perf: Allow admins to configure available MFA services for user auth

Dockerfile

@@ -1,4 +1,4 @@
-FROM jumpserver/core-base:20251128_025056 AS stage-build
+FROM jumpserver/core-base:20251113_092612 AS stage-build
 
 ARG VERSION
 

apps/authentication/api/__init__.py

@@ -16,4 +16,3 @@ from .sso import *
 from .temp_token import *
 from .token import *
 from .face import *
-from .access_token import *

apps/authentication/api/access_token.py

@@ -1,32 +0,0 @@
-from django.utils.translation import gettext as _
-from django.utils import timezone
-from rest_framework.response import Response
-from rest_framework.decorators import action
-from rest_framework.status import HTTP_200_OK
-from rbac.permissions import RBACPermission
-from common.api import JMSModelViewSet
-from ..serializers import AccessTokenSerializer
-
-from oauth2_provider.models import get_access_token_model
-
-AccessToken = get_access_token_model()
-
-class AccessTokenViewSet(JMSModelViewSet):
-    serializer_class = AccessTokenSerializer
-    permission_classes = [RBACPermission]
-    http_method_names = ['get', 'options', 'delete']
-    rbac_perms = {
-        'revoke': 'oauth2_provider.delete_accesstoken',
-    }
-
-    def get_queryset(self):
-        return AccessToken.objects.filter(user=self.request.user).order_by('-created')
-
-    @action(methods=['DELETE'], detail=True, url_path='revoke')
-    def revoke(self, *args, **kwargs):
-        token = AccessToken.objects.filter(id=kwargs['pk']).first()
-        if not token or token.user != self.request.user:
-            return Response({ "detail": _("Access token not found.") }, status=HTTP_200_OK)
-        token = token.refresh_token or token
-        token.revoke()
-        return Response( {"detail": _("Token revoked successfully.")}, status=HTTP_200_OK)

apps/authentication/forms.py

@@ -50,7 +50,7 @@ class UserLoginForm(forms.Form):
 
 class UserCheckOtpCodeForm(forms.Form):
     code = forms.CharField(label=_('MFA Code'), max_length=128, required=False)
-    mfa_type = forms.CharField(label=_('MFA type'), max_length=128)
+    mfa_type = forms.CharField(label=_('MFA type'), max_length=128, required=False)
 
 
 class CustomCaptchaTextInput(CaptchaTextInput):

apps/authentication/mfa/base.py

@@ -72,10 +72,9 @@ class BaseMFA(abc.ABC):
     def is_active(self):
         return False
 
-    @staticmethod
+    @classmethod
-    @abc.abstractmethod
+    def global_enabled(cls):
-    def global_enabled():
+        return cls.name in settings.SECURITY_MFA_ENABLED_BACKENDS
-        return False
 
     @abc.abstractmethod
     def get_enable_url(self) -> str:

apps/authentication/mfa/custom.py

@@ -39,9 +39,9 @@ class MFACustom(BaseMFA):
     def is_active(self):
         return True
 
-    @staticmethod
+    @classmethod
-    def global_enabled():
+    def global_enabled(cls):
-        return settings.MFA_CUSTOM and callable(mfa_custom_method)
+        return super().global_enabled() and settings.MFA_CUSTOM and callable(mfa_custom_method)
 
     def get_enable_url(self) -> str:
         return ''

apps/authentication/mfa/email.py

@@ -50,9 +50,9 @@ class MFAEmail(BaseMFA):
         )
         sender_util.gen_and_send_async()
 
-    @staticmethod
+    @classmethod
-    def global_enabled():
+    def global_enabled(cls):
-        return settings.SECURITY_MFA_BY_EMAIL
+        return super().global_enabled and settings.SECURITY_MFA_BY_EMAIL
 
     def disable(self):
         return '/ui/#/profile/index'

apps/authentication/mfa/face.py

@@ -29,9 +29,10 @@ class MFAFace(BaseMFA, AuthFaceMixin):
             return True
         return bool(self.user.face_vector)
 
-    @staticmethod
+    @classmethod
-    def global_enabled():
+    def global_enabled(cls):
         return (
+                super().global_enabled() and
                 settings.XPACK_LICENSE_IS_VALID and
                 settings.XPACK_LICENSE_EDITION_ULTIMATE and
                 settings.FACE_RECOGNITION_ENABLED

apps/authentication/mfa/otp.py

@@ -25,10 +25,6 @@ class MFAOtp(BaseMFA):
             return True
         return self.user.otp_secret_key
 
