Retrieving MFA Status via API

Hi,

I would like to get the MFA/two-factor authentication status for each user via the API.
When sending the GetUser REST:
https://gitlab.com/api/v4/users/ID (Users API | GitLab)

I don’t get the “two_factor_enabled” field in the response. Is there any other REST call where I can check what the MFA status of a user/organization is, in GitLab SaaS?

To get two_factor_enabled using the Users API, you must be an administrator. Therefore, this is not available on GitLab.com.

There is currently a feature request to add the two_factor_enabled field to API calls for group owners: Enable two_factor_enabled API field for group owners (#385177) · Issues · GitLab.org / GitLab · GitLab. If you’re interested in this feature, I encourage you to :+1: the issue and feel free to share your feedback and use case in the comments.

Thanks Greg for the prompt response!
But even when using an admin user, I’m not getting this info in the response.
Can you please elaborate on what you mean by “this is not available on GitLab.com”?
You mean “https://gitlab.com/api/v4/users/ID” endpoint won’t work even if I’m an admin?
If so - which endpoint should I use?

Hi @ron6325904 ,

You may be the owner of a group or namespace on GitLab.com, but you’re not an administrator on GitLab.com. Admin access on GitLab.com is carefully audited and monitored and only a couple of GitLab team members have access to administration tools and settings on GitLab.com. This includes accessing the GitLab.com API endpoints as an administrator. Administer GitLab | GitLab

You mean https://gitlab.com/api/v4/users/ID endpoint won’t work even if I’m an admin?

It will work (in that you’ll get a response instead of an error) but it will not return information that is only available to GitLab.com administrators (including whether the user has two_factor enabled).

This is why the documentation on how to check if a single user has two_factor enabled says “For administrators” and it has the “SELF-MANAGED” label next to it.
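Added example, not part of any post in this thread and not GitLab's own code: a small audit helper that treats a response without `two_factor_enabled` as "unknown" rather than "disabled", since the field is simply omitted for non-administrator tokens. The helper names, the token and the sample users are constructed for illustration.

```python
import json
import urllib.request

GITLAB_API = "https://gitlab.com/api/v4"  # self-managed: https://<your-host>/api/v4

def fetch_user(user_id, token, api=GITLAB_API, opener=urllib.request.urlopen):
    """GET /users/:id authenticated with a personal access token."""
    req = urllib.request.Request(f"{api}/users/{user_id}",
                                 headers={"PRIVATE-TOKEN": token})
    with opener(req) as resp:
        return json.load(resp)

def mfa_status(user):
    """Tri-state result: a missing field means this token cannot see it."""
    if "two_factor_enabled" not in user:
        return "unknown"
    return "enabled" if user["two_factor_enabled"] else "disabled"

def audit(users):
    """Group usernames by MFA status so 'unknown' is never counted as 'disabled'."""
    report = {"enabled": [], "disabled": [], "unknown": []}
    for user in users:
        report[mfa_status(user)].append(user["username"])
    return report

# Constructed sample responses (not real accounts).
SAMPLE_USERS = [
    {"id": 1, "username": "alice", "two_factor_enabled": True},   # seen with an admin token
    {"id": 2, "username": "bob", "two_factor_enabled": False},    # seen with an admin token
    {"id": 3, "username": "carol"},                               # seen with a non-admin token
]

if __name__ == "__main__":
    for status, names in audit(SAMPLE_USERS).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

A report in which every user lands in "unknown" indicates the token lacks administrator visibility, not that MFA is off.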

Thanks Greg.
The documentation specifies that:
“On GitLab self-managed, available in all tiers. Not available on GitLab SaaS.”

Can you please elaborate on what it means?
This endpoint won’t return MFA info if I’m using GitLab SaaS?

In addition, is there a way to check if my user is an administrator (using the API)?

If there is no way to verify it via the API, can you please point me to where I can find it in the GUI?

Kind reminder :slight_smile: