feat: allow to force MFA local only (#6234)

This PR adds an option to the LoginPolicy to "Force MFA for local users", so that users authenticated through an IDP must not configure (and verify) an MFA.
2025-08-11 21:27:42 +00:00 · 2023-07-20 06:06:16 +02:00
parent 1c3a15ff57
commit fed15574f6
49 changed files with 488 additions and 94 deletions
--- a/internal/domain/user.go
+++ b/internal/domain/user.go
@@ -85,6 +85,16 @@ func HasMFA(methods []UserAuthMethodType) bool {
 	return factors > 1
 }

+// RequiresMFA checks whether the user requires to authenticate with multiple auth factors based on the LoginPolicy and the authentication type.
+// Internal authentication will require MFA if either option is activated.
+// External authentication will only require MFA if it's forced generally and not local only.
+func RequiresMFA(forceMFA, forceMFALocalOnly, isInternalLogin bool) bool {
+	if isInternalLogin {
+		return forceMFA || forceMFALocalOnly
+	}
+	return forceMFA && !forceMFALocalOnly
+}
+
 type PersonalAccessTokenState int32

 const (