Replace 2fa solution

.github/workflows/ci.yml

@@ -265,9 +265,6 @@ jobs:
           DB_USER: postgres
           DB_PASSWORD: ''
           E2E_DRIVER: ${{ matrix.browser }}
-          # with 2FA enabled, *for some reason* this doesn't work on CI -> can't find
-          # the inputs
-          TWO_FACTOR_PATCH_ADMIN: 'no'
           SDK_RELEASE: ${{ steps.sdk-tag.outputs.sdk_tag }}
 
   docs:

CHANGELOG.rst

@@ -15,6 +15,11 @@ the time of writing, such a version has not been released yet.
 .. todo:: At release time (2.6.0), check if we need to gate this functionality behind a
    feature flag to prevent issues.
 
+The ``TWO_FACTOR_FORCE_OTP_ADMIN`` and ``TWO_FACTOR_PATCH_ADMIN`` environment variables
+are removed. Disabling MFA in the admin is no longer possible. Note that the OIDC
+login backends do not require (additional) MFA in the admin and we've added support for
+hardware tokens (like the YubiKey) which make MFA less of a nuisance.
+
 2.5.2 (2024-02-06)
 ==================
 

docker-compose.yml

@@ -70,8 +70,6 @@ services:
       - CELERY_RESULT_BACKEND=redis://redis:6379/0
       - CELERY_LOGLEVEL=DEBUG
       - OPENFORMS_LOCATION_CLIENT=${OPENFORMS_LOCATION_CLIENT:-openforms.contrib.bag.client.BAGClient}
-      - TWO_FACTOR_FORCE_OTP_ADMIN=0
-      - TWO_FACTOR_PATCH_ADMIN=0
       - CORS_ALLOW_ALL_ORIGINS=${CORS_ALLOW_ALL_ORIGINS:-true}
       - EMAIL_HOST=smtp
       # Needed for Celery Flower to match the TIME_ZONE configured in the

docs/developers/backend/tests.rst

@@ -83,12 +83,7 @@ After installing the dependencies, install the browsers locally:
 
 .. code-block:: bash
 
-    TWO_FACTOR_PATCH_ADMIN=no python src/manage.py test src --tag=e2e
-
-.. note:: When the admin is monkeypatched to enable 2FA behaviour, it's been observed
-   that the end to end tests fail to run/complete properly. Disabling this via your
-   local settings or the environment variable ``TWO_FACTOR_PATCH_ADMIN=no`` mitigates
-   this.
+    python src/manage.py test src --tag=e2e
 
 **Configuration**
 

docs/installation/config.rst

@@ -316,12 +316,6 @@ Other settings
   `upstream documentation <https://www.django-rest-framework.org/api-guide/settings/#num_proxies>`_
   for more context. Defaults to ``1``.
 
-* ``TWO_FACTOR_FORCE_OTP_ADMIN``: Enforce 2 Factor Authentication in the admin or not.
-  Default ``True``. You'll probably want to disable this when using OIDC.
-
-* ``TWO_FACTOR_PATCH_ADMIN``: Whether to use the 2 Factor Authentication login flow for
-  the admin or not. Default ``True``. You'll probably want to disable this when using OIDC.
-
 * ``FORMS_EXPORT_REMOVED_AFTER_DAYS``: The number of days after which zip files of exported forms should be deleted.
   Defaults to 7 days.
 

docs/installation/security.rst

@@ -191,17 +191,11 @@ The internal URLs are:
 Two-factor auth
 ===============
 
-By default, the admin interface requires two-factor authentication using OTP. We only
-encourage disabling this when you are using single-sign-on via OIDC instead of username
-+ password authentication.
-
-The recommended settings are:
-
-.. code-block:: bash
-
-    TWO_FACTOR_FORCE_OTP_ADMIN=True
-    TWO_FACTOR_PATCH_ADMIN=True
-
+The admin interface requires two-factor authentication using OTP (using Microsoft or
+Google's Authenticator app) or hardware tokens such as YubiKeys. If you use a single
+sign on solution (e.g. Keycloak OIDC, Azure AD OIDC...), it is assumed that the second
+factor is enforced on those products and staff users do not need to provide an
+additional second factor in Open Forms.
 
 .. _installation_config_webserver:
 

dotenv.example

@@ -8,8 +8,6 @@ DB_USER=open-forms
 DB_PASSWORD=""
 DB_HOST=""
 
-TWO_FACTOR_PATCH_ADMIN=no
-TWO_FACTOR_FORCE_OTP_ADMIN=no
 # LANGUAGE_CODE=nl
 #CORS_ALLOW_ALL_ORIGINS=yes
 # CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8000
@@ -32,3 +30,6 @@ TWO_FACTOR_FORCE_OTP_ADMIN=no
 # Recording Suwinet VCR cassettes
 # SUWINET_CLIENT_KEY=/path/to/privatekey.pem
 # SUWINET_BASE_URL=https://url/of/gateway/suwiml
+
+# Applies to dev settings module only!
+DISABLE_2FA=yes

requirements/base.in

@@ -15,7 +15,6 @@ html5lib
 --no-binary lxml
 lxml
 O365  # microsoft graph
-phonenumbers
 Pillow  # handle images
 portalocker[redis]
 psycopg2  # database driver
@@ -62,7 +61,7 @@ django-tinymce
 django-treebeard
 django-yubin
 mozilla-django-oidc-db
-maykin-django-two-factor-auth[phonenumbers]
+maykin-2fa
 django-timeline-logger
 django-csp
 django-csp-reports

requirements/base.txt

@@ -14,6 +14,8 @@ ape-pie==0.1.0
     #   zgw-consumers
 asgiref==3.5.0
     # via django
+asn1crypto==1.5.1
+    # via webauthn
 async-timeout==4.0.2
     # via redis
 attrs==20.3.0
@@ -35,6 +37,8 @@ boltons==21.0.0
     #   glom
 brotli==1.1.0
     # via fonttools
+cbor2==5.6.1
+    # via webauthn
 celery==5.2.7
     # via
     #   -r requirements/base.in
@@ -78,6 +82,7 @@ cryptography==42.0.2
     #   josepy
     #   mozilla-django-oidc
     #   pyopenssl
+    #   webauthn
 cssselect2==0.7.0
     # via weasyprint
 defusedxml==0.7.1
@@ -116,13 +121,14 @@ django==3.2.24
     #   django-solo
     #   django-timeline-logger
     #   django-treebeard
+    #   django-two-factor-auth
     #   djangorestframework
     #   drf-jsonschema-serializer
     #   drf-nested-routers
     #   drf-polymorphic
     #   drf-spectacular
     #   mail-cleaner
-    #   maykin-django-two-factor-auth
+    #   maykin-2fa
     #   mozilla-django-oidc
     #   mozilla-django-oidc-db
     #   sentry-sdk
@@ -159,7 +165,7 @@ django-digid-eherkenning==0.10.0
 django-filter==23.2
     # via -r requirements/base.in
 django-formtools==2.3
-    # via maykin-django-two-factor-auth
+    # via django-two-factor-auth
 django-hijack==3.4.1
     # via -r requirements/base.in
 django-ipware==5.0.0
@@ -176,10 +182,10 @@ django-ordered-model==3.6
     # via
     #   -r requirements/base.in
     #   django-admin-index
-django-otp==1.0.6
-    # via maykin-django-two-factor-auth
+django-otp==1.3.0
+    # via django-two-factor-auth
 django-phonenumber-field==5.2.0
-    # via maykin-django-two-factor-auth
+    # via django-two-factor-auth
 django-privates==1.5.0
     # via
     #   -r requirements/base.in
@@ -211,6 +217,8 @@ django-tinymce==3.6.1
     # via -r requirements/base.in
 django-treebeard==4.7
     # via -r requirements/base.in
+django-two-factor-auth[phonenumberslite,webauthn]==1.16.0
+    # via maykin-2fa
 django-yubin==2.0.2
     # via -r requirements/base.in
 djangorestframework==3.14.0
@@ -303,7 +311,7 @@ mail-cleaner==1.2.0
     # via -r requirements/base.in
 mail-parser==3.15.0
     # via django-yubin
-maykin-django-two-factor-auth[phonenumbers]==2.0.4
+maykin-2fa==1.0.0
     # via -r requirements/base.in
 maykin-json-logic-py==0.13.0
     # via -r requirements/base.in
@@ -331,10 +339,8 @@ packaging==23.1
     # via prance
 pathable==0.4.3
     # via jsonschema-spec
-phonenumbers==8.12.29
-    # via
-    #   -r requirements/base.in
-    #   maykin-django-two-factor-auth
+phonenumberslite==8.13.29
+    # via django-two-factor-auth
 pillow==10.2.0
     # via
     #   -r requirements/base.in
@@ -363,6 +369,7 @@ pyopenssl==24.0.0
     #   django-simple-certmanager
     #   josepy
     #   maykin-python3-saml
+    #   webauthn
     #   zgw-consumers
 pyphen==0.10.0
     # via weasyprint
@@ -396,7 +403,7 @@ pyyaml==6.0.1
     #   gemma-zds-client
     #   jsonschema-spec
 qrcode==6.1
-    # via maykin-django-two-factor-auth
+    # via django-two-factor-auth
 redis==4.5.4
     # via
     #   celery-once
@@ -494,6 +501,8 @@ wcwidth==0.2.5
     # via prompt-toolkit
 weasyprint==60.1
     # via -r requirements/base.in
+webauthn==2.0.0
+    # via django-two-factor-auth
 webencodings==0.5.1
     # via
     #   bleach

