
JumpCloud provider requests MFA when user doesn't exist #552

Closed
iainelder opened this issue Sep 8, 2020 · 3 comments · Fixed by #556

Comments

@iainelder
Copy link
Contributor

iainelder commented Sep 8, 2020

I had to refer to the source code to solve a strange login problem I had. It seems the code makes a false assumption.

// Check if we get a 401. If we did, MFA is required and the OTP was not provided.
// Get the OTP and resubmit.

Not necessarily. You also get a 401 if the "username" is incorrect.

I don't have MFA configured on my JumpCloud user.

In my case, I was putting the actual JumpCloud username (aws-sandbox) instead of the email address (aws-sandbox@example.com) which is what the JumpCloud login console page really expects.

I don't see a way to disable the MFA prompt. That may be because I'm new to this tool, but I didn't see it in the README.

Failing that, is there a way to programmatically distinguish 401 for lack of MFA and 401 for incorrect credentials? I'm also new to JumpCloud so I don't know if that's possible.

@jack1902
Copy link
Contributor

jack1902 commented Sep 9, 2020

@iainelder you can inspect the res.Body of the request, as the res.StatusCode alone clearly isn't enough (I would argue that not setting MFA is a bad idea but that's not the issue here)

Invalid user or bad password:

```json
{"message":"Authentication failed."}
```

MFA required, carry on requesting MFA from the user:

```json
{"factors":[{"type":"totp","status":"available"},{"type":"duo","status":"available"}],"message":"MFA required."}
```
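
One way to implement the body check described above, added here as an illustration in Go rather than saml2aws's own code: the `AuthOutcome` type, the `ClassifyAuthResponse` function and the field names are assumptions, and the two response bodies it recognises are the ones quoted in this comment. It also handles the cases a login loop should not guess on (unparseable body, unexpected status), returning `AuthUnknown` instead of prompting for an OTP.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// AuthOutcome is what a JumpCloud login attempt resolved to (assumed type, not saml2aws's).
type AuthOutcome int
const (
	AuthOK             AuthOutcome = iota // 2xx: credentials accepted
	AuthMFARequired                       // 401 carrying a "factors" list
	AuthBadCredentials                    // 401 carrying "Authentication failed."
	AuthUnknown                           // anything else: do not guess
)
// jumpCloudAuthBody covers both 401 bodies quoted in the thread.
type jumpCloudAuthBody struct {
	Message string `json:"message"`
	Factors []struct {
		Type   string `json:"type"`
		Status string `json:"status"`
	} `json:"factors"`
}
// ClassifyAuthResponse decides from status code and body together whether to
// prompt for an OTP or report a credential failure, returning the available
// factor types (e.g. "totp", "duo") when MFA is required.
func ClassifyAuthResponse(status int, body []byte) (AuthOutcome, []string, error) {
	if status >= 200 && status < 300 {
		return AuthOK, nil, nil
	}
	if status != 401 {
		return AuthUnknown, nil, fmt.Errorf("unexpected status %d", status)
	}
	var parsed jumpCloudAuthBody
	if err := json.Unmarshal(body, &parsed); err != nil {
		return AuthUnknown, nil, fmt.Errorf("401 with unparseable body: %w", err)
	}
	if len(parsed.Factors) > 0 {
		var available []string
		for _, f := range parsed.Factors {
			if f.Status == "available" {
				available = append(available, f.Type)
			}
		}
		return AuthMFARequired, available, nil
	}
	if parsed.Message == "Authentication failed." {
		return AuthBadCredentials, nil, nil
	}
	return AuthUnknown, nil, fmt.Errorf("unrecognised 401 body: %q", parsed.Message)
}
```

The caller only enters the OTP prompt on `AuthMFARequired`; a plain `Authentication failed.` surfaces as a credential error, which is the behaviour the reporter was missing.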

@iainelder
Copy link
Contributor Author

> i would argue that not setting MFA is a bad idea

MFA is not yet company policy, so we need the tool to work without MFA as well.

It's on the roadmap, but our first priority is to eliminate long-lived IAM access keys. saml2aws is extremely helpful to achieve this.

So our first step is to train people to use saml2aws for configuring the CLI. When we have that under control, enabling MFA is an important next step.

> you can inspect the res.Body of the request

Great! What do we need to implement this? Is there another module whose pattern we can follow?

I have reproduced similar outputs using the DUMP_CONTENT=true environment variable. I don't have time to dedicate to a fix right now, but I would like to give it a go later if someone else doesn't jump in first.

@iainelder
Copy link
Contributor Author

@jack1902 I put together a PR that I think solves this. Could you take a look? It's my first time writing Go and my first contribution to this project so any pointers would be appreciated. Thanks!
