Broken 2FA registration for omniauth providers
New users on our platform cannot activate 2FA because there's a new requirement for providing the user account password:
We use the openid_connect omniauth provider and our users do not provide direct passwords to GitLab; all authentication is redirected to the external provider.
This seems to have been introduced yesterday by 14.3.1: https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/#missing-authentication-allows-disabling-of-two-factor-authentication
I also wonder whether this has broken 2FA registration for any auth provider that does not store their passwords internally inside GitLab? (e.g. ldap)
Maybe you have some insights about this @dblessing @ifarkas @reprazent?
/cc @petermarko @bufferoverflow @max-wittig @fh1ch @ercan.ucan