Fix MFA for OAuth2 only accounts #8245

Merged
merged 1 commit into from
Jun 8, 2024

stnguyen90
Contributor

What does this PR do?

Before this, users who only signed in with OAuth2 were not able to verify their sessions with MFA because their session already used an email factor and they couldn't use an additional email factor.

This commit changes the OAuth2 session to include 2 factors: email and oauth2. This second special factor is used to bypass MFA checks. It is fine to bypass MFA checks because OAuth2 is supposed to handle the entire authentication process, verifying who the user is and we, as the resource provider, only need to trust the OAuth2 provider.

Fixes #8211

Test Plan

Enabled MFA and confirmed I was able to log in via GitHub only.

Screen.Recording.2024-06-07.at.4.39.31.PM.mov

Related PRs and Issues

Checklist

  • Have you read the Contributing Guidelines on issues?
  • If the PR includes a change to an API's metadata (desc, label, params, etc.), does it also include updated API specs and example docs?

Before this, users who only signed in with OAuth2 were not able to
verify their sessions with MFA because their session already used an
email factor and they couldn't use an additional email factor.

This commit changes the OAuth2 session to include 2 factors: email and
oauth2. This second special factor is used to bypass MFA checks. It is
fine to bypass MFA checks because OAuth2 is supposed to handle the
entire authentication process, verifying who the user is and we, as the
resource provider, only need to trust the OAuth2 provider.
@stnguyen90 stnguyen90 marked this pull request as ready for review June 8, 2024 00:33
@stnguyen90 stnguyen90 linked an issue Jun 8, 2024 that may be closed by this pull request
2 tasks
@stnguyen90 stnguyen90 merged commit 4a168f6 into 1.5.x Jun 8, 2024
23 checks passed
@stnguyen90 stnguyen90 deleted the fix-oauth2-mfa branch June 8, 2024 01:11
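
A simplified model of the session-factor behaviour the PR description explains, added here as an illustration and not taken from the project's code. Only the `email` and `oauth2` factor names come from the PR text; the `User` and `Session` types, the `totp` factor, and the rule that two distinct factors verify a session are assumptions.

```python
from dataclasses import dataclass, field

EMAIL = "email"
OAUTH2 = "oauth2"  # the special factor the PR adds to OAuth2 sessions


@dataclass
class User:
    mfa_enabled: bool
    enrolled: set  # factors the user can be challenged with (assumed model)


@dataclass
class Session:
    factors: list = field(default_factory=list)


def create_oauth2_session(patched: bool) -> Session:
    """Before the change the session held only 'email'; after, 'email' and 'oauth2'."""
    return Session([EMAIL, OAUTH2] if patched else [EMAIL])


def available_challenges(user: User, session: Session) -> list:
    """Enrolled factors not already used by the session."""
    return sorted(user.enrolled - set(session.factors))


def mfa_state(user: User, session: Session) -> str:
    """Return 'verified', 'challenge' or 'locked_out' for this session."""
    if not user.mfa_enabled:
        return "verified"
    if OAUTH2 in session.factors:
        return "verified"  # bypass: the OAuth2 provider is trusted
    if len(set(session.factors)) >= 2:
        return "verified"  # assumed rule: two distinct factors
    return "challenge" if available_challenges(user, session) else "locked_out"


def mfa_bypassed(user: User, session: Session) -> bool:
    """True when an MFA-enabled user was verified by the oauth2 factor alone.

    Worth recording in audit logs: for these sessions the strength of
    authentication is whatever the OAuth2 provider enforced.
    """
    return user.mfa_enabled and OAUTH2 in session.factors
```

In this model an MFA-enabled user with only `email` enrolled has no challenge left before the change, and after it every OAuth2 session is verified without a local challenge, including for users who enrolled a further factor.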
Development

Successfully merging this pull request may close these issues.

🐛 Bug Report: Unable to verify identity
2 participants