Add ability to force MFA on OIDC Logins #971
Open
This PR implements the ability to force users logging in through OIDC to have multi-factor authentication enabled. It does this by looking at the `amr` claim provided by the IDP. This claim must contain the `mfa` value. Make sure that the IDP returns the `amr` claim correctly, otherwise authentication will fail.

Two new env vars have been added:

- `GRIST_OIDC_SP_FORCE_MFA`: If set to `"true"`, the user will be forced to have multi-factor authentication enabled.
- This is needed when `GRIST_OIDC_SP_FORCE_MFA` is set to `true`. Enter the URL where the user will be able to configure multi-factor authentication on their account. This will be shown in the UI if the user does not have MFA enabled.
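The `amr` gate described above, as an added example that is not the PR's own code: it reads the claim defensively (missing, malformed, or single-string values never satisfy the check), denies the login when `mfa` is absent, and surfaces the configuration URL for the error page. Type and function names, and the placeholder name for the second env var, are assumptions.

```typescript
// Added example, not code from the PR: models the `amr`-based MFA gate the
// PR describes. Type and function names are assumptions.
type Claims = Record<string, unknown>;

interface MfaPolicy {
  forceMfa: boolean;          // from GRIST_OIDC_SP_FORCE_MFA === "true"
  configureMfaUrl?: string;   // URL where the user can enable MFA (optional)
}
interface MfaDecision {
  allowed: boolean;
  reason?: string;            // message to show on the error page when denied
}

// Read the `amr` claim defensively. OIDC Core defines it as a JSON array of
// strings, but an IdP may omit it or send a single string; anything else is
// treated as absent so a malformed claim can never satisfy the check.
function parseAmr(claims: Claims): string[] | undefined {
  const raw = claims["amr"];
  if (Array.isArray(raw)) {
    return raw.filter((v): v is string => typeof v === "string");
  }
  if (typeof raw === "string") return [raw];
  return undefined;
}

// The gate: with forceMfa off, every login passes; with it on, the ID token
// must carry an `amr` claim that includes the value "mfa".
function checkMfa(claims: Claims, policy: MfaPolicy): MfaDecision {
  if (!policy.forceMfa) return {allowed: true};
  const amr = parseAmr(claims);
  if (amr === undefined) {
    return {allowed: false, reason: "IdP did not return an amr claim, so MFA cannot be verified"};
  }
  if (!amr.includes("mfa")) {
    const hint = policy.configureMfaUrl ? ` Enable it at ${policy.configureMfaUrl}` : "";
    return {allowed: false, reason: `Multi-factor authentication is required.${hint}`};
  }
  return {allowed: true};
}

// Build the policy from the environment. The PR names GRIST_OIDC_SP_FORCE_MFA;
// the second variable's name is not on this page, so a placeholder is used.
const MFA_URL_ENV_PLACEHOLDER = "PLACEHOLDER_MFA_CONFIGURE_URL_VAR";
function policyFromEnv(env: Record<string, string | undefined>): MfaPolicy {
  return {
    forceMfa: env["GRIST_OIDC_SP_FORCE_MFA"] === "true",
    configureMfaUrl: env[MFA_URL_ENV_PLACEHOLDER],
  };
}
```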
How to test:

Using Keycloak, it's fairly hard to add the `amr` claim, but Zitadel returns it by default. To test, create a new account on their cloud offering, hook it up to Grist and set `GRIST_OIDC_SP_FORCE_MFA` to `true`. Log in without MFA enabled and get an error page.