🎨 [#3049] Remove/replace references to the obsoleted environment vari…

…ables
open-formulieren · Feb 7, 2024 · dff6ddb · dff6ddb
1 parent a90bc4d
commit dff6ddb
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 28 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -265,9 +265,6 @@ jobs:
           DB_USER: postgres
           DB_PASSWORD: ''
           E2E_DRIVER: ${{ matrix.browser }}
-          # with 2FA enabled, *for some reason* this doesn't work on CI -> can't find
-          # the inputs
-          TWO_FACTOR_PATCH_ADMIN: 'no'
           SDK_RELEASE: ${{ steps.sdk-tag.outputs.sdk_tag }}
 
   docs:

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -15,6 +15,11 @@ the time of writing, such a version has not been released yet.
 .. todo:: At release time (2.6.0), check if we need to gate this functionality behind a
    feature flag to prevent issues.
 
+The ``TWO_FACTOR_FORCE_OTP_ADMIN`` and ``TWO_FACTOR_PATCH_ADMIN`` environment variables
+are removed. Disabling MFA in the admin is no longer possible. Note that the OIDC
+login backends do not require (additional) MFA in the admin and we've added support for
+hardware tokens (like the YubiKey) which make MFA less of a nuisance.
+
 2.5.2 (2024-02-06)
 ==================
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -70,8 +70,6 @@ services:
       - CELERY_RESULT_BACKEND=redis://redis:6379/0
       - CELERY_LOGLEVEL=DEBUG
       - OPENFORMS_LOCATION_CLIENT=${OPENFORMS_LOCATION_CLIENT:-openforms.contrib.bag.client.BAGClient}
-      - TWO_FACTOR_FORCE_OTP_ADMIN=0
-      - TWO_FACTOR_PATCH_ADMIN=0
       - CORS_ALLOW_ALL_ORIGINS=${CORS_ALLOW_ALL_ORIGINS:-true}
       - EMAIL_HOST=smtp
       # Needed for Celery Flower to match the TIME_ZONE configured in the

diff --git a/docs/developers/backend/tests.rst b/docs/developers/backend/tests.rst
@@ -83,12 +83,7 @@ After installing the dependencies, install the browsers locally:
 
 .. code-block:: bash
 
-    TWO_FACTOR_PATCH_ADMIN=no python src/manage.py test src --tag=e2e
-
-.. note:: When the admin is monkeypatched to enable 2FA behaviour, it's been observed
-   that the end to end tests fail to run/complete properly. Disabling this via your
-   local settings or the environment variable ``TWO_FACTOR_PATCH_ADMIN=no`` mitigates
-   this.
+    python src/manage.py test src --tag=e2e
 
 **Configuration**
 

diff --git a/docs/installation/config.rst b/docs/installation/config.rst
@@ -316,12 +316,6 @@ Other settings
   `upstream documentation <https://www.django-rest-framework.org/api-guide/settings/#num_proxies>`_
   for more context. Defaults to ``1``.
 
-* ``TWO_FACTOR_FORCE_OTP_ADMIN``: Enforce 2 Factor Authentication in the admin or not.
-  Default ``True``. You'll probably want to disable this when using OIDC.
-
-* ``TWO_FACTOR_PATCH_ADMIN``: Whether to use the 2 Factor Authentication login flow for
-  the admin or not. Default ``True``. You'll probably want to disable this when using OIDC.
-
 * ``FORMS_EXPORT_REMOVED_AFTER_DAYS``: The number of days after which zip files of exported forms should be deleted.
   Defaults to 7 days.
 

diff --git a/docs/installation/security.rst b/docs/installation/security.rst
@@ -191,17 +191,11 @@ The internal URLs are:
 Two-factor auth
 ===============
 
-By default, the admin interface requires two-factor authentication using OTP. We only
-encourage disabling this when you are using single-sign-on via OIDC instead of username
-+ password authentication.
-
-The recommended settings are:
-
-.. code-block:: bash
-
-    TWO_FACTOR_FORCE_OTP_ADMIN=True
-    TWO_FACTOR_PATCH_ADMIN=True
-
+The admin interface requires two-factor authentication using OTP (using Microsoft or
+Google's Authenticator app) or hardware tokens such as YubiKeys. If you use a single
+sign on solution (e.g. Keycloak OIDC, Azure AD OIDC...), it is assumed that the second
+factor is enforced on those products and staff users do not need to provide an
+additional second factor in Open Forms.
 
 .. _installation_config_webserver: