Possibility to set up 2FA on login

[ChristophWurst]

Originally discussed in #11021 and brought up in #12249, it would be a UX enhancement if we could allow users setting up their 2FA on login in case it was enforced by admins.

This will require some dedicated setup pages that are accessible even when 2FA is enforced, hence require a restructuring of how 2FA providers works and communicate with the server.

[rullzer]

Now that we have the new provider interfaces probably

• New interface that exposes this possibility ( ILoginConfiguration or whatever)
• This should do similar stuff to the admin page so I guess we can reuse parts

Maybe we should add a special controller to help out?

[ChristophWurst]

I would say we need a (tagging) interface for providers that support this, so the server knows whether the user can't log in or is able to do the registration. Then we need a selection screen for the case of more than one provider. And then we can let the provider render a template like on the challenge and settings pages. The interface would look like this

namespace OCP\Authentication\TwoFactorAuth;

interface ISelfRegistrationProvider {
    public function getTemplate(): \OCP\Template;
}

… and in order to allow the client-side to talk to the server-side controllers we can add a new controller method annotation like @NoTwoFactorRequired that does not block requests. Provider apps can use this to create their settings controller for the registration.

Is there anything else we need?

[rullzer]

I think that is indeed it!

[ChristophWurst]

Let's aim to do this for 17 then ;)