Two-factor providers

Two-factor auth providers apps are used to plug custom second factors into the Nextcloud core.

Implementing a simple two-factor auth provider

Two-factor auth providers must implement the OCP\Authentication\TwoFactorAuth\IProvider interface. The example below shows a minimalistic example of such a provider.

  1. <?php
  2. namespace OCA\TwoFactor_Test\Provider;
  3. use OCP\Authentication\TwoFactorAuth\IProvider;
  4. use OCP\IUser;
  5. use OCP\Template;
  6. class TwoFactorTestProvider implements IProvider {
  7. /**
  8. * Get unique identifier of this 2FA provider
  9. *
  10. * @return string
  11. */
  12. public function getId() {
  13. return 'test';
  14. }
  15. /**
  16. * Get the display name for selecting the 2FA provider
  17. *
  18. * @return string
  19. */
  20. public function getDisplayName() {
  21. return 'Test';
  22. }
  23. /**
  24. * Get the description for selecting the 2FA provider
  25. *
  26. * @return string
  27. */
  28. public function getDescription() {
  29. return 'Use a test provider';
  30. }
  31. /**
  32. * Get the template for rending the 2FA provider view
  33. *
  34. * @param IUser $user
  35. * @return Template
  36. */
  37. public function getTemplate(IUser $user) {
  38. // If necessary, this is also the place where you might want
  39. // to send out a code via e-mail or SMS.
  40. // 'challenge' is the name of the template
  41. return new Template('twofactor_test', 'challenge');
  42. }
  43. /**
  44. * Verify the given challenge
  45. *
  46. * @param IUser $user
  47. * @param string $challenge
  48. */
  49. public function verifyChallenge(IUser $user, $challenge) {
  50. if ($challenge === 'passme') {
  51. return true;
  52. }
  53. return false;
  54. }
  55. /**
  56. * Decides whether 2FA is enabled for the given user
  57. *
  58. * @param IUser $user
  59. * @return boolean
  60. */
  61. public function isTwoFactorAuthEnabledForUser(IUser $user) {
  62. // 2FA is enforced for all users
  63. return true;
  64. }
  65. }

Register the provider state

To always know if a provider is enabled for a user, the server persists the enabled/disabled state of each provider-user tuple. Hence a provider app has to propagate these state changes. This is handled by the provider registry.

You can have the registry injected via constructor dependency injection. Whenever the provider state is changed (user enables/disables the provider), the enableProviderFor or disableProviderFor method must be called.

Note

This provider registry was added in Nextcloud 14. For backwards compatibility, the server still occasionally uses the IProvider::isTwoFactorAuthEnabledForUser method if the provider state has not been set yet. This method will be removed in future releases.

Registering a two-factor auth provider

You need to inform the Nextcloud core that the app provides two-factor auth functionality. Two-factor providers are registered via info.xml.

  1. <two-factor-providers>
  2. <provider>OCA\TwoFactor_Test\Provider\TwoFactorTestProvider</provider>
  3. </two-factor-providers>

Providing an icon (optional)

To enhance how a provider is shown in the list of selectable providers on the login page, an icon can be specified. For that the provider class must implement the IProvidesIcons interface. The light icon will be used on the login page, whereas the dark one will be placed next to the heading of the optional personal settings (see below).

Provide personal settings (optional)

Like other Nextcloud apps, two-factor providers often require user configuration to work. In Nextcloud 15 a new, consolidated two-factor settings section was added. To add personal provider settings there, a provider must implement the IProvidesPersonalSettings interface.

Make a provider activatable by the admin (optional)

In order to make it possible for an admin to enable the provider for a given user via the occ command line tool, it’s necessary to implement the OCP\Authentication\TwoFactorAuth\IActivatableByAdmin interface. As described in the linked interface documentation, this should only be implemented for providers that need no user interaction when activated.

Make a provider deactivatable by the admin (optional)

In order to make it possible for an admin to disable the provider for a given user via the occ command line tool, it’s necessary to implement the OCP\Authentication\TwoFactorAuth\IDeactivatableByAdmin interface. As described in the linked interface documentation, this should only be implemented for providers that need no user interaction when deactivated.