
Topic on Extension talk:OATHAuth

How to enforce MFA to all users, any examples will be useful

Wikiusr23 (talkcontribs)

I have the following config

## Users should be given access to the oathauth-enable user right so that they can enable it at Special:OATHAuth
$wgGroupPermissions['user']['oathauth-enable'] = true;

## Set MFA for all logged-in users
#$wgOATHRequiredForGroups = [ 'user', 'WIKI-PSWiki-Admins' ];

## Remove the 'read' right until the user has authenticated with MFA
$wgOATHExclusiveRights = [ 'read' ];


But with this, the users are asked to do MFA, but they don't have the rights to see the preferences page.

TheDJ (talkcontribs)

As MediaWiki in general is architected for situations where users have read rights, you might run into unexpected problems when they don't, this being one of them. Manual:Preventing_access suggests Manual:$wgWhitelistRead. I'm not sure anyone has ever tested for a situation like the one you are describing, so unsure if that suggestion will work.

Wikiusr23 (talkcontribs)

Is my syntax in the configuration correct?

The users are not able to see the login page either, though I have

$wgWhitelistRead = array( "Special:Userlogin" );

Say I remove $wgOATHExclusiveRights: will $wgOATHRequiredForGroups take care of enforcing MFA for users on login, i.e. make them register for MFA if they don't have it set?

Nu77p0int3r (talkcontribs)

I had the same issue with my installation, so I edited the plugin.


In extensions/OATHAuth/src/Hook/HookHandler.php, replace lines 220 to 228 with:

$session = $user->getRequest()->getSession();

// Pages listed in $wgWhitelistRead stay readable before the second factor is verified
$whitelistRead = $this->config->get( 'WhitelistRead' );
if ( !is_array( $whitelistRead ) ) {
	$whitelistRead = [];
}

if (
	!(bool)$session->get( OATHAuth::AUTHENTICATED_OVER_2FA, false ) &&
	in_array( $action, $this->config->get( 'OATHExclusiveRights' ) ) &&
	!in_array( $title->getPrefixedText(), $whitelistRead, true )
) {
	$result = 'oathauth-action-exclusive-to-2fa';
	return false;
}
return true;


then, in LocalSettings.php:

$wgOATHExclusiveRights = [ 'read' ];
$wgOATHRequiredForGroups = [ 'user' ];
$wgWhitelistRead = [
	'Special:UserLogin',
	'Special:Preferences',
	'Special:Manage Two-factor authentication',
	'Special:OATHAuth',
	'MediaWiki:Common.css',
	'MediaWiki:Common.js'
];


Once 2FA is enabled, the user must log out and log in again.
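To see what the patched check above actually lets through before the second factor is verified, here is a stand-alone model of its decision logic, added here as an example; it is not code from the thread or from OATHAuth. The function name allowedWithoutSecondFactor, the variable names and the request table are constructed, and the whitelist is adapted from the LocalSettings.php shown above. Titles are compared as literal strings, exactly as the patched in_array does, so an entry only takes effect when it is spelled the way the hook receives the title.

```php
<?php
// Added example (not part of the thread or of OATHAuth): a pure-function model of the
// patched permission check, so a $wgWhitelistRead can be exercised outside MediaWiki.
// allowedWithoutSecondFactor and all variable names are hypothetical.

/**
 * Mirror of the patched hook logic.
 *
 * @param bool     $authenticatedOver2fa what the hook reads from the session flag
 * @param string   $action               the right being checked, e.g. 'read'
 * @param string   $title                prefixed page title, e.g. 'Special:UserLogin'
 * @param string[] $exclusiveRights      value of $wgOATHExclusiveRights
 * @param mixed    $whitelistRead        value of $wgWhitelistRead (may be unset or not an array)
 * @return bool true if the action is permitted, false if it is blocked pending 2FA
 */
function allowedWithoutSecondFactor(
	bool $authenticatedOver2fa,
	string $action,
	string $title,
	array $exclusiveRights,
	$whitelistRead
): bool {
	// Same defensive normalisation as the patch: a missing whitelist is an empty one.
	if ( !is_array( $whitelistRead ) ) {
		$whitelistRead = [];
	}
	if (
		!$authenticatedOver2fa &&
		in_array( $action, $exclusiveRights, true ) &&
		!in_array( $title, $whitelistRead, true )
	) {
		return false; // the real hook sets 'oathauth-action-exclusive-to-2fa' here
	}
	return true;
}

// Constructed configuration, adapted from the LocalSettings.php in the post above.
$exclusiveRights = [ 'read' ];
$whitelistRead = [
	'Special:UserLogin',
	'Special:Preferences',
	'Special:OATHAuth',
	'MediaWiki:Common.css',
	'MediaWiki:Common.js',
];

// Constructed requests: [ title, action, second factor already verified ].
$cases = [
	[ 'Main Page',           'read', false ],
	[ 'Special:UserLogin',   'read', false ],
	[ 'Special:Preferences', 'read', false ],
	[ 'Special:Userlogin',   'read', false ], // spelled differently from the whitelist entry
	[ 'Main Page',           'read', true  ],
	[ 'Main Page',           'edit', false ], // 'edit' is not in $wgOATHExclusiveRights
];

foreach ( $cases as [ $title, $action, $done2fa ] ) {
	$verdict = allowedWithoutSecondFactor( $done2fa, $action, $title, $exclusiveRights, $whitelistRead )
		? 'allowed' : 'blocked';
	printf( "%-22s %-5s 2fa=%-3s -> %s\n", $title, $action, $done2fa ? 'yes' : 'no', $verdict );
}
```

Run it with php on the command line. Two rows are worth attention when planning a deployment like this: the misspelled 'Special:Userlogin' row is blocked, which is the symptom Wikiusr23 reported, and the 'edit' row is allowed because the gate only covers the rights listed in $wgOATHExclusiveRights, so anything that should be unreachable before the second factor has to be named there explicitly.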
