Draft: MR approval option "Require user password to approve" should ask for MFA
requested to merge 223765-mr-approval-option-require-user-password-to-approve-should-ask-for-mfa into master
What does this MR do?
This MR adds support for users who authenticate via MFA to re-authenticate through their provider when approving merge requests
See CFR Part 11 compliance for digitally signed change requests. Specifically, this.
This is a requirement to use GitLab for documentation control in GXP software.
- Check if current user has
allow_password_authentication_for_web?enabled- If so, when the approval modal displays it will allow the user to enter a password
- Check if current user has
enabled_button_based_providers- If so, when the approval modal displays it will allow the user to authenticate with any of the providers listed
- When the user selects a provider to authenticate with,
POST users/auth/{provider}with the MR attached as a query parameter- Use the existence of the query parameter to route to the merge request approval endpoint after the {provider}#callback succeeds
- Once the
POST {group}/{project}/merge_requests/{merge_request_id}/approvalssucceeds, re-route the user back to the merge request page with the approval updated
UX
Related issues
gitlab-org/gitlab#223765 (comment 685647462)
Unanswered questions
- Can we use the users existing log in flow to force authentication directly?
- How to pick up the query parameter from the
/users/auth/{provider}endpoint on thePOST /users/auth/{provider}/callbackto be used after successful authentication? - Can we force the authentication in another window so the MR flow stays in tact?
Edited by Erin Blake