id-challenge HTML element does not always contain a JSON value #128
Comments
This is happening to our org as well. aws-google-auth has become unusable for accounts that face CAPTCHA challenges. |
We are seeing this as well |
I'm experiencing the same behavior as @adcreare, it fixes itself after a few reruns. I'd be happy to try and make a PR for this, but I don't know enough SAML to find the values that are needed in the new Google page. |
For me it has completely stopped working now... Yesterday I noticed this issue for the first time. |
Same here. I got the occasional error in the past but a re-run fixed it. Since this morning it has stopped working altogether for me. |
Same here, stopped completely. |
Same here => previously one or two retries worked to get a "valid JSON" version. Since yesterday it stopped working. |
I just found out that this only affects the code path for Yubi key authentication, at least for me. As a (temporary) workaround, I removed the keys from my Google account and use Google's Authenticator app instead - not ideal, but at least I can authenticate again. |
@olitheolix thanks for this workaround. I can reproduce with yubikey only as well. Falling back to google authenticator works for me as well. |
I, too, am having the same issue with a YubiKey. |
It is now consistently broken for everyone on my team as well, including me. Disabling yubikey fixes it as well. It seems like the issue is that Google does some kind of browser detection and if it's not Chrome they want you to prompt to install Chrome. I've tried hardcoding the user agent in |
This is also broken for me. I also use a Yubikey. |
same here, yubikey as well. |
same here, I had to remove the yubikey and use google prompt as default. |
Same here. Looks like there is no way to change the default 2FA method on Google account setting, so you'll have to remove the yubikey to use Google's Authenticator app for workaround. |
Also having this issue with U2F (Yubikey). |
Just to be clear, this doesn't appear to be an issue with Yubikey, but with the U2F process. My Google Titan keys also have the same problem. |
To anybody in this issue (or the author of the tool (@stevemac007 ?)): can you recognize what's the payload of the I'm saying this because perhaps we could just detect when it's not a JSON and carry on with the auth (replying to the challenges using the Yubikey/Titan keys output)?: https://github.com/cevoaustralia/aws-google-auth/blob/master/aws_google_auth/google.py#L363 /cc @reisingerf |
Same issue, with yubikey |
Same issue here as well.... |
It looks repeatable enough that we should be able to work something out. The challenge with this whole tool is that it is reverse engineered from behavior in the wild, and google can (and has) change the format of these pages as they see fit. It looks like this is another one of those cases. If someone with access to one of the hardware keys that are having problems has the capability to help troubleshoot and reverse-engineer what is happening, I'd willingly accept (and help with) updates to the tool. I don't have one of these keys at the moment, so not something I can simulate, and hence resolve. If you have ways in which I can replicate this on my account I'm willing to take on the task of trying to work out a way around this. Just note, we can't promise anything - there have been a few things - like Captcha problems of the past - that required considerable time to try and work out, and as quickly as they were issues they seemed to go away again. There is no real view into the complexity that is the Google SSO machine from the outside. |
Set up some kind of campaign / funding avenue and I'm sure a bunch of us will have no trouble donating the money required to buy a YubiKey. |
On Mar 28, 2019, at 3:26 PM, Robert Sink ***@***.***> wrote:
Set up some kind of campaign / funding avenue and I'm sure a bunch of us will have no trouble donating the money required to buy a YubiKey.
If https://www.yubico.com/product/security-key-by-yubico/#security-key will work and you think you can do it, make an amazon wishlist with it and I’ll buy it for you right now. $20 is definitely worth it to me.
|
This change on the Google U2F reference implementation might explain things: TL;DR: Deprecating browser plugin side-loading in favor of WebAuthN. /cc @wandergeek |
Think I am going to switch to this to circumvent this issue: https://github.com/flowcommerce/aws-credentials-broker |
Hmm, uninstalled, switched to a virtual MFA and am still getting the JSON errors. Any ideas? |
I'm also having this issue with YubiKey (U2F). What worked for me was using Google Prompt for 2FA instead of YubiKey. |
Maybe there is a way to call other 2fa methods instead of yubikey? In my google account yubikey is the default method, with google prompt and authenticator coming in second and third places. |
Alright time this got fixed :) I'm also no python expert so if you spot anything horrible, let me know and I'll fix it |
This looks to be resolved with the 0.0.34 release. |
No, I'm still getting it on 0.0.35. Not sure of the reason however.
|
Sometimes aws-google-auth fails with the following exception:
I think the issue is because of the challenge HTML form having changed. During a failed run, it looks like this:
Based on this it looks like it comes down to the value string of id-challenge no longer being a stringified JSON object, but instead a "random" string that looks like "...hUTYdnvUG6M25UzFVz...". I poked around but it wasn't clear to me what the right way is to fix this, especially because looks like it has the relevant data but also looks like it isn't simply JSON...
This has started happening approximately 5 days ago.
In case it is relevant, saving the html and opening it in a browser (Chrome) renders this page:
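One way to tell the two cases in this issue apart and fail with a clear error instead of a JSON decoding traceback, as an added example that is not part of the original report and is not aws-google-auth's own code. It assumes the challenge sits in the `value` attribute of the element whose id is `id-challenge`; the class and function names, the sample pages and the JSON field names are constructed placeholders.

```python
import json
from html.parser import HTMLParser


class ChallengeFormatError(ValueError):
    """Raised when the id-challenge value is missing or is not a JSON object."""


class _ChallengeFinder(HTMLParser):
    """Records the value attribute of the first element with id="id-challenge"."""

    def __init__(self):
        super().__init__()
        self.found = False
        self.value = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if not self.found and attrs.get("id") == "id-challenge":
            self.found = True
            self.value = attrs.get("value")


def parse_challenge(page_html):
    """Return the challenge as a dict, or raise ChallengeFormatError."""
    finder = _ChallengeFinder()
    finder.feed(page_html)
    if not finder.found or finder.value is None:
        raise ChallengeFormatError("no id-challenge value in page")
    try:
        data = json.loads(finder.value)
    except json.JSONDecodeError:
        # Opaque-string case from this issue: report only the length, so the
        # challenge material itself does not end up in logs or bug reports.
        raise ChallengeFormatError(
            "id-challenge is not JSON (%d chars)" % len(finder.value)) from None
    if not isinstance(data, dict):
        raise ChallengeFormatError("id-challenge JSON is not an object")
    return data


# Constructed sample pages (hypothetical markup; field names are placeholders).
JSON_PAGE = ('<form><input type="hidden" id="id-challenge" '
             'value="{&quot;placeholderKey&quot;: &quot;placeholderValue&quot;}"></form>')
OPAQUE_PAGE = ('<form><input type="hidden" id="id-challenge" '
               'value="constructedOpaqueToken123"></form>')
```
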