Disable 2FA options in Gitlab

Since this Gitlab instance only accepts logins via SSO from Keycloak there is no point in Gitlab prompting for (or even allowing) adding 2FA to Gitlab accounts. That's only going to confuse and confiscate things.

(I did this once for a Gitlab instance that uses LDAP signin only and just checked it, it's still disabled so I think it's still possible. I'll try to dig up what I did and report back.)

assigned to @alerque

Ug. It looks like my solution was an ugly patch to remove the relevant places this shows up in the UI from the output templates. I don't think I'd suggest doing that in this case.

There is a (3+ year old) feature request to add this upstream. There is also a mr which does add the feature, but it doesn't look like it ever got integrated. It was closed by a bot in the repository shuffle without ever being merged. Not quite the same featur, but a related option did get added in 12.3 (docs). That should probably be configured on this instance if it isn't already.

Is the GitLab 2FA used anywhere else besides login? I can see a use for it when it would ask for 2FA for certain actions, like deleting a repo or something (it's not asking for that, I checked).

There are a lot of feature requests open upstream for 2FA to be used as a confirmation for various actions, but to my knowledge it is not yet used anywhere besides initial login.

Upstream issue: https://gitlab.com/gitlab-org/gitlab/-/issues/16952

We should probably also look into if we can disable the password edit page, upstream issue: https://gitlab.com/gitlab-org/gitlab/-/issues/17298

@klausenbusk Passwords are a slightly different issue (although related) because they can be used for something Keycloak does not enable: namely authenticated git over HTTPS access to repositories. Unfortunately the current setup process where even Keycloak authenticated user accounts are prompted to setup a Gitlab password if they want to push/pull via https is actually useful in a way that enabling 2FA is no. It may be possible to setup user tokens to enable that feature and forgo passwords on Gitlab accounts, but I need to check on that. Last I checked it was not possible but that was quite a few major versions ago.

It may be possible to setup user tokens to enable that feature and forgo passwords on Gitlab accounts, but I need to check on that. Last I checked it was not possible but that was quite a few major versions ago.

It seems to be possible: https://gitlab.archlinux.org/profile/personal_access_tokens

mentioned in issue #39 (closed)

added hinthelp-wanted scopeenhancement labels

Status update: nothing to report. My old hacks involving patching it out of the UI are obsolete, and the upstream project still hasn't addressed this.

The issue is still valid: it would be really nice to disable this.