GLPI 11 beta 5 - Oauth SSO + GLPI 2FA does not work
Version
GLPI 11 beta 5
Bug description
Hello,
Oauth SSO authentication with GLPI's 2FA feature enabled does not work.
UI reports that the user is not authorized to log in.
Relevant log output
[2025-06-05 10:45:45] glpi.INFO: *** Deprecated: Calling static trait method GlpiPlugin\Oauthsso\Provider\ProviderTrait::populateOwnerDetailsFromUserValues is deprecated, it should only be called on a class using the trait at Google.php line 153
Backtrace :
./marketplace/oauthsso/src/Provider/Google.php:153
./marketplace/oauthsso/src/Authorization.php:80 GlpiPlugin\Oauthsso\Provider\Google->getOwnerDetails()
...ce/oauthsso/front/authorization.callback.php:81 GlpiPlugin\Oauthsso\Authorization::createFromCode()
...Glpi/Controller/LegacyFileLoadController.php:59 require()
./vendor/symfony/http-kernel/HttpKernel.php:181 Glpi\Controller\LegacyFileLoadController->__invoke()
./vendor/symfony/http-kernel/HttpKernel.php:76 Symfony\Component\HttpKernel\HttpKernel->handleRaw()
./vendor/symfony/http-kernel/Kernel.php:197 Symfony\Component\HttpKernel\HttpKernel->handle()
./public/index.php:56 Symfony\Component\HttpKernel\Kernel->handle()
[2025-06-05 10:45:45] glpi.WARNING: *** Warning: Undefined array key "jobtitle" at ProviderTrait.php line 98
Backtrace :
...lace/oauthsso/src/Provider/ProviderTrait.php:98
./marketplace/oauthsso/src/Provider/Google.php:153 GlpiPlugin\Oauthsso\Provider\ProviderTrait::populateOwnerDetailsFromUserValues()
./marketplace/oauthsso/src/Authorization.php:80 GlpiPlugin\Oauthsso\Provider\Google->getOwnerDetails()
...ce/oauthsso/front/authorization.callback.php:81 GlpiPlugin\Oauthsso\Authorization::createFromCode()
...Glpi/Controller/LegacyFileLoadController.php:59 require()
./vendor/symfony/http-kernel/HttpKernel.php:181 Glpi\Controller\LegacyFileLoadController->__invoke()
./vendor/symfony/http-kernel/HttpKernel.php:76 Symfony\Component\HttpKernel\HttpKernel->handleRaw()
./vendor/symfony/http-kernel/Kernel.php:197 Symfony\Component\HttpKernel\HttpKernel->handle()
./public/index.php:56 Symfony\Component\HttpKernel\Kernel->handle()
[2025-06-05 10:45:45] glpi.WARNING: *** Warning: Undefined array key "other_email" at ProviderTrait.php line 102
Backtrace :
...ace/oauthsso/src/Provider/ProviderTrait.php:102
./marketplace/oauthsso/src/Provider/Google.php:153 GlpiPlugin\Oauthsso\Provider\ProviderTrait::populateOwnerDetailsFromUserValues()
./marketplace/oauthsso/src/Authorization.php:80 GlpiPlugin\Oauthsso\Provider\Google->getOwnerDetails()
...ce/oauthsso/front/authorization.callback.php:81 GlpiPlugin\Oauthsso\Authorization::createFromCode()
...Glpi/Controller/LegacyFileLoadController.php:59 require()
./vendor/symfony/http-kernel/HttpKernel.php:181 Glpi\Controller\LegacyFileLoadController->__invoke()
./vendor/symfony/http-kernel/HttpKernel.php:76 Symfony\Component\HttpKernel\HttpKernel->handleRaw()
./vendor/symfony/http-kernel/Kernel.php:197 Symfony\Component\HttpKernel\HttpKernel->handle()
./public/index.php:56 Symfony\Component\HttpKernel\Kernel->handle()
Looks like a plugin issue; to be checked.
GLPI Beta 6 + oauthsso 1.11.0-beta4 : still KO
Is the log still the same? This does not mean the issue comes from GLPI core anyway :/
After a closer look, it appears that the OauthSSO plugin cannot determine whether MFA is enabled for the user attempting to log in. To retrieve this information, the plugin would need access to the user's ID — something that is not available within its execution scope.
Currently, the plugin "simulates" a login in GLPI using only the external-0 authentication type. As a result, it cannot interact with or verify MFA settings at this stage.
To address this, the plugin will be adjusted to bypass MFA when authentication is handled via an external OAuth provider. This is justified, as MFA enforcement should be the responsibility of the identity provider itself.
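
Skipping local 2FA for external OAuth logins is only as strong as the second factor the identity provider actually applied. The following is an added example, not GLPI or oauthsso plugin code: a fail-closed check that a relying party could run on already validated OIDC ID token claims before skipping its own second factor. The function name, the ACR value, the age limit and the sample claims are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration; every name here is hypothetical, none is a GLPI or plugin API.
// Assumes $claims comes from an ID token whose signature, issuer, audience and
// expiry were already validated by the OAuth/OIDC client library.

/**
 * Decide whether the identity provider's own MFA can stand in for local 2FA.
 *
 * @param array<string,mixed> $claims      decoded ID token claims
 * @param list<string>        $acceptedAcr acr values this deployment treats as MFA
 * @param int                 $maxAuthAge  maximum age of the IdP login, in seconds
 * @param int                 $now         current Unix time
 */
function idpAssertsMfa(array $claims, array $acceptedAcr, int $maxAuthAge, int $now): bool
{
    // RFC 8176: "mfa" in amr means more than one authentication factor was used.
    $amr = $claims['amr'] ?? [];
    $amrOk = is_array($amr) && in_array('mfa', $amr, true);

    // acr values are deployment-specific, so they are matched against an allow-list.
    $acr = $claims['acr'] ?? null;
    $acrOk = is_string($acr) && in_array($acr, $acceptedAcr, true);

    if (!$amrOk && !$acrOk) {
        return false; // the provider gave no evidence of a second factor
    }

    // Without auth_time the age of the MFA event is unknown; fail closed.
    $authTime = $claims['auth_time'] ?? null;
    if (!is_int($authTime)) {
        return false;
    }
    return $authTime <= $now && ($now - $authTime) <= $maxAuthAge;
}

// Constructed sample claims (not taken from the issue).
$now = 1749120345;
$samples = [
    'mfa at IdP'        => ['sub' => 'u1', 'amr' => ['pwd', 'mfa'], 'auth_time' => $now - 60],
    'password only'     => ['sub' => 'u2', 'amr' => ['pwd'], 'auth_time' => $now - 60],
    'no amr/acr claims' => ['sub' => 'u3'],
    'stale mfa'         => ['sub' => 'u4', 'amr' => ['mfa'], 'auth_time' => $now - 86400],
];
foreach ($samples as $label => $claims) {
    $skip = idpAssertsMfa($claims, ['urn:example:acr:mfa'], 3600, $now);
    printf("%-18s => %s\n", $label, $skip ? 'skip local 2FA' : 'require local 2FA');
}
```

Whether a given provider emits `amr`, `acr` or `auth_time` depends on the provider and on how the authorization request was made; when they are absent, this check keeps the local second factor in place.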