Hi, Our implementation uses the CAS login form to log users in and checks username/password from a separate service. We're adding an optional MFA for users and we want to save the chosen MFA provider per user into the same service that handles usernames and passwords.
There's a way to trigger MFA from a REST endpoint (implemented by RestEndpointMultifactorAuthenticationTrigger) which seems to suite us well. However, the current implementation of the REST MFA trigger seems to let users bypass MFA by simply not including the service parameter when logging in. To me this seems like a glaring bug in the implementation. My question is, can we force the service parameter (server side) or set a default service somehow in the logging flow to mitigate this immediately? Tomi -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3f00605a-5934-4287-8a0e-2abfab643b3an%40apereo.org.
