
Broken 2FA registration for omniauth providers

New users on our platform cannot activate 2FA because there's a new requirement for providing the user account password:

[Screenshot attachment: Setup2FA]

We use the openid_connect omniauth provider and our users do not provide direct passwords to GitLab, all authentication is redirected to the external provider.

This seems to have been introduced yesterday by 14.3.1: https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/#missing-authentication-allows-disabling-of-two-factor-authentication

I also wonder whether this has broken 2FA registration for any auth provider that does not store their passwords internally inside GitLab? (e.g. ldap) 🤔

Maybe you have some insights about this @dblessing @ifarkas @reprazent?

/cc @petermarko @bufferoverflow @max-wittig @fh1ch @ercan.ucan

Edited by Diego Louzán
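Added illustration, not GitLab's code: a constructed Ruby model of the 2FA activation check this report describes. `enable_two_factor_strict` reproduces the reported behaviour, demanding the account password unconditionally, which an account authenticated through an omniauth provider such as openid_connect cannot satisfy because it never supplied one. `enable_two_factor` shows one defensive alternative (an assumption, not the project's fix): accounts with a locally managed password still prove it, while externally authenticated accounts must instead have freshly re-authenticated with their provider. All user records, helpers and the salted SHA-256 stand-in for a real password hash are constructed for the example.

```ruby
require 'digest'

# Constructed account record: a local password digest is present only when
# the application itself manages the password.
LocalUser = Struct.new(:username, :salt, :password_digest, :provider, keyword_init: true)

# Hypothetical helper: mint a locally authenticated account. A plain salted
# SHA-256 stands in for a real password-hashing scheme in this illustration.
def make_local_user(username, password)
  salt = 'constructed-salt'
  LocalUser.new(username: username, salt: salt,
                password_digest: Digest::SHA256.hexdigest(salt + password),
                provider: nil)
end

# Hypothetical helper: mint an account that signed in via an omniauth
# provider and therefore has no password digest stored locally.
def make_omniauth_user(username, provider = 'openid_connect')
  LocalUser.new(username: username, salt: nil, password_digest: nil, provider: provider)
end

def password_managed_externally?(user)
  user.password_digest.nil? && !user.provider.nil?
end

# Constant-time string comparison so the password check does not leak by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_password?(user, candidate)
  return false if user.password_digest.nil? || candidate.nil?
  expected = Digest::SHA256.hexdigest(user.salt + candidate)
  secure_equal?(expected, user.password_digest)
end

# Behaviour reported in the issue: the current password is demanded for every
# account, so an omniauth user (who has none) can never complete 2FA setup.
def enable_two_factor_strict(user, current_password:)
  return [:error, 'current password required'] unless valid_password?(user, current_password)
  [:ok, "2FA enabled for #{user.username}"]
end

# Assumed alternative, not the project's fix: keep a re-authentication step
# for everyone, but pick the proof that the account can actually supply.
def enable_two_factor(user, current_password: nil, reauthenticated_with_provider: false)
  if password_managed_externally?(user)
    unless reauthenticated_with_provider
      return [:error, 'fresh sign-in with the identity provider required']
    end
  else
    return [:error, 'current password required'] unless valid_password?(user, current_password)
  end
  [:ok, "2FA enabled for #{user.username}"]
end

if __FILE__ == $PROGRAM_NAME
  alice = make_local_user('alice', 'correct horse battery staple')
  bob = make_omniauth_user('bob')
  p enable_two_factor_strict(alice, current_password: 'correct horse battery staple')
  p enable_two_factor_strict(bob, current_password: nil)   # blocked: no local password
  p enable_two_factor(bob, reauthenticated_with_provider: true)
end
```

The point the example makes is that "require the password before changing 2FA" is the right control for locally managed credentials but silently excludes every account whose authentication is delegated, so the check has to branch on how the account authenticates rather than on the presence of a password field in the form.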