-    @staticmethod
-    def global_enabled():
-        return True
-
     def get_enable_url(self) -> str:
         return reverse('authentication:user-otp-enable-start')
 

apps/authentication/mfa/passkey.py

@@ -23,9 +23,9 @@ class MFAPasskey(BaseMFA):
             return False
         return self.user.passkey_set.count()
 
-    @staticmethod
+    @classmethod
-    def global_enabled():
+    def global_enabled(cls):
-        return settings.AUTH_PASSKEY
+        return super().global_enabled() and settings.AUTH_PASSKEY
 
     def get_enable_url(self) -> str:
         return '/ui/#/profile/passkeys'

apps/authentication/mfa/radius.py

@@ -27,9 +27,9 @@ class MFARadius(BaseMFA):
     def is_active(self):
         return True
 
-    @staticmethod
+    @classmethod
-    def global_enabled():
+    def global_enabled(cls):
-        return settings.OTP_IN_RADIUS
+        return super().global_enabled() and settings.OTP_IN_RADIUS
 
     def get_enable_url(self) -> str:
         return ''

apps/authentication/mfa/sms.py

@@ -46,9 +46,9 @@ class MFASms(BaseMFA):
     def send_challenge(self):
         self.sms.gen_and_send_async()
 
-    @staticmethod
+    @classmethod
-    def global_enabled():
+    def global_enabled(cls):
-        return settings.SMS_ENABLED
+        return super().global_enabled() and settings.SMS_ENABLED
 
     def get_enable_url(self) -> str:
         return '/ui/#/profile/index'

apps/authentication/serializers/token.py

@@ -9,12 +9,11 @@ from common.utils import get_object_or_none, random_string
 from users.models import User
 from users.serializers import UserProfileSerializer
 from ..models import AccessKey, TempToken
-from oauth2_provider.models import get_access_token_model
 
 __all__ = [
     'AccessKeySerializer', 'BearerTokenSerializer',
     'SSOTokenSerializer', 'TempTokenSerializer',
-    'AccessKeyCreateSerializer', 'AccessTokenSerializer',
+    'AccessKeyCreateSerializer'
 ]
 
 
@@ -115,28 +114,3 @@ class TempTokenSerializer(serializers.ModelSerializer):
         token = TempToken(**kwargs)
         token.save()
         return token
-
-
-class AccessTokenSerializer(serializers.ModelSerializer):
-    token_preview = serializers.SerializerMethodField(label=_("Token"))
-
-    class Meta:
-        model = get_access_token_model()
-        fields = [
-            'id', 'user', 'token_preview', 'is_valid',
-            'is_expired', 'expires', 'scope', 'created', 'updated',
-        ]
-        read_only_fields = fields
-        extra_kwargs = {
-            'scope': { 'label': _('Scope') },
-            'expires': { 'label': _('Date expired') },
-            'updated': { 'label': _('Date updated') },
-            'created': { 'label': _('Date created') },
-        }
-
-
-    def get_token_preview(self, obj):
-        token_string = obj.token
-        if len(token_string) > 16: 
-            return f"{token_string[:6]}...{token_string[-4:]}"
-        return "****"

apps/authentication/tasks.py

@@ -47,9 +47,3 @@ def clean_expire_token():
         count = TempToken.objects.filter(date_expired__lt=expired_time).delete()
         logging.info('Deleted %d temporary tokens.', count[0])
     logging.info('Cleaned expired temporary and connection tokens.')
-
-
-@register_as_period_task(crontab=CRONTAB_AT_AM_TWO)
-def clear_oauth2_provider_expired_tokens():
-    from oauth2_provider.models import clear_expired
-    clear_expired()

apps/authentication/templates/authentication/login.html

@@ -376,7 +376,7 @@
                     </div>
                     {% if form.challenge %}
                         {% bootstrap_field form.challenge show_label=False %}
-                    {% elif form.mfa_type %}
+                    {% elif form.mfa_type and mfa_backends %}
                         <div class="form-group" style="display: flex">
                             {% include '_mfa_login_field.html' %}
                         </div>

apps/authentication/urls/api_urls.py

@@ -16,8 +16,6 @@ router.register('super-connection-token', api.SuperConnectionTokenViewSet, 'supe
 router.register('admin-connection-token', api.AdminConnectionTokenViewSet, 'admin-connection-token')
 router.register('confirm', api.UserConfirmationViewSet, 'confirm')
 router.register('ssh-key', api.SSHkeyViewSet, 'ssh-key')
-# oauth2-provider
-router.register('access-tokens', api.AccessTokenViewSet, 'access-token')
 
