Enable per-tenant WebAuthn, MFA fixes & UI #5

Draft
shashankjaintdl wants to merge 1 commit into main from feature/authenza-7

Conversation

@shashankjaintdl

Owner

Add tenant-level WebAuthn setting and wiring, tighten MFA behavior, and update login UI and config.

  • Docs: expanded README and ROADMAP with WebAuthn/MFA features and roadmap items.
  • DB: Liquibase changesets add tenant_settings keys: webauthn_fingerprint_enabled and mfa_biometrics_customize_rp (defaults=false).
  • IAM: permit public user flows and MFA setup/confirm endpoints in IamSecurityConfig to support pre-login operations.
  • WebAuthn service/controller: inject tenant settings, enforce tenant-level WebAuthn via checkWebAuthnEnabled() (throws AccessDenied), and adjust error response code in rename passkey endpoint.
  • Auth core: JdbcTenantUserDetailsService: refine MFA requirement logic to rely on mfa_enabled only, add debug logs and clearOrphanMfaSecret() to remove abandoned secrets; SecurityConfig now permits tenant root URL and clears orphan secrets after non-MFA login.
  • LoginController/template: expose tenant WebAuthn flag to the login page; login.html updated (styling/formatting, JS) to show passkey button only when browser supports WebAuthn and tenant setting enabled; JS and markup cleaned up.
  • Config: increase HTTP session timeout to 4h and enable debug logging for tenant user details service.

These changes enable opt-in per-tenant passkeys, avoid orphaned MFA secrets blocking logins, and wire the UI to respect tenant settings.

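The description above says the login page shows the passkey button only when the browser supports WebAuthn and the tenant's `webauthn_fingerprint_enabled` setting is on, while the real control stays server-side in `checkWebAuthnEnabled()`. The following is an added example of that client-side gating, written for this page and not taken from the PR or the project: it assumes the tenant flag is rendered into the login form as a `data-webauthn-enabled` attribute and that the button has id `passkey-login` (both names are assumptions; the PR's actual template markup is not shown here). It fails closed on a missing flag, an insecure context, or a failed capability probe, and it distinguishes a platform (fingerprint) authenticator from a roaming key only to choose the button label.

```javascript
// Added example, not code from this PR. Client-side gating of the passkey
// button: tenant flag AND browser capability. Hiding the button is UX only;
// the server must still reject WebAuthn for tenants that have it disabled.

function readTenantWebAuthnFlag(doc) {
  // Assumed attribute name; a missing or malformed value counts as disabled.
  const el = doc.querySelector('[data-webauthn-enabled]');
  return Boolean(el) && el.getAttribute('data-webauthn-enabled') === 'true';
}

function browserSupportsWebAuthn(win) {
  // Browsers expose WebAuthn as window.PublicKeyCredential and refuse it
  // outside a secure context (https or localhost), so both must hold.
  return Boolean(win && win.isSecureContext && typeof win.PublicKeyCredential === 'function');
}

function shouldShowPasskeyButton(win, doc) {
  return readTenantWebAuthnFlag(doc) && browserSupportsWebAuthn(win);
}

async function platformAuthenticatorAvailable(win) {
  // True when a built-in user-verifying authenticator (fingerprint, Face ID,
  // Windows Hello) exists; false for roaming keys only or on any probe error.
  if (!browserSupportsWebAuthn(win)) return false;
  const pkc = win.PublicKeyCredential;
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== 'function') return false;
  try {
    return await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
  } catch (_err) {
    return false; // a failed probe never becomes "available"
  }
}

async function renderPasskeyButton(win, doc) {
  const button = doc.querySelector('#passkey-login'); // assumed element id
  if (!button) return 'no-button';
  if (!shouldShowPasskeyButton(win, doc)) {
    button.hidden = true;
    return 'hidden';
  }
  button.hidden = false;
  const platform = await platformAuthenticatorAvailable(win);
  button.textContent = platform ? 'Sign in with fingerprint' : 'Sign in with a security key';
  return platform ? 'shown-platform' : 'shown-roaming';
}

// Constructed stand-ins for window/document so the logic runs outside a browser.
function fakeEnv({ tenantEnabled, secure, webauthn, platform }) {
  const win = { isSecureContext: secure };
  if (webauthn) {
    win.PublicKeyCredential = function PublicKeyCredential() {};
    win.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable = async () => Boolean(platform);
  }
  const button = { hidden: true, textContent: '' };
  const form = { getAttribute: () => (tenantEnabled ? 'true' : 'false') };
  const doc = {
    querySelector: (sel) => {
      if (sel === '#passkey-login') return button;
      if (sel === '[data-webauthn-enabled]') return form;
      return null;
    },
  };
  return { win, doc, button };
}

// Stand-alone run; in a real page call renderPasskeyButton(window, document)
// after DOMContentLoaded instead.
if (typeof window === 'undefined') {
  const env = fakeEnv({ tenantEnabled: true, secure: true, webauthn: true, platform: true });
  renderPasskeyButton(env.win, env.doc).then((state) => console.log(state, env.button));
}
```

The tenant flag is read from markup the server rendered, so a user cannot enable passkeys for a tenant that has them off by editing the page: the worst they can do is show themselves a button whose request the server's `checkWebAuthnEnabled()` will reject.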