directus / directus

The flexible backend for all your projects 🐰 Turn your DB into a headless CMS, admin panels, or apps with a custom UI, instant APIs, auth & more.
https://directus.io

Two factor authentication asks for password when using google provider #19330

Open ivan-janssens-de-varebeke-lemon opened 1 year ago

ivan-janssens-de-varebeke-lemon commented 1 year ago

Describe the Bug

I am using the latest docker image (image SHA: sha256:6b9870f770b3b48c9bd2edd8e274e988c2672abe01b2a8578c5e94cb922103b0)

I configured google as SSO provider. When I log into the account as a google user, I have the option to add a two-factor authentication. Firstly this seems weird to keep enabled in a SSO flow. Secondly, when I try to enable it, Directus asks for my password to enable 2FA, but I don't have one as it is SSO. If I then scroll to the top of the profile page, fill in a password at the top, and then create a 2FA for my account, I can create one. If I then log out and try to log back in with google, it fails, mentioning "Wrong one-time password" (see screenshot), and I cannot log in anymore.

I wanted to report this bug because I think this flow can lead to weird behaviour and blocked accounts. It is currently not a concern for me as I am just testing out the framework.

[screenshot]

To Reproduce

First flow

Second flow

Directus Version

v10.5.2

Hosting Strategy

Self-Hosted (Docker Image)

DanielBiegler commented 1 year ago

Hi there! :)

Did this get fixed after you set your PUBLIC_URL environment variable like in #19331 ?

ivan-janssens-de-varebeke-lemon commented 1 year ago

No, both of the flows are occurring after setting the PUBLIC_URL env var

rijkvanzanten commented 1 year ago

We should disable the 2fa configuration if you're logging in through an sso provider (as the 2fa happens in there)