feat: mfa policy (#913)

* feat: add mfa to login policy * feat: add mfa to login policy * feat: add mfa to login policy * feat: add mfa to login policy * feat: add mfa to login policy on org * feat: add mfa to login policy on org * feat: append events on policy views * feat: iam login policy mfa definition * feat: login policies on orgs * feat: configured mfas in login process * feat: configured mfas in login process * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: rename software and hardware mfas * fix: pr requests * fix user mfa * fix: test * fix: oidc version * fix: oidc version * fix: proto gen Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Max Peintner <max@caos.ch>
2025-11-16 07:03:58 +00:00 · 2020-11-04 11:26:10 +01:00
parent 51417be35d
commit 202aae4954
76 changed files with 12913 additions and 5614 deletions
--- a/pkg/grpc/admin/proto/admin.proto
+++ b/pkg/grpc/admin/proto/admin.proto
@@ -416,6 +416,68 @@ service AdminService {
        };
    }

+    rpc GetDefaultLoginPolicySecondFactors(google.protobuf.Empty) returns (SecondFactorsResult) {
+        option (google.api.http) = {
+            get: "/policies/login/secondfactors/_search"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+
+    rpc AddSecondFactorToDefaultLoginPolicy(SecondFactor) returns (SecondFactor) {
+        option (google.api.http) = {
+            post: "/policies/login/secondfactors"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc RemoveSecondFactorFromDefaultLoginPolicy(SecondFactor) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+            delete: "/policies/login/secondfactors/{second_factor}"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc GetDefaultLoginPolicyMultiFactors(google.protobuf.Empty) returns (MultiFactorsResult) {
+        option (google.api.http) = {
+            get: "/policies/login/multifactors/_search"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+
+    rpc AddMultiFactorToDefaultLoginPolicy(MultiFactor) returns (MultiFactor) {
+        option (google.api.http) = {
+            post: "/policies/login/multifactors"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc RemoveMultiFactorFromDefaultLoginPolicy(MultiFactor) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+            delete: "/policies/login/multifactors/{multi_factor}"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
    rpc GetDefaultPasswordComplexityPolicy(google.protobuf.Empty) returns (DefaultPasswordComplexityPolicyView) {
        option (google.api.http) = {
            get: "/policies/password/complexity"
@@ -949,12 +1011,14 @@ message DefaultLoginPolicy {
    bool allow_external_idp = 3;
    google.protobuf.Timestamp creation_date = 4;
    google.protobuf.Timestamp change_date = 5;
+    bool force_mfa = 6;
 }

 message DefaultLoginPolicyRequest {
    bool allow_username_password = 1;
    bool allow_register = 2;
    bool allow_external_idp = 3;
+    bool force_mfa = 4;
 }

 message IdpProviderID {
@@ -967,6 +1031,7 @@ message DefaultLoginPolicyView {
    bool allow_external_idp = 3;
    google.protobuf.Timestamp creation_date = 4;
    google.protobuf.Timestamp change_date = 5;
+    bool force_mfa = 6;
 }

 message IdpProviderView {
@@ -995,6 +1060,33 @@ message IdpProviderSearchRequest {
    uint64 limit = 2;
 }

+message SecondFactorsResult {
+    repeated SecondFactorType second_factors = 1;
+}
+
+message SecondFactor {
+    SecondFactorType second_factor = 1;
+}
+
+enum SecondFactorType {
+    SECONDFACTORTYPE_UNSPECIFIED = 0;
+    SECONDFACTORTYPE_OTP = 1;
+    SECONDFACTORTYPE_U2F = 2;
+}
+
+message MultiFactorsResult {
+    repeated MultiFactorType multi_factors = 1;
+}
+
+message MultiFactor {
+    MultiFactorType multi_factor = 1;
+}
+
+enum MultiFactorType {
+    MULTIFACTORTYPE_UNSPECIFIED = 0;
+    MULTIFACTORTYPE_U2F_WITH_PIN = 1;
+}
+
 message DefaultPasswordComplexityPolicy {
    uint64 min_length = 1;
    bool has_uppercase = 2;