Fix for DUO Universal Prompt authentication #426
Conversation
Changing re.sub in line 147 of this file to look for ANY digit in front of the "v" part. We ran into an issue in our environment because the original code here was looking for v4 and our DUO setup was set to v3, so this replacement never happened and resulted in a malformed URL leading to 403 responses from the DUO server. Signed-off-by: smxjrz <Smelecs@gmail.com>
| @@ -145,7 +145,7 @@ def _perform_authentication_transaction( | |||
| ssl_verification_enabled, | |||
| ): | |||
| duo_host = re.sub( | |||
| r"/frame/frameless/v4/auth.*", | |||
| r"/frame/frameless/v\d+/auth.*", | |||
There was a problem hiding this comment.
I'm surprised it isn't needed to capture this version returned the Duo server, and reuse it in the constructed URLs sent to the same server afterward:
# rg -F 'v4' aws_adfs/_duo_universal_prompt_authenticator.py
219: status_for_url = duo_host + "/frame/v4/status"
246: result_for_url = duo_host + "/frame/v4/oidc/exit"
267: status_for_url = duo_host + "/frame/v4/status"
537: duo_url = duo_host + "/frame/v4/prompt"
574: prompt_for_url = duo_host + "/frame/v4/prompt"
Does everything really work fine with this single change?
There was a problem hiding this comment.
Hi @pdecat,
We've been using the tool against the DUO traditional prompt in our environment for a while with no issue and when our org made the switch over to the new Universal prompt, I had noticed that the latest version of the library started returning 403 when I tried to get credentials using the tool.
What I observed was that the duo_url before the regex replace call where my change is was making call out to "https://api-[API_ID].duosecurity.com/frame/frameless/v3/auth?sid=[[SID]]&tx=[[TX_ID]]/frame/v4/prompt"
The problem is, the goal of the regex wants to strip out the "frame/frameless/v3/auth?sid=[SID]&tx=[TX_ID]" part but the existing code is trying to match "/frame/frameless/v4/auth.*" and strip it out by replacing it with empty string, so you just have the URL to the DUO API.
The observation that I made, however, was that our DUO API was returning a different versioned /frame/frameless/v3/auth.* which led to the duo_url value in the having the frame/frameless/v3/auth?sid=[[SID]]&tx=[[TX_ID]] in the variable. which led to the following output
Error: Issues during beginning of the authentication process. The error response <Response [403]>
Which is due to the fact that the first call after this code (to /frame/v4/prompt) was not actually being called since the code was invoking "/frame/frameless/v3/auth?sid=[[SID]]&tx=[[TX_ID]]/frame/v4/prompt", where the "/frame/v4/prompt" part was part of tx in the query string of the URI.
Once I tweaked the regex to look for any digit the URI was stripped as expected from the DUO Url and we were able to get our credentials.
There was a problem hiding this comment.
Makes sense, thanks for the detailed explanation.
Changing re.sub in line 147 of this file to look for ANY digit in front of the "v" part.
We ran into an issue in our environment because the original code here was looking for "v4" and our DUO setup was returning "v3", so this replacement never happened and resulted in a malformed URL leading to 403 responses from the DUO server.