auth/okta MFA other than Push in OSS


pi...@workato.com

Jun 22, 2018, 2:16:25 PM6/22/18
to Vault
Hi,

I saw the official disclaimer that Vault OSS MFA is supported by the community and that for now there is only Duo support. For Okta, only the Okta App Push type of MFA is supported. How hard is it to support another type? E.g., I am interested in Google Authenticator.
If I do a PR by myself, how long does it usually take to pass code review and be released?

It is on the critical path for us and we need this functionality quite urgently.

Thank you,
Alexey

Becca Petrin

Jun 25, 2018, 11:50:37 AM6/25/18
to Vault
Hi Alexey,

That's great that you're interested in doing Google Authenticator! It sounds like you need it quickly.

I'd recommend forking the repo to build what you need, and then when it's ready, PR'ing back into the main one. You can use your version of the forked code before it finishes the PR process, and then update to the main repo when it passes.

How long a PR takes for review varies. It depends on a lot of factors like how much code it is, test coverage, and the availability of reviewers. However, when a lot of PRs are opened, Jeff goes through and will add a "milestone" to it that says what release we're shooting for including it in. That gives some idea of how long it will take.

-Becca

Becca Petrin

Jun 25, 2018, 12:05:24 PM6/25/18
to Vault
Alexey,

I also should note that I'm not certain what our stance is on MFA back ends. There may have been some conversations around it before I joined the Vault team in February.

-B

Alexey Pikin

Jun 25, 2018, 1:40:03 PM6/25/18
to vault...@googlegroups.com
Hi Becca,

Thank you for the response. I've already implemented it via AWS Auth + MFA somehow, so MFA is validated at the role-assuming process.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/8f396c92-dcf6-40f2-89b5-8f93ea5dd9f9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--
---
ap
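The pattern Alexey describes above (MFA checked when the AWS role is assumed, Vault's AWS auth method then trusting that role) is easy to misread as Vault doing MFA. The following is an added example, not code from the thread or from the Vault project, showing where the MFA check actually lives: in an IAM trust policy conditioned on aws:MultiFactorAuthPresent, which STS enforces at AssumeRole, with Vault only binding its role to the resulting IAM role ARN. All names are hypothetical: account 123456789012, IAM user alice, IAM role VaultMfaOperator, Vault role mfa-operators, Vault policy app-secrets; the STS response is a constructed sample shaped like `aws sts assume-role` output.

```shell
#!/bin/sh
# Added example (not from the thread): MFA enforced at AWS role assumption,
# with Vault's aws auth method (iam type) trusting the resulting role session.
# Hypothetical names: account 123456789012, user alice, role VaultMfaOperator,
# Vault role mfa-operators, Vault policy app-secrets.

# 1. Trust policy for the IAM role. The Bool condition means STS refuses the
#    AssumeRole call unless the caller supplied a valid MFA code (a missing
#    key also fails the condition), so holding the role session is the proof.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
EOF
}

# 2. Vault side (needs a running Vault with the aws auth method enabled; not
#    run here). Only callers whose signed GetCallerIdentity request resolves
#    to the MFA-gated role can obtain a token for this Vault role.
configure_vault_role() {
  vault write auth/aws/role/mfa-operators \
    auth_type=iam \
    bound_iam_principal_arn=arn:aws:iam::123456789012:role/VaultMfaOperator \
    policies=app-secrets \
    ttl=1h
}

# 3. Turn an `aws sts assume-role` JSON response (stdin) into `export` lines.
#    Tolerant only of the one-key-per-line layout the AWS CLI prints.
creds_to_exports() {
  sed -n \
    -e 's/.*"AccessKeyId": *"\([^"]*\)".*/export AWS_ACCESS_KEY_ID=\1/p' \
    -e 's/.*"SecretAccessKey": *"\([^"]*\)".*/export AWS_SECRET_ACCESS_KEY=\1/p' \
    -e 's/.*"SessionToken": *"\([^"]*\)".*/export AWS_SESSION_TOKEN=\1/p'
}

# 4. Client flow (needs AWS CLI, Vault CLI and network; not run here).
#    The TOTP code is consumed by STS, never by Vault.
login_with_mfa() {
  code="$1"   # 6-digit code from the virtual MFA device
  eval "$(aws sts assume-role \
      --role-arn arn:aws:iam::123456789012:role/VaultMfaOperator \
      --role-session-name "$(whoami)" \
      --serial-number arn:aws:iam::123456789012:mfa/alice \
      --token-code "$code" | creds_to_exports)"
  vault login -method=aws role=mfa-operators
}

# Constructed sample STS response used to exercise creds_to_exports offline.
SAMPLE_RESPONSE='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY",
        "SecretAccessKey": "examplesecret",
        "SessionToken": "exampletoken",
        "Expiration": "2018-06-25T18:00:00Z"
    }
}'
```

Two caveats a practitioner should keep in mind: Vault resolves bound_iam_principal_arn to the role's unique ID, so the Vault server's own AWS credentials need iam:GetRole on that role; and the MFA guarantee covers only the AssumeRole call, so anything that can use the session's temporary credentials for their remaining lifetime can log in to Vault without a second prompt.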

Becca Petrin

Jun 25, 2018, 5:13:52 PM6/25/18
to Vault
Hi Alexey,

That's awesome!

I followed up about MFA in the Vault open-source repo, and learned that we don't currently seek PRs for it. The main reason is that it would be complex to implement fully across Vault. Jeff analyzed the code a while ago and found that:
  • It requires specific integration (at a code level) into every auth backend
  • It only works for auth backends; moreover, it only works for login paths for auth backends
  • It cannot be configured centrally or via ACLs, so it must be configured for each mount of each supporting auth backend
For this reason, we've avoided MFA in the open-source version of Vault, but did add it to the enterprise version. There's an in-depth discussion of it here if you'd like to know more: https://github.com/hashicorp/vault/issues/132

-B