
MFA via CompanionApp

Authored by Christian Mollekopf <mollekopf@apheleia-it.ch> on Nov 3 2022, 12:22 PM.


  • API is protected by either api (full access), or mfa scopes
  • The second factor only interacts via the mfa scope
  • Each companion app gets its own oauth_client, which enforces the allowed scope via the new allowed_scopes column + the TokenObserver.
  • MFA is not checked for MFA device interactions. This is to allow pairing & using a new device if an existing one was e.g. lost.
  • The QR-Code is now printable and includes the generated oauth_client secret. Together with the relaxation of mfa-checking for the mfa scope, this allows creating & printing recovery qr-codes.

Further changes:

  • The companion app is now offered for direct download via configurable download link.
  • The companion app primary key is now a uuid (in binary form), since it's exposed in the api.


  • The companion app table is truncated on migration because nothing is currently relying on it and no important data is lost.

Builds on D3698

Differential Revision: https://git.kolab.org/D3932
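
A simplified model of the scope rules described in the commit message above, added here as an illustration and not taken from the Kolab code base. All class and function names are hypothetical, and it assumes that an `api` token also passes `mfa` routes and that a client without an allow-list is unrestricted.

```python
# Added illustration: per-client scope allow-list checked at token creation,
# plus a route guard for the "api" and "mfa" scopes. Names are hypothetical.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


class ScopeError(Exception):
    """A token was requested with scopes the client is not allowed to hold."""


@dataclass(frozen=True)
class OAuthClient:
    client_id: str
    allowed_scopes: Optional[FrozenSet[str]]  # None = unrestricted (assumption)


@dataclass(frozen=True)
class Token:
    client_id: str
    scopes: FrozenSet[str]


def issue_token(client: OAuthClient, requested: Iterable[str]) -> Token:
    """Observer-style check: refuse any scope outside the client's allow-list."""
    scopes = frozenset(requested)
    if not scopes:
        raise ScopeError("empty scope request")
    if client.allowed_scopes is not None and not scopes <= client.allowed_scopes:
        extra = sorted(scopes - client.allowed_scopes)
        raise ScopeError(f"client {client.client_id} may not request {extra}")
    return Token(client.client_id, scopes)


def authorize(token: Token, route_scope: str,
              user_has_mfa: bool, mfa_verified: bool) -> bool:
    """Guard for a route that requires route_scope ('api' or 'mfa')."""
    # 'api' is full access (assumption: it also covers mfa routes);
    # an 'mfa'-only token reaches nothing but the mfa routes.
    if "api" not in token.scopes and route_scope not in token.scopes:
        return False
    # The second factor is not checked for MFA device interactions, so a
    # replacement device can be paired when the existing one was lost.
    if route_scope == "mfa":
        return True
    # Everything else needs a verified second factor once the user has MFA.
    return mfa_verified or not user_has_mfa
```

Because the printed QR code carries the client secret, the allow-list is what keeps a leaked recovery code confined to the `mfa` routes in this model.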


Christian Mollekopf <mollekopf@apheleia-it.ch> Nov 16 2022, 12:35 PM
mollekopf Nov 16 2022, 12:35 PM
Differential Revision
D3932: MFA via CompanionApp
rK47434dedd388: Support an empty response on no change from the server
This commit has been deleted in the repository: it is no longer reachable from any branch, tag, or ref.

Event Timeline

Christian Mollekopf <mollekopf@apheleia-it.ch> committed rKa80808b33a66: MFA via CompanionApp (authored by Christian Mollekopf <mollekopf@apheleia-it.ch>). Nov 16 2022, 12:35 PM