requirements/ci.txt

@@ -23,6 +23,11 @@ asgiref==3.5.0
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   django
+asn1crypto==1.5.1
+    # via
+    #   -c requirements/base.txt
+    #   -r requirements/base.txt
+    #   webauthn
 async-timeout==4.0.2
     # via
     #   -c requirements/base.txt
@@ -67,6 +72,11 @@ brotli==1.1.0
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   fonttools
+cbor2==5.6.1
+    # via
+    #   -c requirements/base.txt
+    #   -r requirements/base.txt
+    #   webauthn
 celery==5.2.7
     # via
     #   -c requirements/base.txt
@@ -143,6 +153,7 @@ cryptography==42.0.2
     #   josepy
     #   mozilla-django-oidc
     #   pyopenssl
+    #   webauthn
 cssselect==1.1.0
     # via pyquery
 cssselect2==0.7.0
@@ -189,13 +200,14 @@ django==3.2.24
     #   django-solo
     #   django-timeline-logger
     #   django-treebeard
+    #   django-two-factor-auth
     #   djangorestframework
     #   drf-jsonschema-serializer
     #   drf-nested-routers
     #   drf-polymorphic
     #   drf-spectacular
     #   mail-cleaner
-    #   maykin-django-two-factor-auth
+    #   maykin-2fa
     #   mozilla-django-oidc
     #   mozilla-django-oidc-db
     #   sentry-sdk
@@ -264,7 +276,7 @@ django-formtools==2.3
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
-    #   maykin-django-two-factor-auth
+    #   django-two-factor-auth
 django-hijack==3.4.1
     # via
     #   -c requirements/base.txt
@@ -294,16 +306,16 @@ django-ordered-model==3.6
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   django-admin-index
-django-otp==1.0.6
+django-otp==1.3.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
-    #   maykin-django-two-factor-auth
+    #   django-two-factor-auth
 django-phonenumber-field==5.2.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
-    #   maykin-django-two-factor-auth
+    #   django-two-factor-auth
 django-privates==1.5.0
     # via
     #   -c requirements/base.txt
@@ -356,6 +368,12 @@ django-treebeard==4.7
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
+django-two-factor-auth[phonenumberslite,webauthn]==1.16.0
+    # via
+    #   -c requirements/base.txt
+    #   -r requirements/base.txt
+    #   django-two-factor-auth
+    #   maykin-2fa
 django-webtest==1.9.7
     # via -r requirements/test-tools.in
 django-yubin==2.0.2
@@ -559,11 +577,10 @@ markdown==3.3.4
     # via sphinx-markdown-tables
 markupsafe==2.1.2
     # via jinja2
-maykin-django-two-factor-auth[phonenumbers]==2.0.4
+maykin-2fa==1.0.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
-    #   maykin-django-two-factor-auth
 maykin-json-logic-py==0.13.0
     # via
     #   -c requirements/base.txt
@@ -638,11 +655,11 @@ pathspec==0.9.0
     # via black
 pep8==1.7.1
     # via -r requirements/test-tools.in
-phonenumbers==8.12.29
+phonenumberslite==8.13.29
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
-    #   maykin-django-two-factor-auth
+    #   django-two-factor-auth
 pillow==10.2.0
     # via
     #   -c requirements/base.txt
@@ -715,6 +732,7 @@ pyopenssl==24.0.0
     #   django-simple-certmanager
     #   josepy
     #   maykin-python3-saml
+    #   webauthn
     #   zgw-consumers
 pyphen==0.10.0
     # via
@@ -779,7 +797,7 @@ qrcode==6.1
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
-    #   maykin-django-two-factor-auth
+    #   django-two-factor-auth
 recommonmark==0.7.1
     # via -r requirements/docs.in
 redis==4.5.4
@@ -1006,6 +1024,11 @@ weasyprint==60.1
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
+webauthn==2.0.0
+    # via
+    #   -c requirements/base.txt
+    #   -r requirements/base.txt
+    #   django-two-factor-auth
 webencodings==0.5.1
     # via
     #   -c requirements/base.txt