Merge pull request #6837 from NipuniBhagya/master

Restrict adding second-factor authenticators in the initial login step

Author: NipuniBhagya

.changeset/early-toys-share.md

@@ -0,0 +1,6 @@
+---
+"@wso2is/myaccount": patch
+"@wso2is/theme": patch
+---
+
+Add Duo logo in the theme

.changeset/friendly-carrots-own.md

@@ -0,0 +1,9 @@
+---
+"@wso2is/console": patch
+"@wso2is/features": patch
+"@wso2is/admin.applications.v1": patch
+"@wso2is/admin.authentication-flow-builder.v1": patch
+"@wso2is/admin.connections.v1": patch
+---
+
+Restrict second-factor authenticators in the initial step of the login flow

features/admin.applications.v1/constants/application-management.ts

@@ -347,7 +347,9 @@ export class ApplicationManagementConstants {
         LocalAuthenticatorConstants.AUTHENTICATOR_NAMES.TOTP_AUTHENTICATOR_NAME,
         LocalAuthenticatorConstants.AUTHENTICATOR_IDS.TOTP_AUTHENTICATOR_ID,
         FederatedAuthenticatorConstants.AUTHENTICATOR_NAMES.IPROOV_AUTHENTICATOR_NAME,
-        FederatedAuthenticatorConstants.AUTHENTICATOR_IDS.IPROOV_AUTHENTICATOR_ID
+        FederatedAuthenticatorConstants.AUTHENTICATOR_IDS.IPROOV_AUTHENTICATOR_ID,
+        FederatedAuthenticatorConstants.AUTHENTICATOR_NAMES.DUO_AUTHENTICATOR_NAME,
+        FederatedAuthenticatorConstants.AUTHENTICATOR_IDS.DUO_AUTHENTICATOR_ID
     ];
 
     // Known social authenticators.

features/admin.authentication-flow-builder.v1/providers/authentication-flow-provider.tsx

@@ -211,6 +211,15 @@ const AuthenticationFlowProvider = (props: PropsWithChildren<AuthenticationFlowP
                 : ConnectionsManagementUtils
                     .resolveConnectionResourcePath(connectionResourcesUrl, authenticator.image);
 
+            // Restrict the second factor authenticators being added in the first step.
+            if (ApplicationManagementConstants.SECOND_FACTOR_AUTHENTICATORS?.includes(
+                authenticator?.defaultAuthenticator?.authenticatorId)
+            ) {
+                secondFactorAuthenticators?.push(authenticator);
+
+                return;
+            }
+
             if (
                 ApplicationManagementConstants.SOCIAL_AUTHENTICATORS.includes(
                     authenticator.defaultAuthenticator.authenticatorId

features/admin.connections.v1/constants/federated-authenticator-constants.ts

@@ -28,6 +28,7 @@ export class FederatedAuthenticatorConstants {
 
     public static readonly AUTHENTICATOR_IDS: {
         APPLE_AUTHENTICATOR_ID: string;
+        DUO_AUTHENTICATOR_ID: string;
         EMAIL_OTP_AUTHENTICATOR_ID: string;
         FACEBOOK_AUTHENTICATOR_ID: string;
         GITHUB_AUTHENTICATOR_ID: string;
@@ -46,28 +47,30 @@ export class FederatedAuthenticatorConstants {
         TWITTER_AUTHENTICATOR_ID: string;
         YAHOO_AUTHENTICATOR_ID: string;
     } = {
-            APPLE_AUTHENTICATOR_ID: "QXBwbGVPSURDQXV0aGVudGljYXRvcg",
-            EMAIL_OTP_AUTHENTICATOR_ID: "RW1haWxPVFA",
-            FACEBOOK_AUTHENTICATOR_ID: "RmFjZWJvb2tBdXRoZW50aWNhdG9y",
-            GITHUB_AUTHENTICATOR_ID: "R2l0aHViQXV0aGVudGljYXRvcg",
-            GOOGLE_OIDC_AUTHENTICATOR_ID: "R29vZ2xlT0lEQ0F1dGhlbnRpY2F0b3I",
-            HYPR_AUTHENTICATOR_ID: "SFlQUkF1dGhlbnRpY2F0b3I",
-            IPROOV_AUTHENTICATOR_ID: "SXByb292QXV0aGVudGljYXRvcg",
-            IWA_KERBEROS_AUTHENTICATOR_ID: "SVdBS2VyYmVyb3NBdXRoZW50aWNhdG9y",
-            MICROSOFT_AUTHENTICATOR_ID: "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
-            MS_LIVE_AUTHENTICATOR_ID: "TWljcm9zb2Z0V2luZG93c0xpdmVBdXRoZW50aWNhdG9y",
-            OFFICE_365_AUTHENTICATOR_ID: "T2ZmaWNlMzY1QXV0aGVudGljYXRvcg",
-            OIDC_AUTHENTICATOR_ID: "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
-            ORGANIZATION_ENTERPRISE_AUTHENTICATOR_ID: "T3JnYW5pemF0aW9uQXV0aGVudGljYXRvcg",
-            SAML_AUTHENTICATOR_ID: "U0FNTFNTT0F1dGhlbnRpY2F0b3I",
-            SIWE_AUTHENTICATOR_ID: "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
-            SMS_OTP_AUTHENTICATOR_ID: "U01TT1RQ",
-            TWITTER_AUTHENTICATOR_ID: "VHdpdHRlckF1dGhlbnRpY2F0b3I",
-            YAHOO_AUTHENTICATOR_ID: "WWFob29PQXV0aDJBdXRoZW50aWNhdG9y"
-        };
+        APPLE_AUTHENTICATOR_ID: "QXBwbGVPSURDQXV0aGVudGljYXRvcg",
+        DUO_AUTHENTICATOR_ID: "RHVvQXV0aGVudGljYXRvcg",
+        EMAIL_OTP_AUTHENTICATOR_ID: "RW1haWxPVFA",
+        FACEBOOK_AUTHENTICATOR_ID: "RmFjZWJvb2tBdXRoZW50aWNhdG9y",
+        GITHUB_AUTHENTICATOR_ID: "R2l0aHViQXV0aGVudGljYXRvcg",
+        GOOGLE_OIDC_AUTHENTICATOR_ID: "R29vZ2xlT0lEQ0F1dGhlbnRpY2F0b3I",
+        HYPR_AUTHENTICATOR_ID: "SFlQUkF1dGhlbnRpY2F0b3I",
+        IPROOV_AUTHENTICATOR_ID: "SXByb292QXV0aGVudGljYXRvcg",
+        IWA_KERBEROS_AUTHENTICATOR_ID: "SVdBS2VyYmVyb3NBdXRoZW50aWNhdG9y",
+        MICROSOFT_AUTHENTICATOR_ID: "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
+        MS_LIVE_AUTHENTICATOR_ID: "TWljcm9zb2Z0V2luZG93c0xpdmVBdXRoZW50aWNhdG9y",
+        OFFICE_365_AUTHENTICATOR_ID: "T2ZmaWNlMzY1QXV0aGVudGljYXRvcg",
+        OIDC_AUTHENTICATOR_ID: "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
+        ORGANIZATION_ENTERPRISE_AUTHENTICATOR_ID: "T3JnYW5pemF0aW9uQXV0aGVudGljYXRvcg",
+        SAML_AUTHENTICATOR_ID: "U0FNTFNTT0F1dGhlbnRpY2F0b3I",
+        SIWE_AUTHENTICATOR_ID: "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
+        SMS_OTP_AUTHENTICATOR_ID: "U01TT1RQ",
+        TWITTER_AUTHENTICATOR_ID: "VHdpdHRlckF1dGhlbnRpY2F0b3I",
+        YAHOO_AUTHENTICATOR_ID: "WWFob29PQXV0aDJBdXRoZW50aWNhdG9y"
+    };
 
