deux.oauth2.validators

class deux.oauth2.validators.MFAOAuth2Validator

OAuth2 validator class for MFA. It validates requests to authenticate with username and password and, if multifactor authentication is enabled, also verifies that they supply the correct MFA code or backup code.

validate_user(username, password, client, request, *args, **kwargs)

Overrides the OAuth2Validator validate method to implement multifactor authentication.

If MFA is disabled, authentication requires just a username and password.

If MFA is enabled, authentication requires a username, password, and either an MFA code or a backup code. If the request only provides the username and password, the server will generate an appropriate challenge and respond with mfa_required = True.

Upon using a backup code to authenticate, MFA will be disabled.
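The decision flow described above, modeled as a stand-alone added example (not the deux source and not its API). The User record, the make_user helper, the six-digit single-use challenge code, and the (authenticated, extra) return tuple are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class User:  # hypothetical stand-in for the account record
    password_hash: bytes
    salt: bytes
    mfa_enabled: bool = False
    backup_code: str = ""
    pending_code: str = ""  # assumed: last challenge code issued to the user

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _eq(supplied, expected):
    # Constant-time comparison; an empty expected value never matches.
    return bool(expected) and hmac.compare_digest(supplied.encode(), expected.encode())

def validate_user(user, password, mfa_code=None, backup_code=None):
    """Return (authenticated, extra) following the flow described above."""
    if not hmac.compare_digest(_hash(password, user.salt), user.password_hash):
        return False, {}
    if not user.mfa_enabled:
        return True, {}  # MFA disabled: username and password suffice
    if mfa_code is None and backup_code is None:
        # Only credentials supplied: issue a challenge (delivered out of band).
        user.pending_code = f"{secrets.randbelow(10**6):06d}"
        return False, {"mfa_required": True}
    if mfa_code is not None and _eq(mfa_code, user.pending_code):
        user.pending_code = ""  # assumed single use, so a replay fails
        return True, {}
    if backup_code is not None and _eq(backup_code, user.backup_code):
        # Using a backup code disables MFA for the account.
        user.mfa_enabled = False
        user.backup_code = ""
        user.pending_code = ""
        return True, {}
    return False, {}

def make_user(password, **kwargs):  # hypothetical helper for the example
    salt = secrets.token_bytes(16)
    return User(_hash(password, salt), salt, **kwargs)
```

Because a successful backup-code login turns MFA off, later logins for that account need only the username and password until MFA is enabled again.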

Parameters:

attrs – Dictionary of data inputted by the user.

Raises: