From ed9264fd2aeb50ada8b5c270a22da8b6f8bfb2c0 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Fri, 13 Mar 2026 14:13:25 +0100
Subject: [PATCH] [Web] Allow force_tfa for LDAP and Keycloak users

---
 data/web/inc/functions.mailbox.inc.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index a002ab41b..9506bbf1f 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1115,6 +1115,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $attribute_hash = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
           if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){
             $force_pw_update = 0;
+          }
+          if ($authsource == 'generic-oidc'){
             $force_tfa = 0;
           }
           $mailbox_attrs = json_encode(
@@ -3126,6 +3128,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               }
               if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){
                 $force_pw_update = 0;
+              }
+              if ($authsource == 'generic-oidc'){
                 $force_tfa = 0;
               }
               $pw_recovery_email    = (isset($_data['pw_recovery_email']) && $authsource == 'mailcow') ? $_data['pw_recovery_email'] : $is_now['attributes']['recovery_email'];