 urlpatterns = [
     path('<str:backend>/qr/unbind/', api.QRUnBindForUserApi.as_view(), name='qr-unbind'),

apps/common/apps.py

@@ -5,7 +5,6 @@ import sys
 
 from django.apps import AppConfig
 from django.db import close_old_connections
-from django.conf import settings
 
 
 class CommonConfig(AppConfig):
@@ -24,21 +23,3 @@ class CommonConfig(AppConfig):
         if not os.environ.get('DJANGO_DEBUG_SHELL'):
             django_ready.send(CommonConfig)
             close_old_connections()
-        
-        self._auto_register_jumpserver_client_if_not_exists()
-
-    def _auto_register_jumpserver_client_if_not_exists(self):
-        """ Auto register JumpServer Client application if not exists.  """
-        from oauth2_provider.models import get_application_model
-        Application = get_application_model()
-        client_id = settings.OAUTH2_PROVIDER_CLIENT_ID
-        if Application.objects.filter(client_id=client_id).exists():
-            return
-        Application.objects.create(
-            name='JumpServer Client',
-            client_id=client_id,
-            client_type=Application.CLIENT_PUBLIC,
-            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
-            redirect_uris=settings.OAUTH2_PROVIDER_CLIENT_REDIRECT_URI,
-            skip_authorization=True,
-        )

apps/i18n/lina/en.json

@@ -280,8 +280,7 @@
     "CACertificate": "Ca certificate",
     "CAS": "CAS",
     "CMPP2": "Cmpp v2.0",
-    "CTYun": "State Cloud",
+    "CTYunPrivate": "eCloud Private Cloud",
-    "CTYunPrivate": "State Cloud(Private)",
     "CalculationResults": "Error in cron expression",
     "CallRecords": "Call Records",
     "CanDragSelect": "Select by dragging; Empty means all selected",
@@ -1635,8 +1634,5 @@
     "selectedAssets": "Selected assets",
     "setVariable": "Set variable",
     "userId": "User ID",
-    "userName": "User name",
+    "userName": "User name"
-    "AccessToken": "Access tokens",
+}
-    "AccessTokenTip": "Access Token is a temporary credential generated through the OAuth2 (Authorization Code Grant) flow using the JumpServer client, which is used to access protected resources.",
-    "Revoke": "Revoke"
-}

apps/i18n/lina/zh.json

@@ -279,7 +279,6 @@
     "CACertificate": "CA 证书",
     "CAS": "CAS",
     "CMPP2": "CMPP v2.0",
-    "CTYun": "天翼云",
     "CTYunPrivate": "天翼私有云",
     "CalculationResults": "cron 表达式错误",
     "CallRecords": "调用记录",
@@ -1645,8 +1644,5 @@
     "userId": "用户ID",
     "userName": "用户名",
     "Risk": "风险",
-    "selectFiles": "已选择选择{number}文件",
+    "selectFiles": "已选择选择{number}文件"
-    "AccessToken": "访问令牌",
+}
-    "AccessTokenTip": "访问令牌是通过 JumpServer 客户端使用 OAuth2（授权码授权）流程生成的临时凭证，用于访问受保护的资源。",
-    "Revoke": "撤销"
-}

apps/jumpserver/conf.py

@@ -569,7 +569,7 @@ class Config(dict):
         'SAFE_MODE': False,
         'SECURITY_MFA_AUTH': 0,  # 0 不开启 1 全局开启 2 管理员开启
         'SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY': True,
-        'SECURITY_MFA_BY_EMAIL': False,
+        'SECURITY_MFA_ENABLED_BACKENDS': [],
         'SECURITY_COMMAND_EXECUTION': False,
         'SECURITY_COMMAND_BLACKLIST': [
             'reboot', 'shutdown', 'poweroff', 'halt', 'dd', 'half', 'top'
@@ -735,10 +735,6 @@ class Config(dict):
 
