to enable 2FA we say "You will be prompted to enable 2FA next time you log in" and then push them through the "require 2FA" flow that you can apply to user roles?

@rijkvanzanten
Member

I think one solution would be when an SSO user tries to enable 2FA we say "You will be prompted to enable 2FA next time you log in" and then push them through the "require 2FA" flow that you can apply to user roles?

That's a great idea! Single solution that works for every means of authenticating / registering

@aidenfoxx
Contributor

aidenfoxx commented Apr 4, 2022

I would say it's technically worse UX, but it feels more flexible and probably more maintainable if you apply it globally (as compared to having different 2FA flows for different drivers).

@u12206050
Contributor Author

I like it though, since it would work similarly for users both with and without OAuth.

One other thing about 2FA though: would it be possible to have an inactive timeout setting (think auto app lock), whereby an overlay locks the app and you would need to re-enter the 2FA code to continue?

Currently the only expiry logs you out completely, which you only realise once the dashboard fails to load.

@licitdev mentioned this issue Nov 1, 2022
@rijkvanzanten
Member

Linear: ENG-260

Status: 📋 Backlog