feat: allow to force MFA local only (#6234)

This PR adds an option to the LoginPolicy to "Force MFA for local users", so that users authenticated through an IDP must not configure (and verify) an MFA.
2025-08-12 07:57:32 +00:00 · 2023-07-20 06:06:16 +02:00
parent 1c3a15ff57
commit fed15574f6
49 changed files with 488 additions and 94 deletions
--- a/internal/api/grpc/admin/export.go
+++ b/internal/api/grpc/admin/export.go
@@ -430,6 +430,7 @@ func (s *Server) getLoginPolicy(ctx context.Context, orgID string, orgIDPs []str
 			AllowRegister:              queriedLogin.AllowRegister,
 			AllowExternalIdp:           queriedLogin.AllowExternalIDPs,
 			ForceMfa:                   queriedLogin.ForceMFA,
+			ForceMfaLocalOnly:          queriedLogin.ForceMFALocalOnly,
 			PasswordlessType:           policy_pb.PasswordlessType(queriedLogin.PasswordlessType),
 			HidePasswordReset:          queriedLogin.HidePasswordReset,
 			IgnoreUnknownUsernames:     queriedLogin.IgnoreUnknownUsernames,
--- a/internal/api/grpc/admin/login_policy_converter.go
+++ b/internal/api/grpc/admin/login_policy_converter.go
@@ -14,6 +14,7 @@ func updateLoginPolicyToCommand(p *admin_pb.UpdateLoginPolicyRequest) *command.C
 		AllowRegister:              p.AllowRegister,
 		AllowExternalIDP:           p.AllowExternalIdp,
 		ForceMFA:                   p.ForceMfa,
+		ForceMFALocalOnly:          p.ForceMfaLocalOnly,
 		PasswordlessType:           policy_grpc.PasswordlessTypeToDomain(p.PasswordlessType),
 		HidePasswordReset:          p.HidePasswordReset,
 		IgnoreUnknownUsernames:     p.IgnoreUnknownUsernames,
--- a/internal/api/grpc/management/policy_login_converter.go
+++ b/internal/api/grpc/management/policy_login_converter.go
@@ -15,6 +15,7 @@ func AddLoginPolicyToCommand(p *mgmt_pb.AddCustomLoginPolicyRequest) *command.Ad
 		AllowRegister:              p.AllowRegister,
 		AllowExternalIDP:           p.AllowExternalIdp,
 		ForceMFA:                   p.ForceMfa,
+		ForceMFALocalOnly:          p.ForceMfaLocalOnly,
 		PasswordlessType:           policy_grpc.PasswordlessTypeToDomain(p.PasswordlessType),
 		HidePasswordReset:          p.HidePasswordReset,
 		IgnoreUnknownUsernames:     p.IgnoreUnknownUsernames,
@@ -49,6 +50,7 @@ func updateLoginPolicyToCommand(p *mgmt_pb.UpdateCustomLoginPolicyRequest) *comm
 		AllowRegister:              p.AllowRegister,
 		AllowExternalIDP:           p.AllowExternalIdp,
 		ForceMFA:                   p.ForceMfa,
+		ForceMFALocalOnly:          p.ForceMfaLocalOnly,
 		PasswordlessType:           policy_grpc.PasswordlessTypeToDomain(p.PasswordlessType),
 		HidePasswordReset:          p.HidePasswordReset,
 		IgnoreUnknownUsernames:     p.IgnoreUnknownUsernames,
--- a/internal/api/grpc/policy/login_policy.go
+++ b/internal/api/grpc/policy/login_policy.go
@@ -18,6 +18,7 @@ func ModelLoginPolicyToPb(policy *query.LoginPolicy) *policy_pb.LoginPolicy {
 		AllowRegister:              policy.AllowRegister,
 		AllowExternalIdp:           policy.AllowExternalIDPs,
 		ForceMfa:                   policy.ForceMFA,
+		ForceMfaLocalOnly:          policy.ForceMFALocalOnly,
 		PasswordlessType:           ModelPasswordlessTypeToPb(policy.PasswordlessType),
 		HidePasswordReset:          policy.HidePasswordReset,
 		IgnoreUnknownUsernames:     policy.IgnoreUnknownUsernames,
--- a/internal/api/grpc/settings/v2/settings_converter.go
+++ b/internal/api/grpc/settings/v2/settings_converter.go
@@ -8,7 +8,6 @@ import (
 	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2alpha"
 )

-// TODO: ?
 func loginSettingsToPb(current *query.LoginPolicy) *settings.LoginSettings {
 	multi := make([]settings.MultiFactorType, len(current.MultiFactors))
 	for i, typ := range current.MultiFactors {
@@ -24,6 +23,7 @@ func loginSettingsToPb(current *query.LoginPolicy) *settings.LoginSettings {
 		AllowRegister:              current.AllowRegister,
 		AllowExternalIdp:           current.AllowExternalIDPs,
 		ForceMfa:                   current.ForceMFA,
+		ForceMfaLocalOnly:          current.ForceMFALocalOnly,
 		PasskeysType:               passkeysTypeToPb(current.PasswordlessType),
 		HidePasswordReset:          current.HidePasswordReset,
 		IgnoreUnknownUsernames:     current.IgnoreUnknownUsernames,
--- a/internal/api/grpc/settings/v2/settings_converter_test.go
+++ b/internal/api/grpc/settings/v2/settings_converter_test.go
@@ -25,6 +25,7 @@ func Test_loginSettingsToPb(t *testing.T) {
 		AllowRegister:              true,
 		AllowExternalIDPs:          true,
 		ForceMFA:                   true,
+		ForceMFALocalOnly:          true,
 		PasswordlessType:           domain.PasswordlessTypeAllowed,
 		HidePasswordReset:          true,
 		IgnoreUnknownUsernames:     true,
@@ -52,6 +53,7 @@ func Test_loginSettingsToPb(t *testing.T) {
 		AllowRegister:              true,
 		AllowExternalIdp:           true,
 		ForceMfa:                   true,
+		ForceMfaLocalOnly:          true,
 		PasskeysType:               settings.PasskeysType_PASSKEYS_TYPE_ALLOWED,
 		HidePasswordReset:          true,
 		IgnoreUnknownUsernames:     true,