Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Script based adaptive authentication fails with TOTP authenticator #5779

Closed
Seralahthan opened this issue Jun 19, 2019 · 0 comments · Fixed by wso2/carbon-identity-framework#2264
Closed

[Bug] Script based adaptive authentication fails with TOTP authenticator #5779

Seralahthan opened this issue Jun 19, 2019 · 0 comments · Fixed by wso2/carbon-identity-framework#2264
Labels
Affected/5.7.0 Complexity/High Component/Adaptive Auth Priority/High Type/Bug WUM

Comments

@Seralahthan
Copy link

When the script based adaptive authentication is used with TOTP authenticator as the second step and the OnFail event handler is configured to retry the step 02 (if failed) the user directed to the retry.do page (https://localhost:9443/authenticationendpoint/retry.do?sp=travelocity.com&tenantDomain=carbon.super) with "Authentication Error" message.
The expected behavior is to prompt the user to re-enter the TOTP code if the user enters a wrong code.

The following stack trace is observed in the logs

[2019-06-17 09:56:36,819] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Authentication failed, user : admin@carbon.super org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: Authentication failed, user : admin@carbon.super at org.wso2.carbon.identity.application.authenticator.totp.TOTPAuthenticator.processAuthenticationResponse(TOTPAuthenticator.java:306) at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:78) at org.wso2.carbon.identity.application.authenticator.totp.TOTPAuthenticator.process(TOTPAuthenticator.java:121) at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:501) at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:475) at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:175) at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler.handleAuthenticationStep(GraphBasedSequenceHandler.java:410) at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler.handleNode(GraphBasedSequenceHandler.java:170) at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler.handle(GraphBasedSequenceHandler.java:125) at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:139) at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:244)

[2019-06-17 09:56:36,823] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Exception in Authentication Framework java.lang.NullPointerException at org.wso2.carbon.extension.identity.helper.FederatedAuthenticatorUtil.setUsernameFromFirstStep(FederatedAuthenticatorUtil.java:399) at org.wso2.carbon.identity.application.authenticator.totp.TOTPAuthenticator.initiateAuthenticationRequest(TOTPAuthenticator.java:149) at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:72) at org.wso2.carbon.identity.application.authenticator.totp.TOTPAuthenticator.process(TOTPAuthenticator.java:121) at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:501) at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:266) at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler.handleAuthenticationStep(GraphBasedSequenceHandler.java:410) at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler.handleNode(GraphBasedSequenceHandler.java:170) at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraphBasedSequenceHandler.handle(GraphBasedSequenceHandler.java:125) at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:139) at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:244)

Debugging

While debugging the issue I was able to notice the following suspicious points which might be helpful in fixing the issue.

The NullPointerException is thrown in the FederatedAuthenticatorUtil class [1] as the AuthenticationContext passed to the "setUsernameFromFirstStep" method has "null" values passed for the "authenticatedUser" and "authenticatedAuthenticator". We need to further analyze why the context is not properly populating when provided a wrong TOTP and triggers the OnFail execution.

Also, I noticed that when the TOTP Authenticator completes the authentication flow with flowStatus == FAIL_COMPLETED and tries to execute the OnFail flow where we initiate a retry. But unexpectedly the authentication step number is getting increased to 3 during the flow [2].
We need to further investigate this behavior as well.

Suggestions

Fix provided in the PR [3] might resolve the NullPointerException.

Steps to reproduce

  • Configure the following 3 authentication steps
    Step 1: Local authentication = basic
    Step 2: Local authentication = TOTP (Google)
    Step 3: Federated Authentication: Email OTP

  • Create a user with 'Internal/GoogleAuthentication' role.

  • Use the test.script.js [4]

  • Try the authentication flow and provide a wrong TOTP in the second step.

[1] https://github.com/wso2-extensions/identity-extension-utils/blob/v1.0.5/component/helper/src/main/java/org/wso2/carbon/extension/identity/helper/FederatedAuthenticatorUtil.java#L395
[2] https://github.com/wso2-support/carbon-identity-framework/blob/support-5.12.153/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/sequence/impl/GraphBasedSequenceHandler.java#L400-L408
[3] wso2-extensions/identity-extension-utils#13
[4] https://drive.google.com/open?id=1NujxR5duKLWr96ZEAvhbyXd-rCIHraiB
@Seralahthan Seralahthan changed the title Script based adaptive authentication fails with TOTP authenticator [IS-5.7.0][Bug]Script based adaptive authentication fails with TOTP authenticator Jun 19, 2019
@Seralahthan Seralahthan changed the title [IS-5.7.0][Bug]Script based adaptive authentication fails with TOTP authenticator [IS-5.7.0][Bug] Script based adaptive authentication fails with TOTP authenticator Jun 19, 2019
@Seralahthan Seralahthan changed the title [IS-5.7.0][Bug] Script based adaptive authentication fails with TOTP authenticator [Bug] Script based adaptive authentication fails with TOTP authenticator Jun 19, 2019
ruwanta pushed a commit to ruwanta/carbon-identity-framework that referenced this issue Jun 25, 2019
Merge fix for wso2/product-is#5779
faf783e
@ruwanta ruwanta mentioned this issue Jun 25, 2019
Merged
19 tasks
@pamodaaw pamodaaw mentioned this issue Oct 7, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Affected/5.7.0 Complexity/High Component/Adaptive Auth Priority/High Type/Bug WUM
Projects
None yet
Milestone
No milestone
3 participants
@vihanga-liyanage @senthalan @Seralahthan