Open erebion opened 1 year ago
In my opinion, the identity provider (Keycloak, Authentik, ...) should decide / enforce whether the user logs in with 2FA or not.
@jacksgt I agree that it should be done on that end. However, users have not yet set up 2FA at the beginning of a migration to SSO and they can access the account via local login with 2FA and now also via SSO without.
Nextcloud has no way to know how the user authenticated against IdP, it trusts the login process was "secure enough". Every modern IdP supports 2FA and if you require second factor this should be enforced on the backend.
2FA should be available without relying on the SSO system.
Currently users are not asked for their TOTP when logging in, even if the Nextcloud setting is set to "force two factor authentication".
There should be a setting that allows forcing TOTP even via SSO.
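For readers following this thread: OpenID Connect does define a standard way for an IdP to tell the relying party how the user authenticated, the `amr` (Authentication Methods References) claim in the ID token, with values registered in RFC 8176, plus the `acr` claim for a named assurance level. The snippet below is an added example and is not Nextcloud or user_oidc code; it shows how a relying party could fail closed when the token does not prove that a second factor was used. It assumes the IdP has been configured to emit `amr` (many do not by default) and that the token's signature, issuer, audience and expiry were already verified before the claims reach this check. The sample claim sets are constructed for illustration.

```python
"""Decide from verified OIDC ID token claims whether the IdP performed MFA.

Added example, not Nextcloud or user_oidc code. Assumes the IdP emits the
RFC 8176 ``amr`` claim and that the JWT has already been validated
(signature, iss, aud, exp) before its claims are passed in here.
"""

# RFC 8176 authentication method reference values, grouped by factor type.
# "mfa" is a self-declaration by the IdP that multiple factors were used.
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"otp", "hwk", "sc", "sms", "swk", "tel"}
INHERENCE = {"face", "fpt", "iris", "retina", "vbm"}


def factor_categories(amr):
    """Map a list of amr values onto the distinct factor categories they cover."""
    categories = set()
    for method in amr:
        if method in KNOWLEDGE:
            categories.add("knowledge")
        elif method in POSSESSION:
            categories.add("possession")
        elif method in INHERENCE:
            categories.add("inherence")
        # Unknown or non-factor values (e.g. "geo", "rba", "user") add nothing.
    return categories


def mfa_satisfied(claims, required_acr=None):
    """Return True only if the claims positively demonstrate a second factor.

    Fails closed: a missing or malformed ``amr`` counts as single-factor,
    because the relying party then has no evidence either way.
    """
    amr = claims.get("amr")
    if not isinstance(amr, list):
        return False
    if required_acr is not None and claims.get("acr") != required_acr:
        return False
    if "mfa" in amr:
        return True
    # Two methods from the *same* category (e.g. otp + sms) are not MFA.
    return len(factor_categories(amr)) >= 2


# Constructed sample claim sets (hypothetical issuer and subject values).
SAMPLE_CLAIMS = {
    "password_only": {"iss": "https://idp.example", "sub": "u1", "amr": ["pwd"]},
    "password_plus_totp": {"iss": "https://idp.example", "sub": "u2", "amr": ["pwd", "otp"]},
    "idp_declares_mfa": {"iss": "https://idp.example", "sub": "u3", "amr": ["mfa"]},
    "two_possession_factors": {"iss": "https://idp.example", "sub": "u4", "amr": ["otp", "sms"]},
    "no_amr_claim": {"iss": "https://idp.example", "sub": "u5"},
    "wrong_acr": {"iss": "https://idp.example", "sub": "u6", "amr": ["pwd", "hwk"], "acr": "basic"},
}


def evaluate_samples(required_acr=None):
    """Run the check over every sample and return {name: allowed}."""
    return {name: mfa_satisfied(c, required_acr) for name, c in SAMPLE_CLAIMS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:24s} -> {'allow' if allowed else 'deny (require 2FA)'}")
```

The policy decision stays on the relying-party side: the IdP reports what it did, and the application refuses the session when the evidence is absent, which covers the migration window described above where the IdP has not yet enforced a second factor for everyone. Requesting a specific level from the IdP at login time is done with the `acr_values` authentication request parameter; the `required_acr` argument here checks that the IdP actually honoured it.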