We are using open-source HashiCorp Vault in k8s.
LDAP + TOTP.
To allow users to get their QR codes from the CLI it is enough to add the following policy:
path "identity/mfa/method/totp/generate" {
  capabilities = ["read", "update"]
}
But that will not allow users to get their QR code on the UI through 'MFA setup' in the menu, as the UI uses /admin-generate to get the code.
So in that case we need to give:
path "identity/mfa/method/totp/admin-generate" {
  capabilities = ["read", "update"]
}
But in that case, if a user somehow learns the entity_id of some other user, he will be able to generate a QR code for him if it has not been generated yet.
It feels like a security risk.
Is there any way to let users use the UI for QR code generation in a better way?
Also, we do not want an admin to generate those codes manually and send them to users.
Any ideas would be appreciated.