     public static readonly AUTHENTICATOR_NAMES: {
         APPLE_AUTHENTICATOR_NAME: string;
+        DUO_AUTHENTICATOR_NAME: string;
         EMAIL_OTP_AUTHENTICATOR_NAME: string;
         FACEBOOK_AUTHENTICATOR_NAME: string;
         GITHUB_AUTHENTICATOR_NAME: string;
@@ -84,23 +87,24 @@ export class FederatedAuthenticatorConstants {
         ORGANIZATION_ENTERPRISE_AUTHENTICATOR_NAME: string;
         YAHOO_AUTHENTICATOR_NAME: string;
     } = {
-            APPLE_AUTHENTICATOR_NAME: "AppleOIDCAuthenticator",
-            EMAIL_OTP_AUTHENTICATOR_NAME: "EmailOTP",
-            FACEBOOK_AUTHENTICATOR_NAME: "FacebookAuthenticator",
-            GITHUB_AUTHENTICATOR_NAME: "GithubAuthenticator",
-            GOOGLE_OIDC_AUTHENTICATOR_NAME: "GoogleOIDCAuthenticator",
-            IPROOV_AUTHENTICATOR_NAME: "IproovAuthenticator",
-            IWA_KERBEROS_AUTHENTICATOR_NAME: "IWAKerberosAuthenticator",
-            MICROSOFT_AUTHENTICATOR_NAME: "MicrosoftAuthenticator",
-            MS_LIVE_AUTHENTICATOR_NAME: "MicrosoftWindowsLiveAuthenticator",
-            OFFICE_365_AUTHENTICATOR_NAME: "Office365Authenticator",
-            OIDC_AUTHENTICATOR_NAME: "OpenIDConnectAuthenticator",
-            ORGANIZATION_ENTERPRISE_AUTHENTICATOR_NAME: "OrganizationAuthenticator",
-            SAML_AUTHENTICATOR_NAME: "SAMLSSOAuthenticator",
-            SMS_OTP_AUTHENTICATOR_NAME: "SMSOTP",
-            TWITTER_AUTHENTICATOR_NAME: "TwitterAuthenticator",
-            YAHOO_AUTHENTICATOR_NAME: "YahooOAuth2Authenticator"
-        };
+        APPLE_AUTHENTICATOR_NAME: "AppleOIDCAuthenticator",
+        DUO_AUTHENTICATOR_NAME: "DuoAuthenticator",
+        EMAIL_OTP_AUTHENTICATOR_NAME: "EmailOTP",
+        FACEBOOK_AUTHENTICATOR_NAME: "FacebookAuthenticator",
+        GITHUB_AUTHENTICATOR_NAME: "GithubAuthenticator",
+        GOOGLE_OIDC_AUTHENTICATOR_NAME: "GoogleOIDCAuthenticator",
+        IPROOV_AUTHENTICATOR_NAME: "IproovAuthenticator",
+        IWA_KERBEROS_AUTHENTICATOR_NAME: "IWAKerberosAuthenticator",
+        MICROSOFT_AUTHENTICATOR_NAME: "MicrosoftAuthenticator",
+        MS_LIVE_AUTHENTICATOR_NAME: "MicrosoftWindowsLiveAuthenticator",
+        OFFICE_365_AUTHENTICATOR_NAME: "Office365Authenticator",
+        OIDC_AUTHENTICATOR_NAME: "OpenIDConnectAuthenticator",
+        ORGANIZATION_ENTERPRISE_AUTHENTICATOR_NAME: "OrganizationAuthenticator",
+        SAML_AUTHENTICATOR_NAME: "SAMLSSOAuthenticator",
+        SMS_OTP_AUTHENTICATOR_NAME: "SMSOTP",
+        TWITTER_AUTHENTICATOR_NAME: "TwitterAuthenticator",
+        YAHOO_AUTHENTICATOR_NAME: "YahooOAuth2Authenticator"
+    };
 
     public static readonly AUTHENTICATOR_DISPLAY_NAMES: {
         APPLE_AUTHENTICATOR_DISPLAY_NAME: string;
@@ -109,12 +113,12 @@ export class FederatedAuthenticatorConstants {
         GOOGLE_OIDC_AUTHENTICATOR_DISPLAY_NAME: string;
         MICROSOFT_AUTHENTICATOR_DISPLAY_NAME: string;
     } = {
-            APPLE_AUTHENTICATOR_DISPLAY_NAME: "Apple",
-            FACEBOOK_AUTHENTICATOR_DISPLAY_NAME: "Facebook",
-            GITHUB_AUTHENTICATOR_DISPLAY_NAME: "GitHub",
-            GOOGLE_OIDC_AUTHENTICATOR_DISPLAY_NAME: "Google",
-            MICROSOFT_AUTHENTICATOR_DISPLAY_NAME: "Microsoft"
-        };
+        APPLE_AUTHENTICATOR_DISPLAY_NAME: "Apple",
+        FACEBOOK_AUTHENTICATOR_DISPLAY_NAME: "Facebook",
+        GITHUB_AUTHENTICATOR_DISPLAY_NAME: "GitHub",
+        GOOGLE_OIDC_AUTHENTICATOR_DISPLAY_NAME: "Google",
+        MICROSOFT_AUTHENTICATOR_DISPLAY_NAME: "Microsoft"
+    };
 
     /**
      * Google One Tap enabling request parameter.

features/admin.connections.v1/resources/guides/duo/assets/build-login-flow.png

@@ -693,7 +693,7 @@
                                         </div>
                                     </div>
                                     <br>
-                                <%} else if (isGoogleIdp) { %>
+                                <% } else if (isGoogleIdp) { %>
                                     <div class="social-login blurring social-dimmer">
                                         <div
                                             class="ui basic segment google-one-tap-loader"