Defect #3015
Open
Combination of SSO and IdM two-factor authentication does not work
% Done: 30
Description
SSO does not work with two-factor authentication after an IdM restart. 2FA can be turned on in IdM from version 10.7.0.
We encountered an error in the customer's environment with version 11.2.1. I also simulated it in the local environment by modifying the HTTP header - same error.
More info about error and local testing here: #3007
Related issues
Updated by David Štekl about 3 years ago
- Related to Task #3007: SSO and user login with two-factor authentication added
Updated by Tomáš Doischer about 3 years ago
- Category set to Authentication / Authorization
- Assignee set to Tomáš Doischer
Updated by Roman Kučera about 3 years ago
- Target version changed from 12.1.0 to 12.2.0
Updated by Roman Kučera almost 3 years ago
- Sprint set to Sprint 12.2-2 (Mar 02 - Mar 16)
Updated by Tomáš Doischer almost 3 years ago
- Status changed from New to In Progress
Updated by Tomáš Doischer almost 3 years ago
- Priority changed from High to Normal
- % Done changed from 0 to 10
I have been able to replicate this in SOME cases (but not always) using the same way as in #3007. I do not have any errors in the log and I don't think the error from #3007 is closely related to the issue (authorities are loaded after authentication which failed).
With this error, I've tried:
- anonymous window - did not help
- removing cookies - did not help
- removing user storage - did not help
- turning off SSO (removing header) - did not help - I was able to log in with password and MFA token, but after turning SSO on again the error was present again
What I see in the log:
2022-03-07 10:27:40.625 WARN 859280 --- [http-nio-18080-exec-1] e.b.idm.core.security.auth.filter.JwtIdmAuthenticationFilter.authorize : Invalid token, reason: [Authorities changed or user logged out, log in again.]
2022-03-07 10:27:40.628 WARN 859283 --- [http-nio-18080-exec-1] eu.bcvsolutions.idm.core.exception.RestErrorAttributes.getErrorAttributes : [core:FORBIDDEN:13bbbe05-4860-47ae-8627-5154fdd7a7b5] Forbidden. ({path=/idm/api/v1/logout, message=Access Denied})
2022-03-07 10:27:40.706 WARN 859361 --- [http-nio-18080-exec-6] eu.bcvsolutions.idm.core.exception.RestErrorAttributes.getErrorAttributes : [core:FORBIDDEN:93cfa5ea-234c-4bc0-aa9e-2597cfbaede4] Forbidden. ({path=/idm/api/v1/authentication/remote-auth, m:
This is not very interesting.
One issue with testing is that in the development environment, I was not able to simulate this.
Updated by Tomáš Doischer almost 3 years ago
- % Done changed from 10 to 30
This issue only occurs when the application is deployed from a WAR in Tomcat. Even if I run a separate frontend locally connected to the same backend, everything works correctly.
There don't seem to be any issues on the backend; TwoFactorAuthenticationRequiredException is raised in DefaultJwtAuthenticationService which is intended. This exception is then returned to the frontend which in turn causes the MFA dialog to be shown.
But in some cases this doesn't happen. I have no way to debug this, since it cannot be replicated in IDEs and not even console.log works on the frontend. I will need to analyze the issue further. There must be some request where the exception is raised but is not used on the frontend.
Updated by Roman Kučera over 2 years ago
- Target version changed from 12.2.0 to 13.0.0
Updated by Tomáš Doischer over 2 years ago
- Sprint deleted (Sprint 12.2-2 (Mar 02 - Mar 16))