IhToN / verdaccio-azure-ad-login

Let your users authenticate into Verdaccio via Azure AD OAuth 2.0 API
MIT License

Verdaccio registry login is not working with MFA enabled user in AAD #6

Open kirankucharkanti opened 2 years ago

kirankucharkanti commented 2 years ago

Hi, I have configured Verdaccio in App Service and integrated it with AAD. The issue now is that MFA-enabled users are not able to log in, while users without MFA enabled are able to log in to the Verdaccio registry.

Below is the log:

error--- Error authentication in Azure >> Error: Failed requesting Azure AD access token: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.

And below is the config file:

# It allows all users to do anything, so don't use it on production systems.
#
# Do not configure host and port under `listen` in this file
# as it will be ignored when using docker.
# see https://verdaccio.org/docs/en/docker#docker-and-custom-port-configuration
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#

# path to a directory with all packages
storage: /verdaccio/storage/data
# path to a directory with plugins to include
plugins: /verdaccio/plugins

web:
  # WebUI is enabled as default, if you want disable it, just uncomment this line
  #enable: false
  title: Verdaccio
  # comment out to disable gravatar support
  # gravatar: false
  # by default packages are ordered ascendant (asc|desc)
  # sort_packages: asc

auth:
  #htpasswd:
  #  file: /verdaccio/storage/htpasswd
  #  # Maximum amount of users allowed to register, defaults to "+infinity".
  #  # You can set this to -1 to disable registration.
  #  # max_users: 1000
  azure-ad-login:
    # REQUIRED, Azure application tenant
    tenant: "***************************"
    # REQUIRED, Azure client_id
    client_id: "***************************"
    # REQUIRED, Azure application client_secret
    client_secret: "********************************"
    # OPTIONAL, default email domain for accounts, example: organization.com
    organization_domain: "abc.com"
    # OPTIONAL, custom azure scope for users
    # Standard scope: user.read openid profile offline_access
    # Other permissions added here will be added to the end of the standard one
    scope: ""
    # OPTIONAL, users of these groups will be allowed to authenticate
    # This requires the App to have GroupMember.Read.All permission:
    # https://docs.microsoft.com/en-us/graph/api/user-getmembergroups?view=graph-rest-1.0&tabs=http

    #allow_groups:
    #  - "Developer"

security:
  api:
    jwt:
      sign:
        expiresIn: 60d
        notBefore: 1
  web:
    sign:
      expiresIn: 7d
      notBefore: 1

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    # scoped packages
    access: $authenticated
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: $authenticated

    # allow all known users to publish/unpublish packages
    # (anyone can register by default, remember?)
    publish: $authenticated
    unpublish: $authenticated

    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

middlewares:
  audit:
    enabled: true

# log settings
logs:
  - { type: stdout, format: pretty, level: http }
  #- {type: file, path: verdaccio.log, level: info}

IhToN commented 2 years ago

Hello @kirankucharkanti, unfortunately this plugin does not work with 2FA as Verdaccio itself is restricted to a simple "user/password" login.

There is a conversation within Verdaccio regarding 2FA support, but it looks like it is a feature that will take a long time to be included: https://github.com/verdaccio/verdaccio/discussions/913
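
As an added example for this thread (not code from verdaccio-azure-ad-login or from Verdaccio itself), the script below classifies the Azure AD token error quoted in the first post and shows the point made above in operational terms: a username/password-only login cannot complete an MFA requirement, so AADSTS50076 is a policy outcome to surface to the operator, not a bad password to retry. It assumes the token endpoint's standard `error`/`error_description` JSON error body and that the plugin writes the `error_description` text into its log line, as the quoted log suggests; every sample line except the one quoted in the issue is constructed here.

```javascript
// Added example for this issue thread, not code from verdaccio-azure-ad-login or Verdaccio.
// It classifies Azure AD token-endpoint failures (and the Verdaccio log lines they end up in)
// so an operator can tell "MFA required by policy" apart from a bad password or a locked account.
// Assumptions: the token endpoint's JSON error body carries the standard `error` and
// `error_description` fields, and the plugin's log line embeds the error_description text.

const AADSTS_RE = /AADSTS(\d+)/;

// AADSTS codes an operator most often meets on a username/password token request.
const KNOWN_CODES = {
  '50076': {
    category: 'mfa_required',
    hint: 'A Conditional Access policy requires MFA; a username/password-only login cannot complete it.',
  },
  '50126': {
    category: 'invalid_credentials',
    hint: 'Wrong username or password.',
  },
  '50053': {
    category: 'account_locked',
    hint: 'The account is locked; check lockout policy and sign-in risk before unlocking.',
  },
};

// Pull the numeric AADSTS code out of any text, or null if none is present.
function extractAadstsCode(text) {
  const m = AADSTS_RE.exec(String(text || ''));
  return m ? m[1] : null;
}

// Classify a token-endpoint error body of the shape { error, error_description }.
function classifyTokenError(body) {
  const code = extractAadstsCode(body && body.error_description);
  const known = code ? KNOWN_CODES[code] : undefined;
  return {
    code,
    oauthError: body && body.error ? body.error : null,
    category: known ? known.category : code ? 'unknown_aadsts' : 'unknown',
    hint: known ? known.hint : 'Look the code up in the AADSTS error reference.',
  };
}

// The same classification applied to a Verdaccio log line written by the plugin.
// Returns null for lines that are not Azure authentication failures.
function classifyVerdaccioLogLine(line) {
  if (!/Error authentication in Azure/.test(line)) return null;
  return classifyTokenError({ error: null, error_description: line });
}

// Count failures per category across a batch of log lines. A burst of `mfa_required`
// right after a Conditional Access change, or of `invalid_credentials` spread across
// many users, is what an operator wants to see at a glance.
function summarizeLogLines(lines) {
  const counts = {};
  let skipped = 0;
  for (const line of lines) {
    const result = classifyVerdaccioLogLine(line);
    if (!result) { skipped += 1; continue; }
    counts[result.category] = (counts[result.category] || 0) + 1;
  }
  return { counts, skipped };
}

// Constructed sample log lines. The first is the line quoted in the issue; the others are
// made up here to show another category and a non-auth line that is ignored.
const SAMPLE_LOG_LINES = [
  "error--- Error authentication in Azure >> Error: Failed requesting Azure AD access token: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.",
  'error--- Error authentication in Azure >> Error: Failed requesting Azure AD access token: AADSTS50126: Error validating credentials due to invalid username or password.',
  "http <-- 200, user: null(127.0.0.1), req: 'GET /-/ping', bytes: 0/2",
];

console.log(JSON.stringify(summarizeLogLines(SAMPLE_LOG_LINES), null, 2));
```

Run it with `node` and the summary reports one `mfa_required` and one `invalid_credentials` failure with the ping line skipped. Keying the classification on the AADSTS code rather than on the free-text description keeps it stable if Microsoft rewords the message, and the `hint` is what belongs in the message shown to the user instead of a generic "authentication failed".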

kirankucharkanti commented 2 years ago

Thanks for the update @IhToN. Can we know when the 2FA feature will be included in Verdaccio?

IhToN commented 2 years ago

Not from my side, as I'm not an active developer on the main project, but it could be a good idea to ask on the discussion I've linked; maybe juanpicado or another member of the community can think of a viable solution.