Two-factor providers

Two-factor auth providers must implement the OCP\Authentication\TwoFactorAuth\IProvider interface. The example below shows a minimalistic example of such a provider.

Register the provider state

To always know if a provider is enabled for a user, the server persists the enabled/disabled state of each provider-user tuple. Hence a provider app has to propagate these state changes. This is handled by the provider registry.

Note

This provider registry was added in Nextcloud 14. For backwards compatibility, the server still occasionally uses the method if the provider state has not been set yet. This method will be removed in future releases.

Providing an icon (optional)

To enhance how a provider is shown in the list of selectable providers on the login page, an icon can be specified. For that the provider class must implement the IProvidesIcons interface. The light icon will be used on the login page, whereas the dark one will be placed next to the heading of the optional personal settings (see below).

Like other Nextcloud apps, two-factor providers often require user configuration to work. In Nextcloud 15 a new, consolidated two-factor settings section was added. To add personal provider settings there, a provider must implement the interface.

Make a provider activatable by the admin (optional)

In order to make it possible for an admin to disable the provider for a given user via the occ command line tool, it’s necessary to implement the interface. As described in the linked interface documentation, this should only be implemented for providers that need no user interaction when deactivated.