fix(oidc): remove MFA requirement on ZITADEL API based on user auth methods (#8069)

# Which Problems Are Solved Request to the ZITADEL API currently require multi factor authentication if the user has set up any second factor. However, the login UI will only prompt the user to check factors that are allowed by the login policy. This can lead to situations, where the user has set up a factor (e.g. some OTP) which was not allowed by the policy, therefore will not have to verify the factor, the ZITADEL API however will require the check since the user has set it up. # How the Problems Are Solved The requirement for multi factor authentication based on the user's authentication methods is removed when accessing the ZITADEL APIs. Those requests will only require MFA in case the login policy does so because of `requireMFA` or `requireMFAForLocalUsers`. # Additional Changes None. # Additional Context - a customer reached out to support - discussed internally - relates #7822 - backport to 2.53.x
2025-08-11 21:07:31 +00:00 · 2024-06-12 14:24:17 +02:00
parent fb95f4a8a2
commit fb2b1610f9
5 changed files with 5 additions and 122 deletions
--- a/internal/query/user_auth_method_test.go
+++ b/internal/query/user_auth_method_test.go
@@ -11,7 +11,6 @@ import (

 	sq "github.com/Masterminds/squirrel"

-	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
@@ -58,29 +57,16 @@ var (
 		"method_type",
 		"idps_count",
 	}
-	prepareAuthMethodTypesRequiredStmt = `SELECT projections.users12_notifications.password_set,` +
-		` auth_method_types.method_types,` +
-		` user_idps_count.count,` +
-		` projections.users12.type,` +
+	prepareAuthMethodTypesRequiredStmt = `SELECT projections.users12.type,` +
 		` auth_methods_force_mfa.force_mfa,` +
 		` auth_methods_force_mfa.force_mfa_local_only` +
 		` FROM projections.users12` +
-		` LEFT JOIN projections.users12_notifications ON projections.users12.id = projections.users12_notifications.user_id AND projections.users12.instance_id = projections.users12_notifications.instance_id` +
-		` LEFT JOIN (SELECT array_agg(DISTINCT(auth_method_types.method_type)) as method_types, auth_method_types.user_id, auth_method_types.instance_id FROM projections.user_auth_methods4 AS auth_method_types` +
-		` WHERE auth_method_types.state = $1 GROUP BY auth_method_types.instance_id, auth_method_types.user_id) AS auth_method_types` +
-		` ON auth_method_types.user_id = projections.users12.id AND auth_method_types.instance_id = projections.users12.instance_id` +
-		` LEFT JOIN (SELECT user_idps_count.user_id, user_idps_count.instance_id, COUNT(user_idps_count.user_id) AS count FROM projections.idp_user_links3 AS user_idps_count` +
-		` GROUP BY user_idps_count.user_id, user_idps_count.instance_id) AS user_idps_count` +
-		` ON user_idps_count.user_id = projections.users12.id AND user_idps_count.instance_id = projections.users12.instance_id` +
 		` LEFT JOIN (SELECT auth_methods_force_mfa.force_mfa, auth_methods_force_mfa.force_mfa_local_only, auth_methods_force_mfa.instance_id, auth_methods_force_mfa.aggregate_id, auth_methods_force_mfa.is_default FROM projections.login_policies5 AS auth_methods_force_mfa) AS auth_methods_force_mfa` +
 		` ON (auth_methods_force_mfa.aggregate_id = projections.users12.instance_id OR auth_methods_force_mfa.aggregate_id = projections.users12.resource_owner) AND auth_methods_force_mfa.instance_id = projections.users12.instance_id` +
 		` ORDER BY auth_methods_force_mfa.is_default LIMIT 1
 `
 	prepareAuthMethodTypesRequiredCols = []string{
-		"password_set",
 		"type",
-		"method_types",
-		"idps_count",
 		"force_mfa",
 		"force_mfa_local_only",
 	}
@@ -356,9 +342,6 @@ func Test_UserAuthMethodPrepares(t *testing.T) {
 					prepareAuthMethodTypesRequiredCols,
 					[][]driver.Value{
 						{
-							true,
-							database.NumberArray[domain.UserAuthMethodType]{domain.UserAuthMethodTypePasswordless},
-							1,
 							domain.UserTypeHuman,
 							true,
 							true,
@@ -367,12 +350,7 @@ func Test_UserAuthMethodPrepares(t *testing.T) {
 				),
 			},
 			object: &UserAuthMethodRequirements{
-				UserType: domain.UserTypeHuman,
-				AuthMethods: []domain.UserAuthMethodType{
-					domain.UserAuthMethodTypePasswordless,
-					domain.UserAuthMethodTypePassword,
-					domain.UserAuthMethodTypeIDP,
-				},
+				UserType:          domain.UserTypeHuman,
 				ForceMFA:          true,
 				ForceMFALocalOnly: true,
 			},
@@ -391,9 +369,6 @@ func Test_UserAuthMethodPrepares(t *testing.T) {
 					prepareAuthMethodTypesRequiredCols,
 					[][]driver.Value{
 						{
-							true,
-							database.NumberArray[domain.UserAuthMethodType]{domain.UserAuthMethodTypePasswordless, domain.UserAuthMethodTypeTOTP},
-							1,
 							domain.UserTypeHuman,
 							true,
 							true,
@@ -403,13 +378,7 @@ func Test_UserAuthMethodPrepares(t *testing.T) {
 			},

 			object: &UserAuthMethodRequirements{
-				UserType: domain.UserTypeHuman,
-				AuthMethods: []domain.UserAuthMethodType{
-					domain.UserAuthMethodTypePasswordless,
-					domain.UserAuthMethodTypeTOTP,
-					domain.UserAuthMethodTypePassword,
-					domain.UserAuthMethodTypeIDP,
-				},
+				UserType:          domain.UserTypeHuman,
 				ForceMFA:          true,
 				ForceMFALocalOnly: true,
 			},