Merge pull request #1 from apache/humbedooh/2fa-guess Guesstimate 2FA status for OIDC logins

commit: 541d46ce08b5ff49c5dd464c4f6df83cb715a2a1 [log] [tgz]
author: fluxo <clambertus@users.noreply.github.com> Mon Mar 04 11:16:54 2024 -0800
committer: GitHub <noreply@github.com> Mon Mar 04 11:16:54 2024 -0800
tree: 229ef7c92af341457c0aff5814a322ce6cdfbe23
parent: e1e1d9a55d7b80fc2662ebec7e9c32271d466ac3 [diff]
parent: cc0b9126d2b8fe13dcca5bd4a114fa54670acb60 [diff]
diff --git a/app/endpoints/oauth.py b/app/endpoints/oauth.py
index 9177669..49466c9 100644
--- a/app/endpoints/oauth.py
+++ b/app/endpoints/oauth.py

@@ -152,6 +152,12 @@
             details = await committer.verify()
             if details:
                 details["provider"] = "oidc"  # Distinguish between old oauth and OIDC-backed (2FA etc)
+                # Some services require 2FA. Our OIDC workflows will always use 2FA if set up, though they may skip
+                # it if not set up by the user. There is no way for the oauth backend to know if 2FA is enabled 
+                # in the workflow, but since these apps need to know, we have to make an educated guess.
+                # Currently, no in-production app make use of the 2FA requirement, but we do have services in 
+                # development that do.
+                details["mfa"] = True  # TODO: Discuss (100%) enforcement of 2FA on keycloak
                 states[oidc_state]["credentials"] = details
                 states[oidc_state]["timestamp"] = time.time()  # Set so we can check expiry of state
                 url = make_redirect_url(states[oidc_state]["redirect_uri"], code=oidc_state)
commit	541d46ce08b5ff49c5dd464c4f6df83cb715a2a1	[log] [tgz]
author	fluxo <clambertus@users.noreply.github.com>	Mon Mar 04 11:16:54 2024 -0800
committer	GitHub <noreply@github.com>	Mon Mar 04 11:16:54 2024 -0800
tree	229ef7c92af341457c0aff5814a322ce6cdfbe23
parent	e1e1d9a55d7b80fc2662ebec7e9c32271d466ac3 [diff]
parent	cc0b9126d2b8fe13dcca5bd4a114fa54670acb60 [diff]