Fix 2FA setup for LDAP users

What does this MR do and why?

#343061 (closed) describes a bug where LDAP and other OAuth users are not able to set up two-factor authentication if they previously had a password and password authentication was disabled for the application. This MR fixes it by not requiring a password when password auth is disabled for web.

Screenshots or screen recordings

Password auth enabled: Screenshot_2021-11-02_at_12.32.39
Password auth disabled: Screenshot_2021-11-02_at_12.32.09

How to set up and validate locally

  1. Log in as admin.
  2. Go to /admin/application_settings/general#js-signin-settings.
  3. Disable the checkbox Allow password authentication for the web interface.
  4. Click Save changes.
  5. Go to /-/profile/two_factor_auth.
  6. Observe that the Current password field is no longer there.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #343061 (closed)

Edited by Andy Schoenen