
Missing preferred_client_mode after validate-check-enrollment #3429

Closed
lukasmatusiewicz opened this issue Dec 20, 2022 · 8 comments · Fixed by #3457
Labels: Status: Waiting for merge into master (Issue is resolved. Needs to be merged from a feature branch to master); Type: Enhancement (Not a complete new functional component/feature but an enhancement of an already existing feature.)
Milestone: 3.8 patches

@lukasmatusiewicz (Author) opened this issue Dec 20, 2022:

Scenario: User has no tokens, enroll-via-challenge is active and set to: "push". Policy with preferred client mode is set to: poll webauthn interactive.
Push token is enrolled, client receives the image with qr code, new push token exists in multi_challenge and contains client_mode: poll, but preferred_client_mode is now missing in server response.
Expectation: if multi_challenge contains a token that is set as the preferred one, the preferred_client_mode should be shown in the same response.

@lukasmatusiewicz lukasmatusiewicz added the Type: Possible bug Suspected bug by user label Dec 20, 2022
@lukasmatusiewicz (Author):

Log:
"client_mode": "poll", "serial": "PIPU0005DC32", "type": "push" },
"id": 2,
"jsonrpc": "2.0",
"result": { "authentication": "CHALLENGE", "status": true, "value": false },
"time": 1671547345.716556,
"version": "privacyIDEA 3.8.dev3",
"versionnumber": "3.8.dev3",

@lukasmatusiewicz (Author) commented Dec 20, 2022:

Example of the right message:

        "client_mode": "interactive",
        "message": "Bitte geben Sie einen OTP-Wert ein: ",
        "serial": "TOTP00129442",
        "transaction_id": "01294272308714424797",
        "type": "totp"
      }
    ],
    "serial": "TOTP00129442",
    "threadid": 140013413730048,
    "transaction_id": "01294272308714424797",
    "transaction_ids": [
      "01294272308714424797",
    ],
    "type": "totp",
    "preferred_client_mode": "webauthn"
  },
  "id": 2,
  "jsonrpc": "2.0",

@cornelinux (Member):

The enrollment via validate/check shall contain the preferred_client_mode.

@cornelinux cornelinux added Type: Enhancement Not a complete new functional component/feature but an enhancement of an already existing feature. and removed Type: Possible bug Suspected bug by user labels Jan 5, 2023
@cornelinux cornelinux added this to the 3.8 patches milestone Jan 5, 2023
@cornelinux cornelinux added this to To do in privacyIDEA 3.8 via automation Jan 5, 2023
@cornelinux cornelinux changed the title Missing preferred_client_mode after enrollment Missing preferred_client_mode after validate-check-enrollment Jan 11, 2023
@cornelinux (Member):

@lukasmatusiewicz

We do not understand your expectation.
When e.g. doing an enroll-via-validate we are sending this response for enrolling an HOTP token:

{
    "detail": {
        "client_mode": "interactive",
        "image": "data:image/png;base64,...",
        "message": "Please scan the QR code!",
        "multi_challenge": [
            {
                "client_mode": "interactive",
                "image": "data:image/png;base64,...",
                "message": "Please scan the QR code!",
                "serial": "OATH00944DF6",
                "transaction_id": "01940676094419630868",
                "type": "hotp"
            }
        ],
        "serial": "OATH00944DF6",
        "threadid": 139702922225408,
        "transaction_id": "01940676094419630868",
        "transaction_ids": [
            "01940676094419630868"
        ],
        "type": "hotp"
    },
    "id": 2,
    "jsonrpc": "2.0",
    "result": {
        "authentication": "CHALLENGE",
        "status": true,
        "value": false
    },
    "signature": "rsa_sha256_pss:c8f0f38e1cec3a487361947663216517e6ed79dda6bbc3d45f0896fc342443db1e99b4074f5472ce284ed0bdefa017756cb1485790853b07b8de52e8bc9be4b008e6afcb88e93998f0335f471ac61d12a5fbcfc6561d5a208e0956eb735f2ca7382761c86fa1b676a321aa275cd3271b5e56bf90d61cccca6affa3225b268b0e00e81f12d9f03a47a90b12af1c4773fccf64a6899bae346c7e397e83af380a1ac65af8ba482c2d269faabae26393c933e245da880f341addaf1634596b3938032a8592094d7ec7b860c9d21febe5ee9fbb1619ae33ef277d53a8dad9bf098aee33b178f67d452c5e2fa28016f27bf0b975e4702f6369a5fd4b64c3d471ad9fc4",
    "time": 1673432654.7975852,
    "version": "privacyIDEA 3.8",
    "versionnumber": "3.8"
}

OK, if the user only has one token in challenge response we get this:

{
    "detail": {
        "client_mode": "interactive",
        "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAXIAAAFyAQAAAADAX2ykAAABuElEQVR42u2bSW7DMAxFieoAPlKu7iP5AAZci4Mop6sALQoKT4tAkf8qD1+cHLk+WrugR48ePXr06H9JL75aP5H77Gj9+Oy7ePZS/Zd8ttD/r975Kjyjah/90dYfGOmQwLco3w60s9SdWvcGevpZNzZ81+CrrpXtvpr38C98V/LvcK05Gb5Lxd/Zv0qV+LsC35E/h3Xzg/y5Pt9cZt0sjV5v9RS/Z934q/Wvps6znfMBfOv69+HV2J0yxWTu5+p8/avmzyPgaug9QgffuvlVXM1zaeRnFpPhW9a/u+7MtQ7USBvag/hbnK9Vvbo7n/MFh0z8rR1/54I3Ib+XUPAtGn9Hw1lNPOG2dJr4u8L9LG2wjP6kdyrJn+v3N5xqxFonPZkYvnX5XmlTH/3+yLngW9m/7XLrjlpodLLInxfw79zkmOOv9a+of4vXRzk/0pfsouGckRj/lq6PbLWRSY92Vry/gX+r3885K4pILJLxF77V66PH+1ci6eR5nMTvWZyv9a9y5r/5JBi+i/CVMVrIwT/z31Xib5RGOQ5WExN/F8mf50xrvI5F/btM/cv/79CjR48ePfq/138D4FK6dLJve+wAAAAASUVORK5CYII=",
        "message": "Please scan the QR code!",
        "multi_challenge": [
            {
                "client_mode": "interactive",
                "image": "data:image/png;base64,...",
                "message": "Please scan the QR code!",
                "serial": "OATH00944DF6",
                "transaction_id": "01940676094419630868",
                "type": "hotp"
            }
        ],
        "serial": "OATH00944DF6",
        "threadid": 139702922225408,
        "transaction_id": "01940676094419630868",
        "transaction_ids": [
            "01940676094419630868"
        ],
        "type": "hotp"
    },
    "id": 2,
    "jsonrpc": "2.0",
    "result": {
        "authentication": "CHALLENGE",
        "status": true,
        "value": false
    },
    "signature": "rsa_sha256_pss:...",
    "time": 1673432654.7975852,
    "version": "privacyIDEA 3.8",
    "versionnumber": "3.8"
}

We have detail->preferred_client_mode.

Does this mean you also want the detail->preferred_client_mode in the first case, during enroll-via-validate?
Please confirm! Thanks. <3

@cornelinux (Member):

@jona-samuel: The enroll-via-validate is implemented in the tokenclass method enroll_via_validate (see `def enroll_via_validate(cls, g, content, user_obj):`).
So it looks like we would simply have to duplicate the preferred_client_mode here.

I think #3382 is not relevant in this case.

@lukasmatusiewicz (Author) commented Jan 11, 2023:

Shouldn't the preferred_client_mode always be there?

If a QR code is sent with the challenge, the user should scan this code and confirm the new token in the same step, right?
For an "interactive" token, the UI should contain the image with an OTP field to allow confirming the new token.
For a "push" token, the OTP field shouldn't be shown, but the browser should poll for the new token confirmation.
To behave elastically in those situations, preferred_client_mode will be useful. If it is not there, the client will set the default (OTP) mode, and then the user has to choose the polling mode manually.

We have to consider all of these scenarios on the client side, but seeing the preferred_client_mode will never be wrong. And we can't know if the image tag contains the QR code or just the phone icon. We can just show the image in the right mode. That's it.
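A client-side reading of the comment above, as an added example that is neither part of this issue nor privacyIDEA's own code: it picks the UI mode from detail.preferred_client_mode only when that mode is actually offered by some entry in multi_challenge, otherwise falls back to the mode of the single offered challenge (the push enrollment case above, where the field is missing), otherwise to the "interactive" (OTP field) default the author describes. The sample responses are constructed from the fragments quoted in this thread; the transaction IDs, the mixed TOTP-plus-WebAuthn response and the helper names are assumptions.

```python
# Client-side handling of a privacyIDEA /validate/check CHALLENGE response.
# Added example; helper names and sample data are assumptions, not project code.

DEFAULT_CLIENT_MODE = "interactive"  # what a client shows when the server gives no hint


def _challenge(client_mode, serial, type_, transaction_id, image=None):
    """Build one multi_challenge entry in the shape seen in the responses above (constructed)."""
    entry = {"client_mode": client_mode, "serial": serial, "type": type_,
             "transaction_id": transaction_id, "message": "Please scan the QR code!"}
    if image is not None:
        entry["image"] = image
    return entry


def _response(detail):
    """Wrap detail in the JSON-RPC envelope privacyIDEA uses for a pending challenge (constructed)."""
    return {"detail": detail, "id": 2, "jsonrpc": "2.0",
            "result": {"authentication": "CHALLENGE", "status": True, "value": False}}


# Constructed samples. Transaction IDs are made up; images are placeholders.
PUSH_ENROLL_RESPONSE = _response({  # enroll-via-validate of a push token: no preferred_client_mode
    "client_mode": "poll", "image": "data:image/png;base64,...", "type": "push",
    "serial": "PIPU0005DC32", "transaction_id": "00000000000000000001",
    "multi_challenge": [_challenge("poll", "PIPU0005DC32", "push",
                                   "00000000000000000001", "data:image/png;base64,...")],
})
TOTP_RESPONSE = _response({  # the author's "right message": preferred mode not offered by any challenge
    "client_mode": "interactive", "type": "totp", "serial": "TOTP00129442",
    "transaction_id": "01294272308714424797", "preferred_client_mode": "webauthn",
    "multi_challenge": [_challenge("interactive", "TOTP00129442", "totp", "01294272308714424797")],
})
MIXED_RESPONSE = _response({  # assumed: one user with a TOTP and a WebAuthn token
    "client_mode": "interactive", "type": "totp", "serial": "TOTP00129442",
    "transaction_id": "00000000000000000002", "preferred_client_mode": "webauthn",
    "multi_challenge": [_challenge("interactive", "TOTP00129442", "totp", "00000000000000000002"),
                        _challenge("webauthn", "WAN00000001", "webauthn", "00000000000000000002")],
})


def is_challenge(response):
    """True only for the CHALLENGE shape: status true, value false, authentication CHALLENGE.
    A client must never treat value=false alone as a successful login."""
    result = response.get("result") or {}
    return (result.get("status") is True and result.get("value") is False
            and result.get("authentication") == "CHALLENGE")


def select_client_mode(response):
    """Decide how the login page should render the pending challenge(s)."""
    detail = response.get("detail") or {}
    challenges = detail.get("multi_challenge") or []
    offered = {c["client_mode"] for c in challenges if c.get("client_mode")}
    preferred = detail.get("preferred_client_mode")
    if preferred in offered:          # honour the server hint only if a matching challenge exists
        return preferred
    if len(offered) == 1:             # no hint, single mode: nothing to choose (the push case)
        return next(iter(offered))
    if detail.get("client_mode") in offered:  # several modes, no usable hint: top-level mode
        return detail["client_mode"]
    return DEFAULT_CLIENT_MODE


def plan_ui(response):
    """Translate the response into concrete UI decisions; raises on a non-challenge response."""
    if not is_challenge(response):
        raise ValueError("not a CHALLENGE response")
    detail = response["detail"]
    mode = select_client_mode(response)
    challenges = detail.get("multi_challenge") or []
    # The response does not say whether "image" is a QR code or a phone icon, so the image is
    # taken from a challenge running in the chosen mode and the mode alone decides the controls.
    chosen = next((c for c in challenges if c.get("client_mode") == mode), challenges[0] if challenges else {})
    return {
        "mode": mode,
        "transaction_id": detail.get("transaction_id"),
        "image": chosen.get("image"),
        "message": chosen.get("message") or detail.get("message"),
        "show_otp_field": mode == "interactive",
        "poll_for_confirmation": mode == "poll",
        "start_webauthn": mode == "webauthn",
    }


if __name__ == "__main__":
    for name, resp in (("push", PUSH_ENROLL_RESPONSE), ("totp", TOTP_RESPONSE), ("mixed", MIXED_RESPONSE)):
        print(name, plan_ui(resp))
```

The preferred mode is honoured only when a challenge in that mode exists: in the author's TOTP example the server says "webauthn" while the only challenge is an interactive TOTP one, so the page still shows the OTP field instead of starting a WebAuthn ceremony that has no challenge behind it.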

@jona-samuel jona-samuel linked a pull request Jan 12, 2023 that will close this issue
@jona-samuel (Contributor):

@lukasmatusiewicz can you test this change?

#3457

@lukasmatusiewicz (Author):

sure

@cornelinux cornelinux moved this from To do to Ready for Review in privacyIDEA 3.8 Jan 12, 2023
privacyIDEA 3.8 automation moved this from Ready for Review to Nearly Done Jan 18, 2023
@plettich plettich moved this from Nearly Done to Done in privacyIDEA 3.8 Jan 19, 2023
@plettich plettich moved this from Done to Nearly Done in privacyIDEA 3.8 Jan 19, 2023
@plettich plettich added the Status: Waiting for merge into master Issue is resolved. Needs to be merged from a feature branch to master label Jan 19, 2023
plettich pushed a commit that referenced this issue Jan 20, 2023
@cornelinux cornelinux moved this from Nearly Done to Done in privacyIDEA 3.8 Jan 26, 2023