@tobias
Most of the APIs to configure MFA in Keystone are admin-only, and while I think making them more user-friendly may be a good idea, it can be a little hard with Keystone.
Essentially, to set up TOTP you shouldn't be able to do so until you can prove you can generate a passcode. Doing that logic in Keystone isn't easy, but we already have a workflow that mostly does that in an Adjutant plugin, which will be rewritten for the current MFA auth-rules-based method and moved into master. We can in the process also expand that as a generic set of APIs and Horizon panels for setting up and managing MFA.
Not sure we can really do a check of your source IP before we allow setting it... especially since Horizon pollutes the source IP, but an API call you make could work.