Does TwoFactorSignIn contain a bug or am I configuring Identity incorrectly? #981
Copying S/O post, so everything is in one place. I have been working on an ASP.NET Core application for a couple months. Now near finishing the first beta I realized I hadn't enabled Two-Factor Authentication, and now I think I uncovered a bug in the implementation for Microsoft.AspNetCore.Identity. If we look at how a user is retrieved, it does this:
However, the TwoFactorSignInAsync method in the SignInManager never sets a claim of type UserIdClaimType, but it sets the same Name claim 4 times, containing the User's Id.
EDIT: By the way, this is easily solved by changing GetUserId to something like this:
I'm not sure what you mean by TwoFactorSignInAsync sets the username 4 times. So this method is what generates the principal for sign in: https://github.com/aspnet/Identity/blob/dev/src/Microsoft.AspNetCore.Identity/UserClaimsPrincipalFactory.cs#L78 SignInManager does some work around verifying the two factor code and the user, but the actual application cookie generation is done by the UserClaimsPrincipalFactory. Perhaps you are looking at the wrong cookie (there are 4 of them). In general it's only the application cookie that you should care about; the rest are there for identity APIs to work.
Hello @HaoK, If I debug right after {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: MYGUID} Thus, either how I set up Identity in Startup is wrong or the 1.0.0 version of TwoFactorSignInAsync does not put the expected claim type "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier".
Can you make sure that AutomaticAuthenticate is off for all of the cookie middleware other than the ApplicationCookie (inside of IdentityOptions.Cookies.XyzCookie)?
AutomaticAuthenticate is a bool, and I am not setting it explicitly in my code, so my guess is that it's false by default?
What version of the packages are you using? There was a bug fixed in older versions where the defaults used to be true; you can turn all of the AutomaticAuthenticates to false other than the Application one if you don't want to upgrade.
I have no problem upgrading, I am even on EF Core 1.0.1 already. But I have the latest stable as per NuGet (1.0.0). I'll try turning them off explicitly and see what it does.
The defaults should be set to off: https://github.com/aspnet/Identity/blob/dev/src/Microsoft.AspNetCore.Identity/IdentityCookieOptions.cs
I followed the link provided and changed the Identity setup to this:
Now after a successful "TwoFactorSignInAsync", HttpContext.User contains 0 identities/claims so not even my workaround works. I checked and all but ApplicationCookie have
Just to clarify expectations, assuming TwoFactorSignIn returned success, it should be setting a cookie which contains the application cookie which will have the user on the next request. Is that what you are seeing? I'd also try getting rid of any HttpOnly/Cookie secure extraneous settings for now.
Using this
I'd expect that if I enter the `if`, it's because all is good, the user entered the correct code, etc. Under normal "_SignInManager.PasswordSignInAsync" this is true; however, for TwoFactorSignInAsync I get null. twoFactorInfo = good, retrieved the expected entity. GOING BACK (all of TwoFactorSignInAsync apparently ran fine, hence result.Succeeded == true) => HttpContext.User contains absolutely no claims.
Again, two factor sign in, if successful, means the NEXT request will have the User set. Authentication for the current request has already happened. None of the SignIns have any effect on the current request.
Ahhh, I now get what you are saying. I did not know that. In fact, I never really saw that mentioned anywhere.
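The point made above (a successful TwoFactorSignInAsync only writes the application cookie, and the principal is available on the next request, not the current one) is easy to see in a minimal controller. The following is an added example written for this thread, not code from the issue or from the Identity repository; it targets ASP.NET Core Identity 1.0 and assumes an `ApplicationUser : IdentityUser` class and a `VerifyCodeViewModel` defined here for illustration.

```csharp
// Added example (not from the thread): after TwoFactorSignInAsync succeeds,
// HttpContext.User on the current request is unchanged; redirecting makes the
// browser send the new application cookie, and the next request carries the
// principal built by UserClaimsPrincipalFactory (NameIdentifier = user id).
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical view model for the verification form.
public class VerifyCodeViewModel
{
    public string Provider { get; set; }
    public string Code { get; set; }
    public bool RememberMe { get; set; }
    public bool RememberBrowser { get; set; }
}

public class AccountController : Controller
{
    private readonly SignInManager<ApplicationUser> _signInManager; // ApplicationUser is assumed
    private readonly UserManager<ApplicationUser> _userManager;

    public AccountController(SignInManager<ApplicationUser> signInManager,
                             UserManager<ApplicationUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> VerifyCode(VerifyCodeViewModel model)
    {
        // The pending user comes from the two-factor cookie that
        // PasswordSignInAsync set when it returned RequiresTwoFactor,
        // not from HttpContext.User (which is still anonymous here).
        var user = await _signInManager.GetTwoFactorAuthenticationUserAsync();
        if (user == null)
        {
            return View("Error");
        }

        var result = await _signInManager.TwoFactorSignInAsync(
            model.Provider, model.Code, model.RememberMe, model.RememberBrowser);

        if (result.IsLockedOut)
        {
            return View("Lockout");
        }
        if (!result.Succeeded)
        {
            ModelState.AddModelError(string.Empty, "Invalid code.");
            return View(model);
        }

        // Success only means a Set-Cookie for the application cookie was written.
        // Authentication middleware already ran for THIS request, so
        // User.Identity.IsAuthenticated is still false and
        // _userManager.GetUserId(User) returns null at this point.
        // Redirect so the browser presents the new cookie on the next request.
        return RedirectToAction(nameof(WhoAmI));
    }

    [Authorize]
    public IActionResult WhoAmI()
    {
        // On this (next) request the cookie middleware has rebuilt the principal
        // from the application cookie, so the NameIdentifier claim is present.
        var userId = _userManager.GetUserId(User);                          // via Options.ClaimsIdentity.UserIdClaimType
        var userIdFromClaim = User.FindFirst(ClaimTypes.NameIdentifier)?.Value; // same value, read directly
        var name = User.Identity.Name;                                      // from the Name claim
        return Content($"id={userId} claim={userIdFromClaim} name={name}");
    }
}
```

If `WhoAmI` is reached with an empty `userId`, the application cookie was not issued or not sent back, which is the situation to check first (for instance a cookie middleware other than ApplicationCookie running with AutomaticAuthenticate on, as discussed earlier in the thread); reading `User` inside `VerifyCode` itself will always look empty, regardless of configuration.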
Can someone please, for the love of god, provide an example project for a basic 2FA setup in Web API 2. I'm using Identity 2.2.2 and I need to implement 2FA ASAP, I'm already behind schedule and I need this NOW. Been struggling with this for days and the MVC5 template from Visual Studio 2017 wasn't helpful. The SignInManager.PasswordSignInAsync() method works fine, it returns RequiresVerification. But I'm not sure what to do from there. In my AuthorizationServerProvider class, in the GrantResourceOwnerCredentials() method, what do I do after receiving a status of RequiresVerification? Do I have to sign the user in by generating the user identity - for the SignInManager to work properly - or do I set an error on the context and return? What I need to do is this: if the /token end-point results in RequiresVerification, return an error to notify the client (angular app) that the user needs to verify the 2FA security code. Then I generate and send the code, and display some UI for verification. The user receives the code, sends it to another end-point and it gets verified successfully. But then when I try to call SignInManager.TwoFactorSignInAsync() it always fails with a status of Failure. This is my code:
I'm generating and sending the code using the UserManager class because the SignInManager.SendTwoFactorCodeAsync() method doesn't work (User Id not found). And this is how I verify the security code in another end-point:
I'm getting the user by username and password again, because for some messed up reason, the SignInManager.GetVerifiedUserIdAsync() method returns an empty GUID. But the SignInManager.HasBeenVerifiedAsync() returns true (?!). I'm nearly there, it shouldn't be this difficult, I think I'm missing something here. What I want is this:
This is my Startup.cs config:
I have implemented 2FA in MVC 5 apps before, nothing fancy there. But in Web API + OWIN projects, I think I'm lost. I'd really appreciate it if someone took the time to guide me in the right direction or perhaps provide example code. I need to deploy my 2FA implementation in less than a week. Thanks in advance, fingers crossed, I'll get a helpful response soon. Cheers.
@inexuscore That is completely unrelated to this question I had. You should either open a new bug report or a question on Stack Overflow (you'll likely get better answers there).
@CamiloTerevinto I understand that. I couldn't find anything useful on SO, and since you guys were talking about the 2FA bug, I thought I'd post my question here. I'll open a thread on SO but doubt I'd get any answers there. Bug reports won't help either, the repo is closed and they've moved on to Identity 3 and .NET Core .. any ideas are appreciated.
@inexuscore The problem is that here there was no bug. This was my own problem of not knowing how the framework works :) post it there and email me the link, I'll try to check it out
@CamiloTerevinto most probably, that's what I was thinking. I think I'm missing something. In the config, or the way I'm using the framework. Sure, I'll link you up as soon as I've created the SO thread.
Please refer to Does Identity Core TwoFactorSignIn contain a bug?