Fix challenge response API #1353

Closed
cornelinux opened this Issue Dec 21, 2018 · 0 comments

cornelinux commented Dec 21, 2018

There is an inconsistency in the challenge response API between a user-triggered challenge and an administratively triggered challenge.

User triggers challenge

The user has two tokens, both with the same PIN. So this user actually can give the PIN and it will trigger two challenges:

http POST http://localhost:5000/validate/check user=cornelius pass=test

{
    "detail": {
        "attributes": {
            "state": "01928502550899427322",
            "valid_until": "2018-12-21 13:49:37.107654"
        },
        "message": "please enter otp: , Enter the OTP from the Email:",
        "multi_challenge": [
            {
                "attributes": null,
                "serial": "TOTP0001573B",
                "transaction_id": "01928502550899427322"
            },
            {
                "attributes": {
                    "state": "01928502550899427322",
                    "valid_until": "2018-12-21 13:49:37.107654"
                },
                "serial": "PIEM000024B0",
                "transaction_id": "01928502550899427322"
            }
        ],
        "serial": "PIEM000024B0",
        "threadid": 139947024250624,
        "transaction_id": "01928502550899427322"
    },
    "id": 1,
    "jsonrpc": "2.0",
    "result": {
        "status": true,
        "value": false
    },
    "time": 1545396077.114939,
    "version": "privacyIDEA 2.23.3",
    "versionnumber": "2.23.3"
}

In this case all challenges have the same transaction_id and the response could simply be sent with this very only transaction_id.
privacyIDEA will find the right token.

administrative trigger

An administrator can trigger a challenge for a user.
In this case no PIN is involved and a challenge for each chal resp token of this user will be triggered:

http POST http://localhost:5000/validate/triggerchallenge authorization:$PITOK user=cornelius

{
    "detail": {
        "attributes": {
            "state": null,
            "valid_until": "2018-12-21 13:50:07.834025"
        },
        "messages": [
            "please enter otp: ",
            "Enter the OTP from the Email:"
        ],
        "threadid": 139947024250624,
        "transaction_ids": [
            "01391359713621908840",
            "13838382389650072226"
        ]
    },
    "id": 1,
    "jsonrpc": "2.0",
    "result": {
        "status": true,
        "value": 2
    },
    "time": 1545396107.835951,
    "version": "privacyIDEA 2.23.3",
    "versionnumber": "2.23.3"
}

In this case each token has its own challenge.
The first in the list is from a TOTP token ("please enter otp:"), the second in the list from an email token ("Enter the OTP from the Email:").

In this case the application would have to check both transaction_ids in the list "transaction_ids":

http POST http://localhost/validate/check user=cornelius pass=123456 transaction_id=01391359713621908840
http POST http://localhost/validate/check user=cornelius pass=123456 transaction_id=13838382389650072226

If one of both requests returns True, then the one challenge was successfully answered.

I think in the long run we should have the triggerchallenge API return the same JSON as the /validate/check - i.e. only one transaction_id.

For backward compatibility we should return the following, i.e. a combination/merge of both:

    "detail": {
        "attributes": {
            "state": null,
            "valid_until": "2018-12-21 13:50:07.834025"
        },
        "message": "please enter otp: , Enter the OTP from the Email:",
        "messages": [
            "please enter otp: ",
            "Enter the OTP from the Email:"
        ],
        "multi_challenge": [
            {
                "attributes": null,
                "serial": "TOTP0001573B",
                "transaction_id": "01928502550899427322"
            },
            {
                "attributes": {
                    "state": "01928502550899427322",
                    "valid_until": "2018-12-21 13:49:37.107654"
                },
                "serial": "PIEM000024B0",
                "transaction_id": "01928502550899427322"
            }
        ],
        "threadid": 139947024250624,
        "transaction_ids": [
            "01391359713621908840",
            "01391359713621908840"
        ],
        "transaction_id": "01928502550899427322"
    },
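Client-side handling of the two response shapes described in this issue, as an added example that is not part of the issue or of privacyIDEA itself. The sample responses are trimmed copies of the ones above, and `check` is an assumed callable wrapping POST /validate/check.

```python
# Sample responses constructed from the two examples in this issue
# (privacyIDEA 2.23.3), trimmed to the fields a client actually needs.
USER_TRIGGERED = {  # POST /validate/check with user + PIN
    "detail": {
        "multi_challenge": [
            {"serial": "TOTP0001573B", "transaction_id": "01928502550899427322"},
            {"serial": "PIEM000024B0", "transaction_id": "01928502550899427322"},
        ],
        "transaction_id": "01928502550899427322",
    },
    "result": {"status": True, "value": False},
}

ADMIN_TRIGGERED = {  # pre-3.0 POST /validate/triggerchallenge by an admin
    "detail": {
        "messages": ["please enter otp: ", "Enter the OTP from the Email:"],
        "transaction_ids": ["01391359713621908840", "13838382389650072226"],
    },
    "result": {"status": True, "value": 2},
}


def challenge_transaction_ids(response):
    """Distinct transaction_ids a client must try, in order of appearance.

    Covers both shapes the issue describes: the single transaction_id (plus
    multi_challenge) of /validate/check and the transaction_ids list of the
    old /validate/triggerchallenge, as well as the proposed merged shape.
    """
    detail = response.get("detail", {})
    candidates = list(detail.get("transaction_ids", []))
    candidates.append(detail.get("transaction_id"))
    candidates += [c.get("transaction_id") for c in detail.get("multi_challenge", [])]
    seen = set()
    return [t for t in candidates if t and not (t in seen or seen.add(t))]


def answer_challenge(check, user, otp, response):
    """Submit the OTP once per transaction_id until one is accepted.

    `check(user, otp, transaction_id)` is a hypothetical callable wrapping
    POST /validate/check that returns result.value (True when the OTP was
    accepted). Returns the accepted transaction_id, or None if all failed.
    """
    for tid in challenge_transaction_ids(response):
        if check(user, otp, tid):
            return tid
    return None
```

With the merged response the issue proposes, the same client code needs only a single round trip because the list collapses to one id.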

@cornelinux cornelinux added this to the 3.0 Code Cleanup milestone Dec 21, 2018

cornelinux added a commit that referenced this issue Dec 21, 2018

Make triggerchallenge HTTP response consistent
The endpoints /validate/check and /validate/triggerchallenge
are able to trigger a challenge. They were not consistent.
Now both endpoints return the same JSON, when a challenge is triggered.
If there are several C/R tokens, only ONE transaction_id is created,
which makes it easier for the calling application.

Closes #1353


fredreichbier added a commit that referenced this issue Jan 8, 2019

Make triggerchallenge HTTP response consistent (#1355)
* Make triggerchallenge HTTP response consistent

The endpoints /validate/check and /validate/triggerchallenge
are able to trigger a challenge. They were not consistent.
Now both endpoints return the same JSON, when a challenge is triggered.
If there are several C/R tokens, only ONE transaction_id is created,
which makes it easier for the calling application.

Closes #1353

* Add review comments for better readability

* Return pin-change info per token

Previously only the pin change info of the
first token-object was returned.

* increase diff coverage
