Missing preferred_client_mode after validate-check-enrollment #3429
Log: |
Example of the right message: "client_mode": "interactive",
"message": "Bitte geben Sie einen OTP-Wert ein: ",
"serial": "TOTP00129442",
"transaction_id": "01294272308714424797",
"type": "totp"
}
],
"serial": "TOTP00129442",
"threadid": 140013413730048,
"transaction_id": "01294272308714424797",
"transaction_ids": [
"01294272308714424797",
],
"type": "totp",
"preferred_client_mode": "webauthn"
},
"id": 2,
"jsonrpc": "2.0", |
The enrollment via validate/check shall contain the preferred_client_mode. |
We do not understand your expectation. {
"detail": {
"client_mode": "interactive",
"image": "data:image/png;base64,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",
"message": "Please scan the QR code!",
"multi_challenge": [
{
"client_mode": "interactive",
"image": "data:image/png;base64,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",
"message": "Please scan the QR code!",
"serial": "OATH00944DF6",
"transaction_id": "01940676094419630868",
"type": "hotp"
}
],
"serial": "OATH00944DF6",
"threadid": 139702922225408,
"transaction_id": "01940676094419630868",
"transaction_ids": [
"01940676094419630868"
],
"type": "hotp"
},
"id": 2,
"jsonrpc": "2.0",
"result": {
"authentication": "CHALLENGE",
"status": true,
"value": false
},
"signature": "rsa_sha256_pss: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",
"time": 1673432654.7975852,
"version": "privacyIDEA 3.8",
"versionnumber": "3.8"
} OK, if the user only has one token in challenge response we get this: {
"detail": {
"client_mode": "interactive",
"image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAXIAAAFyAQAAAADAX2ykAAABuElEQVR42u2bSW7DMAxFieoAPlKu7iP5AAZci4Mop6sALQoKT4tAkf8qD1+cHLk+WrugR48ePXr06H9JL75aP5H77Gj9+Oy7ePZS/Zd8ttD/r975Kjyjah/90dYfGOmQwLco3w60s9SdWvcGevpZNzZ81+CrrpXtvpr38C98V/LvcK05Gb5Lxd/Zv0qV+LsC35E/h3Xzg/y5Pt9cZt0sjV5v9RS/Z934q/Wvps6znfMBfOv69+HV2J0yxWTu5+p8/avmzyPgaug9QgffuvlVXM1zaeRnFpPhW9a/u+7MtQ7USBvag/hbnK9Vvbo7n/MFh0z8rR1/54I3Ib+XUPAtGn9Hw1lNPOG2dJr4u8L9LG2wjP6kdyrJn+v3N5xqxFonPZkYvnX5XmlTH/3+yLngW9m/7XLrjlpodLLInxfw79zkmOOv9a+of4vXRzk/0pfsouGckRj/lq6PbLWRSY92Vry/gX+r3885K4pILJLxF77V66PH+1ci6eR5nMTvWZyv9a9y5r/5JBi+i/CVMVrIwT/z31Xib5RGOQ5WExN/F8mf50xrvI5F/btM/cv/79CjR48ePfq/138D4FK6dLJve+wAAAAASUVORK5CYII=",
"message": "Please scan the QR code!",
"multi_challenge": [
{
"client_mode": "interactive",
"image": "data:image/png;base64,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",
"message": "Please scan the QR code!",
"serial": "OATH00944DF6",
"transaction_id": "01940676094419630868",
"type": "hotp"
}
],
"serial": "OATH00944DF6",
"threadid": 139702922225408,
"transaction_id": "01940676094419630868",
"transaction_ids": [
"01940676094419630868"
],
"type": "hotp"
},
"id": 2,
"jsonrpc": "2.0",
"result": {
"authentication": "CHALLENGE",
"status": true,
"value": false
},
"signature": "rsa_sha256_pss:c8f0f38e1cec3a487361947663216517e6ed79dda6bbc3d45f0896fc342443db1e99b4074f5472ce284ed0bdefa017756cb1485790853b07b8de52e8bc9be4b008e6afcb88e93998f0335f471ac61d12a5fbcfc6561d5a208e0956eb735f2ca7382761c86fa1b676a321aa275cd3271b5e56bf90d61cccca6affa3225b268b0e00e81f12d9f03a47a90b12af1c4773fccf64a6899bae346c7e397e83af380a1ac65af8ba482c2d269faabae26393c933e245da880f341addaf1634596b3938032a8592094d7ec7b860c9d21febe5ee9fbb1619ae33ef277d53a8dad9bf098aee33b178f67d452c5e2fa28016f27bf0b975e4702f6369a5fd4b64c3d471ad9fc4",
"time": 1673432654.7975852,
"version": "privacyIDEA 3.8",
"versionnumber": "3.8"
} We have Does this mean you also want the |
@jona-samuel: The enroll-via-validate is implemented in the tokenclass method
So it looks like we would simply have to duplicate the preferred_client_mode here. I think #3382 is not relevant in this case. |
Shouldn't the If a QR Code is sent with the challenge, the user should scan this code, and confirm a new token in the same step, right? We have to consider all of these scenarios on the client side, but to see the |
@lukasmatusiewicz can you test this change? |
sure |
Scenario: User has no tokens, enroll-via-challenge is active and set to: "push". Policy with preferred client mode is set to: poll webauthn interactive.
Push token is enrolled, client receives the image with QR code, new push token exists in multi_challenge and contains client_mode: poll, but preferred_client_mode is now missing in server response.
Expectation: if multi_challenge contains a token that is set as the preferred one, the preferred_client_mode should be shown in the same response.
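The expectation above can be turned into a client-side or regression check. The following is an added example, not code from this thread or from privacyIDEA; it assumes the preferred mode is the first entry of the policy list that any triggered challenge offers, the function names are hypothetical, and both sample responses are constructed.

```python
# Added example: constructed data and hypothetical helper names.
POLICY_ORDER = "poll webauthn interactive".split()  # policy value from the scenario


def expected_preferred_mode(detail, policy_order):
    """Return the first mode in policy order that a triggered challenge offers."""
    offered = {c.get("client_mode") for c in detail.get("multi_challenge", [])}
    return next((mode for mode in policy_order if mode in offered), None)


def check_response(response, policy_order=POLICY_ORDER):
    """Classify a /validate/check response: ok, missing, mismatch or not_challenge."""
    if response.get("result", {}).get("authentication") != "CHALLENGE":
        return {"status": "not_challenge", "expected": None, "actual": None}
    detail = response.get("detail", {})
    expected = expected_preferred_mode(detail, policy_order)
    actual = detail.get("preferred_client_mode")
    if expected == actual:
        status = "ok"
    elif actual is None:
        status = "missing"   # the behaviour reported in this issue
    else:
        status = "mismatch"  # field present but not what the policy implies
    return {"status": status, "expected": expected, "actual": actual}


CHALLENGE = {"authentication": "CHALLENGE", "status": True, "value": False}

# Constructed: enroll-via-validate of a push token, field missing as reported.
ENROLL_PUSH = {
    "detail": {
        "client_mode": "poll",
        "multi_challenge": [
            {"client_mode": "poll", "serial": "PIPU-CONSTRUCTED", "type": "push"}
        ],
    },
    "result": CHALLENGE,
}

# Constructed: regular challenge response that carries the field.
REGULAR = {
    "detail": {
        "multi_challenge": [
            {"client_mode": "webauthn", "serial": "WAN-CONSTRUCTED", "type": "webauthn"},
            {"client_mode": "interactive", "serial": "TOTP-CONSTRUCTED", "type": "totp"},
        ],
        "preferred_client_mode": "webauthn",
    },
    "result": CHALLENGE,
}

if __name__ == "__main__":
    for name, resp in (("enroll push", ENROLL_PUSH), ("regular", REGULAR)):
        print(name, check_response(resp))
```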