Two-Factor Authentication with OAuth #12562
Comments
This is a very interesting problem 🤔 If you don't have a password, you can't confirm the password to enable 2FA. However, we wouldn't want people to allow enabling 2FA without making sure that they're really the current user. I'm wondering if there's some sort of way to "re-login" through the auth provider to confirm, or whether it would be enough to just skip the password check when the stored password = null (@aidenfoxx thoughts?)
@rijkvanzanten So we did discuss this issue around the time I was implementing modular auth, and there were a few issues that needed to be addressed at the time. Those were "How does one enable 2FA as an OAuth user?" and "How does one enter their 2FA code during SSO?". As a workaround for the first issue we left the ability for an OAuth user to set a regular Directus password against their account, and then they can use that to enable 2FA. The second issue you were planning to solve with a dedicated 2FA page when logging in. I believe that's implemented now, but I don't know if it works with the SSO flows? I think one solution would be when an SSO user tries to enable 2FA we say "You will be prompted to enable 2FA next time you log in" and then push them through the "require 2FA" flow that you can apply to user roles?
That's a great idea! Single solution that works for every means of authenticating / registering
I would say it's technically worse UX, but it feels more flexible and probably more maintainable if you apply it globally (as compared to having different 2FA flows for different drivers).
I like it though, since it would work similarly for both users with and without OAuth. One other thing about 2FA though: would it be possible to have an inactive timeout setting (think auto app lock), whereby an overlay locks the app and you would need to re-enter the 2FA code to continue? Currently the only expiry logs you out completely, which you only realise once the dashboard fails to load.
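The two flows the thread settles on (re-confirm a local password when one exists; otherwise defer enrolment to the next login, where the identity provider re-authenticates the user, and route everyone through the same post-authentication 2FA page) sketched as an added TypeScript example. This is illustrative code written for this page, not Directus's own implementation: the `User` fields (`provider`, `password`, `tfaSecret`, `tfaPendingEnrolment`), the function names and the scrypt password storage are all assumptions made so the example runs stand-alone.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';

// Hypothetical user record. Field names are assumptions for this example and are
// not Directus's schema: `password` is null for accounts created through an
// SSO/OAuth provider, and `tfaPendingEnrolment` stands in for the
// "require 2FA at next login" state proposed in the thread.
interface User {
  id: string;
  provider: 'default' | 'oauth';
  password: string | null;        // "salt:hash" of a local password, or null for SSO users
  tfaSecret: string | null;       // TOTP secret once 2FA is enabled
  tfaPendingEnrolment: boolean;   // set when an SSO user asked to enable 2FA
}

// scrypt-based password storage, included only so the example is self-contained.
function hashPassword(plain: string): string {
  const salt = randomBytes(16).toString('hex');
  const hash = scryptSync(plain, salt, 64).toString('hex');
  return `${salt}:${hash}`;
}

function verifyPassword(stored: string, plain: string): boolean {
  const [salt, hash] = stored.split(':');
  if (!salt || !hash) return false;
  const expected = Buffer.from(hash, 'hex');
  const actual = scryptSync(plain, salt, 64);
  // Constant-time comparison; lengths must match before timingSafeEqual is called.
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

type EnableResult =
  | { status: 'enabled' }
  | { status: 'deferred'; message: string }
  | { status: 'rejected'; reason: string };

// Handles "enable 2FA" for both account types. A local password is re-confirmed
// before the secret is stored. An SSO user without one is not silently let
// through: the account is flagged so enrolment happens right after the identity
// provider has re-authenticated them on the next login.
function requestEnableTwoFactor(user: User, suppliedPassword: string | null, newSecret: string): EnableResult {
  if (user.password !== null) {
    if (suppliedPassword === null || !verifyPassword(user.password, suppliedPassword)) {
      return { status: 'rejected', reason: 'password confirmation failed' };
    }
    user.tfaSecret = newSecret;
    return { status: 'enabled' };
  }
  user.tfaPendingEnrolment = true;
  return { status: 'deferred', message: 'You will be prompted to enable 2FA next time you log in' };
}

type LoginStep = 'complete' | 'verify_tfa' | 'enrol_tfa';

// Called after either the password check or the OAuth callback has authenticated
// the user, so one 2FA page serves every auth driver.
function nextStepAfterAuthentication(user: User): LoginStep {
  if (user.tfaSecret !== null) return 'verify_tfa';
  if (user.tfaPendingEnrolment) return 'enrol_tfa';
  return 'complete';
}

// Finishes enrolment on the 2FA page once the provider has authenticated the user.
function completeEnrolment(user: User, newSecret: string): void {
  user.tfaSecret = newSecret;
  user.tfaPendingEnrolment = false;
}
```

An OAuth user who has set a local Directus password (the workaround described above) takes the first branch and confirms that password; only accounts with no stored password are deferred, so the password check is never simply skipped.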
Linear: ENG-260
Preflight Checklist
Describe the Bug
When using OAuth to login, users are not able to enable 2FA due to the password prompt.
This stops users that have logged in with Auth0 without setting a password from setting up 2FA.
To Reproduce
Login using OAuth and try enabling 2FA
Errors Shown
No response
What version of Directus are you using?
9.8.0
What version of Node.js are you using?
16.4.0
What database are you using?
mysql 8
What browser are you using?
Chrome
What operating system are you using?
osx
How are you deploying Directus?
Locally & GCP