feat: allow to force MFA local only (#6234)

This PR adds an option to the LoginPolicy to "Force MFA for local users", so that users authenticated through an IDP are not required to configure (and verify) an MFA.
Livio Spring
2023-07-20 06:06:16 +02:00
committed by GitHub
parent 1c3a15ff57
commit fed15574f6
49 changed files with 488 additions and 94 deletions


@@ -24,6 +24,7 @@ type LoginPolicyAddedEvent struct {
AllowRegister bool `json:"allowRegister,omitempty"`
AllowExternalIDP bool `json:"allowExternalIdp,omitempty"`
ForceMFA bool `json:"forceMFA,omitempty"`
ForceMFALocalOnly bool `json:"forceMFALocalOnly,omitempty"`
HidePasswordReset bool `json:"hidePasswordReset,omitempty"`
IgnoreUnknownUsernames bool `json:"ignoreUnknownUsernames,omitempty"`
AllowDomainDiscovery bool `json:"allowDomainDiscovery,omitempty"`
@@ -52,6 +53,7 @@ func NewLoginPolicyAddedEvent(
allowRegister,
allowExternalIDP,
forceMFA,
forceMFALocalOnly,
hidePasswordReset,
ignoreUnknownUsernames,
allowDomainDiscovery,
@@ -71,6 +73,7 @@ func NewLoginPolicyAddedEvent(
AllowRegister: allowRegister,
AllowUserNamePassword: allowUserNamePassword,
ForceMFA: forceMFA,
ForceMFALocalOnly: forceMFALocalOnly,
PasswordlessType: passwordlessType,
HidePasswordReset: hidePasswordReset,
IgnoreUnknownUsernames: ignoreUnknownUsernames,
@@ -106,6 +109,7 @@ type LoginPolicyChangedEvent struct {
AllowRegister *bool `json:"allowRegister,omitempty"`
AllowExternalIDP *bool `json:"allowExternalIdp,omitempty"`
ForceMFA *bool `json:"forceMFA,omitempty"`
ForceMFALocalOnly *bool `json:"forceMFALocalOnly,omitempty"`
HidePasswordReset *bool `json:"hidePasswordReset,omitempty"`
IgnoreUnknownUsernames *bool `json:"ignoreUnknownUsernames,omitempty"`
AllowDomainDiscovery *bool `json:"allowDomainDiscovery,omitempty"`
@@ -170,6 +174,12 @@ func ChangeForceMFA(forceMFA bool) func(*LoginPolicyChangedEvent) {
}
}
func ChangeForceMFALocalOnly(forceMFALocalOnly bool) func(*LoginPolicyChangedEvent) {
return func(e *LoginPolicyChangedEvent) {
e.ForceMFALocalOnly = &forceMFALocalOnly
}
}
func ChangePasswordlessType(passwordlessType domain.PasswordlessType) func(*LoginPolicyChangedEvent) {
return func(e *LoginPolicyChangedEvent) {
e.PasswordlessType = &passwordlessType
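Review bot: `forceMFALocalOnly` is inserted into the parameter list of `NewLoginPolicyAddedEvent` between `forceMFA` and `hidePasswordReset`, in what appears to be a run of positional parameters sharing one type, so a call site that passes the two MFA flags in the wrong order would still compile and silently change who must set up a second factor. The signature's types and the call sites are outside this section, so a test that builds the event with `forceMFA=true, forceMFALocalOnly=false` and asserts both fields would confirm the mapping. The new struct fields and `ChangeForceMFALocalOnly` also carry no comment saying what the flag relaxes; I would add `// ForceMFALocalOnly restricts ForceMFA to locally authenticated users; users coming from an external IDP are not asked to set up MFA.` on both fields. Whether the flag has any effect while `ForceMFA` is false is not visible here and should be stated in the same comment.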