tf/keycloak: add "Configure OTP" to default actions
When signing into GitLab, opting to create a new Keycloak account results in being able to sign into GitLab without setting up OTP.
Since any subsequent login will require configuring OTP, it seems well-advised to prompt for it as part of the registration process.
requested review from @svenstaro, @anthraxx, @klausenbusk, and @jelle
assigned to @foutrelis
unassigned @foutrelis
Just occurred to me... does this ruin WebAuthn?
Edit: Seems that before this MR you can set up WebAuthn without having regular OTP configured. But this is only right after registering and confirming your email (you are automatically logged in without 2FA). Following logins force setting up OTP so you can't configure just WebAuthn. This MR makes it so OTP setup is required right after registering (and before being able to sign into GitLab).
Would be nice to know why the one-time no-2FA login happens though.
Edited by Evangelos Foutras
Resolved by Evangelos Foutras
Is this already live? Please don't fiddle with the live system's auth flow like this; if it is live, please revert it and keep registration closed.
As said, this has more pitfalls than one would assume. Let's test proposals in staging with at least 2-3 people, mostly those who have already excessively tested this, like @svenstaro and @anthraxx.
@anthraxx We can't keep registrations closed indefinitely. Please either approve this MR, which adds configure_otp as a required action, or propose a better alternative. The end goal is to avoid having people go from sign-up -> email confirmation -> logged into GitLab. I'm not sure how much of a deterrent configuring OTP will be to spammers, but it's worth a try.
Resolved by Evangelos Foutras
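The change discussed above (making "Configure OTP" a default required action so that OTP enrolment happens right after registration, before the first sign-in to GitLab), written as a Terraform fragment. This is an added illustration, not the MR's own diff: it assumes the realm is managed with the community Keycloak Terraform provider (resource type keycloak_required_action) and that the realm resource is named keycloak_realm.main; Keycloak's built-in alias for this action is CONFIGURE_TOTP.

```hcl
# Added illustration for this MR discussion, not the MR's own diff.
# Assumptions: the community Keycloak Terraform provider is in use
# (resource type keycloak_required_action) and the realm resource is
# named keycloak_realm.main.
resource "keycloak_required_action" "configure_otp" {
  realm_id = keycloak_realm.main.realm

  # Keycloak's built-in alias for the "Configure OTP" required action.
  alias   = "CONFIGURE_TOTP"
  name    = "Configure OTP"
  enabled = true

  # This is the change under review. With default_action = true the
  # action is attached to every newly registered account, so the user
  # must enrol an OTP device before the post-registration session can
  # be used to sign into GitLab. With default_action = false (the
  # previous state) nothing attaches the action at registration, which
  # is the sign-up -> email confirmation -> logged in path the MR
  # description reports.
  default_action = true
}
```

The realm's browser authentication flow is unchanged by this resource; it only controls which required actions a brand-new account starts with.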
I'm generally approving this idea but it needs testing to see whether we can somehow trick this. I did this with @anthraxx once before and we need to do it again and try to break it. Last time we broke it quite severely without even trying too hard. Keycloak is a fickle beast.
added 153 commits
- 68f8a346...b70fc3cf - 152 commits from branch master
- 55f20a14 - tf/keycloak: add "Configure OTP" to default actions
mentioned in commit d6722ad8