         # MCP
         'MCP_ENABLED': False,
-
-        # oauth2_provider settings 
-        'OAUTH2_PROVIDER_ACCESS_TOKEN_EXPIRE_SECONDS': 36000,
-        'OAUTH2_PROVIDER_REFRESH_TOKEN_EXPIRE_SECONDS': 2592000,
     }
 
     old_config_map = {

apps/jumpserver/settings/base.py

@@ -141,7 +141,6 @@ INSTALLED_APPS = [
     'drf_spectacular',
     'drf_spectacular_sidecar', 
     'django_cas_ng',
-    'oauth2_provider',
     'channels',
     'django_filters',
     'bootstrap3',

apps/jumpserver/settings/libs.py

@@ -30,7 +30,6 @@ REST_FRAMEWORK = {
     ),
     'DEFAULT_AUTHENTICATION_CLASSES': (
         # 'rest_framework.authentication.BasicAuthentication',
-        "oauth2_provider.contrib.rest_framework.OAuth2Authentication",
         'authentication.backends.drf.AccessTokenAuthentication',
         'authentication.backends.drf.PrivateTokenAuthentication',
         'authentication.backends.drf.ServiceAuthentication',
@@ -223,13 +222,3 @@ PIICO_DRIVER_PATH = CONFIG.PIICO_DRIVER_PATH
 LEAK_PASSWORD_DB_PATH = CONFIG.LEAK_PASSWORD_DB_PATH
 
 JUMPSERVER_UPTIME = int(time.time())
-
-# OAuth2 Provider settings
-OAUTH2_PROVIDER = {
-    'ALLOWED_REDIRECT_URI_SCHEMES': ['https', 'jms'],
-    'PKCE_REQUIRED': True,
-    'ACCESS_TOKEN_EXPIRE_SECONDS': CONFIG.OAUTH2_PROVIDER_ACCESS_TOKEN_EXPIRE_SECONDS,
-    'REFRESH_TOKEN_EXPIRE_SECONDS': CONFIG.OAUTH2_PROVIDER_REFRESH_TOKEN_EXPIRE_SECONDS,
-}
-OAUTH2_PROVIDER_CLIENT_ID = 'FkkXFf0wPelYPIbvf0VElkZtyrw8TWIcyqakDgni'
-OAUTH2_PROVIDER_CLIENT_REDIRECT_URI = 'jms://auth/callback'

apps/jumpserver/urls.py

@@ -54,7 +54,6 @@ app_view_patterns = [
     path('download/', views.ResourceDownload.as_view(), name='download'),
     path('redirect/confirm/', views.RedirectConfirm.as_view(), name='redirect-confirm'),
     path('i18n/<str:lang>/', views.I18NView.as_view(), name='i18n-switch'),
-    path('oauth2-provider/', include('oauth2_provider.urls', namespace='oauth2-provider')),
 ]
 
 if settings.XPACK_ENABLED:

apps/jumpserver/views/other.py

@@ -148,6 +148,6 @@ class RedirectConfirm(TemplateView):
         parsed = urlparse(url)
         if not parsed.scheme or not parsed.netloc:
             return False
-        if parsed.scheme not in ['http', 'https', 'jms']:
+        if parsed.scheme not in ['http', 'https']:
             return False
         return True

apps/rbac/const.py

@@ -133,11 +133,6 @@ exclude_permissions = (
     ('terminal', 'session', 'delete,change', 'command'),
     ('applications', '*', '*', '*'),
     ('settings', 'chatprompt', 'add,delete,change', 'chatprompt'),
-    ('oauth2_provider', 'grant', '*', '*'),
-    ('oauth2_provider', 'refreshtoken', '*', '*'),
-    ('oauth2_provider', 'idtoken', '*', '*'),
-    ('oauth2_provider', 'application', '*', '*'),
-    ('oauth2_provider', 'accesstoken', 'add,change', 'accesstoken')
 )
 
 only_system_permissions = (
@@ -165,7 +160,6 @@ only_system_permissions = (
     ('authentication', 'temptoken', '*', '*'),
     ('authentication', 'passkey', '*', '*'),
     ('authentication', 'ssotoken', '*', '*'),
-    ('oauth2_provider', 'accesstoken', '*', '*'),
     ('tickets', '*', '*', '*'),
     ('orgs', 'organization', 'view', 'rootorg'),
     ('terminal', 'applet', '*', '*'),

apps/rbac/tree.py

@@ -129,7 +129,6 @@ special_pid_mapper = {
     "rbac.view_systemtools": "view_workbench",
     'tickets.view_ticket': 'tickets',
     "audits.joblog": "job_audit",
-    'oauth2_provider.accesstoken': 'authentication',
 }
 
 special_setting_pid_mapper = {
@@ -185,8 +184,6 @@ verbose_name_mapper = {
     'tickets.view_ticket': _("Ticket"),
     'settings.setting': _("Common setting"),
     'rbac.view_permission': _('View permission tree'),
-    'authentication.passkey': _("Passkey"),
-    'oauth2_provider.accesstoken': _("Access token"),
 }
 
 xpack_nodes = [

apps/settings/serializers/security.py

@@ -1,3 +1,7 @@
+import importlib
+import os
+
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
@@ -117,6 +121,35 @@ class SecurityLoginLimitSerializer(serializers.Serializer):
     )
 
