Extra care has to be taken to avoid running into cached results, which
can happen if we bypass 2fa for a "config" scope check first.
Details
- Reviewers: machniak
- Group Reviewers: Restricted Project
- Commits: rK5a0a0fc71590: Prevent access over username & password when a second factor is configured
Diff Detail
- Repository: rK kolab
- Branch: dev/mollekopf
- Lint: Lint Skipped
- Unit: No Test Coverage
- Build Status: Buildable 57507; Build 20154: arc lint + arc unit
Event Timeline
This is what prevents external clients from bypassing 2fa now, without attempting to make 2fa work for username+password. We still allow "config" scope tokens to bypass 2fa, which is operationally easier than a separate shared secret.
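
The caching pitfall named in the summary, as an added example that is not code from this revision or from Kolab: an authentication result cache keyed only on the credentials lets a 2FA-exempt "config" check answer a later lookup for another scope, while a key that includes the scope does not. The `AuthService` class, the cache layout, the `mail` scope and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample account; "mail" is a hypothetical non-config scope.
USERS = {"alice": {"password": "s3cret", "has_2fa": True}}


class AuthService:
    """Password check with a result cache (assumed design, for illustration)."""

    def __init__(self, users, scope_in_cache_key):
        self.users = users
        self.scope_in_cache_key = scope_in_cache_key
        self.cache = {}

    def _cache_key(self, username, password, scope):
        digest = hashlib.sha256(f"{username}\0{password}".encode()).hexdigest()
        # Hardened form: the scope is part of the key, so a 2FA-exempt
        # "config" result can never answer a lookup for another scope.
        return (digest, scope) if self.scope_in_cache_key else (digest,)

    def authenticate(self, username, password, scope):
        key = self._cache_key(username, password, scope)
        if key in self.cache:
            return self.cache[key]
        user = self.users.get(username)
        ok = user is not None and hmac.compare_digest(
            user["password"].encode(), password.encode())
        # Username + password alone is refused when a second factor is
        # configured; only the "config" scope is exempt.
        if ok and user["has_2fa"] and scope != "config":
            ok = False
        self.cache[key] = ok
        return ok


def config_then_other_scope(scope_in_cache_key):
    """Run a "config" check first, then the same credentials for "mail"."""
    svc = AuthService(USERS, scope_in_cache_key)
    config_ok = svc.authenticate("alice", "s3cret", "config")
    mail_ok = svc.authenticate("alice", "s3cret", "mail")
    return config_ok, mail_ok


if __name__ == "__main__":
    print("scope-blind cache:", config_then_other_scope(False))
    print("scope-aware cache:", config_then_other_scope(True))
```

A regression test for this class of bug should run the exempt scope first and then assert that the same credentials are still refused for every other scope.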