[Feature] OTP on already authenticated user - avoid login form #641
Description
This Python module forces the user to be authenticated by submitting their username/password in the Login Form.
There are some cases where the Django project uses an external authentication system (SAML2, OpenID, OAuth2 ...) and the Form Wizard should start from the TOKEN step instead of the AUTH step.
Expected Behavior
An already authenticated or pre-authenticated user should only be redirected to the setup/otp-form step instead of being forced to resubmit their username and password.
Current Behavior
Even if the user is already authenticated, they are forced to resubmit their username and password.
Possible Solution
Further discussion is required before reaching an agreement about which solution would be better and have the least impact on the current implementation.
Steps to Reproduce (for bugs)
- authenticate the user using another LoginView and another authentication system
- set a pre-auth status (or authenticate the user) on the custom LoginView
- redirect to the two-factor login
- the login form forces the user to be authenticated again
Is there any proposal or already available solution for integrating two-factor into an existing authentication system and bypassing the username and password submission?
Is there any way to get a user authenticated without submitting the username and password, but just the two-factor token? (That would be a strategy to avoid the login form.)
How can I skip the form wizard's login step by setting the internal storage/parameter so that the user-agent is redirected to the Token form, avoiding the LoginForm?