 
+class DynamicMFAChoiceField(serializers.MultipleChoiceField):
+    def __init__(self, **kwargs):
+        _choices = self._get_dynamic_choices()
+        super().__init__(choices=_choices, **kwargs)
+
+    @staticmethod
+    def _get_dynamic_choices():
+        choices = []
+        mfa_dir = os.path.join(settings.APPS_DIR, 'authentication', 'mfa')
+        for filename in os.listdir(mfa_dir):
+            if not filename.endswith('.py') or filename.startswith('__init__'):
+                continue
+
+            module_name = f'authentication.mfa.{filename[:-3]}'
+            try:
+                module = importlib.import_module(module_name)
+            except ImportError:
+                continue
+
+            for attr_name in dir(module):
+                item = getattr(module, attr_name)
+                if not isinstance(item, type) or not attr_name.startswith('MFA'):
+                    continue
+                if 'BaseMFA' != item.__base__.__name__:
+                    continue
+                choices.append((item.name, item.display_name))
+        return choices
+
+
 class SecurityAuthSerializer(serializers.Serializer):
     SECURITY_MFA_AUTH = serializers.ChoiceField(
         choices=(
@@ -130,10 +163,10 @@ class SecurityAuthSerializer(serializers.Serializer):
         required=False, default=True,
         label=_('Third-party login MFA'),
     )
-    SECURITY_MFA_BY_EMAIL = serializers.BooleanField(
+    SECURITY_MFA_ENABLED_BACKENDS = DynamicMFAChoiceField(
-        required=False, default=False,
+        default=[], allow_empty=True,
-        label=_('MFA via Email'),
+        label=_('MFA Backends'),
-        help_text=_('Email as a method for multi-factor authentication')
+        help_text=_('MFA methods supported for user login')
     )
     OTP_ISSUER_NAME = serializers.CharField(
         required=False, max_length=16, label=_('OTP issuer name'),

apps/users/views/profile/otp.py

@@ -37,12 +37,25 @@ logger = get_logger(__name__)
 class UserOtpEnableStartView(AuthMixin, TemplateView):
     template_name = 'users/user_otp_check_password.html'
 
+    @staticmethod
+    def get_redirect_url():
+        message_data = {
+            'title': _('Redirecting'),
+            'message': _('No MFA services are available. Please contact the administrator'),
+            'redirect_url': reverse('authentication:login'),
+            'auto_redirect': True,
+        }
+        return FlashMessageUtil.gen_message_url(message_data)
+
     def get(self, request, *args, **kwargs):
         try:
             self.get_user_from_session()
         except SessionEmptyError:
             url = reverse('authentication:login') + '?_=otp_enable_start'
             return redirect(url)
+
+        if not MFAOtp.global_enabled():
+            return redirect(self.get_redirect_url())
         return super().get(request, *args, **kwargs)
 
 

pyproject.toml

@@ -45,7 +45,7 @@ dependencies = [
     'sshpubkeys==3.3.1',
     'uritemplate==4.1.1',
     'vine==5.0.0',
-    'werkzeug==3.1.4',
+    'werkzeug==3.0.6',
     'unicodecsv==0.14.1',
     'httpsig==1.3.0',
     'treelib==1.6.4',
@@ -84,7 +84,7 @@ dependencies = [
     'rest-condition==1.0.3',
     'drf-spectacular==0.28.0',
     'pillow==10.2.0',
-    'pytz==2025.2',
+    'pytz==2023.3',
     'django-proxy==1.2.2',
     'python-daemon==3.0.1',
     'eventlet==0.40.3',
@@ -152,7 +152,6 @@ dependencies = [
     'playwright==1.55.0',
     'pdf2image==1.17.0',
     'drf-spectacular-sidecar==2025.8.1',
-    "django-oauth-toolkit==2.4.0",
 ]
 
 [project.urls]

utils/delete_oauth2_provider_application.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-#
-
-function delete_oauth2_provider_applications() {
-python3 ../apps/manage.py shell << EOF
-from oauth2_provider.models import *
-apps = Application.objects.all()
-apps.delete()
-print("OAuth2 Provider Applications deleted successfully!")
-EOF
-}
-
-delete_oauth2_provider_applications