RA and SA issue when activating multiple tokens #400

Open
phavekes opened this issue Nov 30, 2024 · 3 comments

Comments

@phavekes (Member)

This issue is imported from Pivotal. Originally created on Jan 25, 2024 by Pieter van der Meulen.

When vetting a 2nd token of the same type in the same RA browser session, the activation fails with an error on the gateway, because of the recent session-protection that was added to Stepup-Gateway 4.2.4:

Jan 25 12:56:13 pappstag1.prd.ams.surfconext.nl stepup-gateway[1288]: {"channel":"request","level":"CRITICAL","message":"Uncaught PHP Exception Surfnet\\StepupGateway\\SamlStepupProviderBundle\\Exception\\InvalidSubjectException: \"The subject should not be rewritten with another value. Old: \"s7tfpm-agv8\", new \"s7tft2-c660\"\" at /opt/openconext/OpenConext-gateway-4.2.4/src/Surfnet/StepupGateway/SamlStepupProviderBundle/Saml/StateHandler.php line 47","context":{"exception":{"class":"Surfnet\\StepupGateway\\SamlStepupProviderBundle\\Exception\\InvalidSubjectException","message":"The subject should not be rewritten with another value. Old: \"s7tfpm-agv8\", new \"s7tft2-c660\"","code":0,"file":"/opt/openconext/OpenConext-gateway-4.2.4/src/Surfnet/StepupGateway/SamlStepupProviderBundle/Saml/StateHandler.php:47"}},"extra":{"art":"10662","server":"sa-gw.surfconext.nl","application":"stepup-gateway","request_id":"59f44f5dba8f8c85d6e0b08b0d0e2ce1"}}

To reproduce, activate a tiqr-token in RA, and immediately activate another tiqr token in the same browser window.

Another (simpler) way to reproduce the issue, which can easily be repeated, is using the self-service interface. Start with an account with both a YubiKey and a Tiqr token registered that allows vetting with an existing token and ideally has email validation disabled (institution-f is set up this way).

  1. Log in to SS.
  2. Choose "test a token" and authenticate with Tiqr. This authentication succeeds.
  3. Remove the Tiqr token.
  4. Add a Tiqr token and complete the enrollment. The enrollment will fail with the error 10662 above on the gateway, and subsequent enrollments of a Tiqr token will continue to fail.
  5. Delete the sess_gateway cookie.
  6. Add a Tiqr token and complete the enrollment; the enrollment now succeeds. You can now activate your token using the YubiKey in the account.

Related to "State confusion" mentioned in #186895557

As shown above a workaround is to delete the gateway session. This can be accomplished by restarting the browser, using a private window or by manually deleting the sess_gateway cookie of the gateway.

Targeted version: 4.2.4
Fixed in: release/4.2
Cherry-picked back to develop

@phavekes (Member, Author)

Related to "State confusion" mentioned in https://www.pivotaltracker.com/story/show/186895557 (Peter Havekes - Jan 25, 2024)

@phavekes (Member, Author)

The same issue occurs when adding two tokens of the same type in self-service.

To reproduce in SA do (in one browser session):

  • Add a tiqr token
  • Activate the tiqr token
  • Delete the token
  • Try to add another tiqr token

(Peter Havekes - Jan 25, 2024)

@phavekes (Member, Author)

@phavekes wrote this suggestion (in Dutch)

In SecondFactorVerificationService.php the comments state that this service is only used by SA and RA. If that is correct, the check on the subject there (lines 78-87) is not needed.
In StateHandler.php roughly the same check on the subjectID is done, but it should only be done while an authentication is in progress, not for an SA or RA check. Further on in the state handler, is_second_factor_verification is set, so we can use that; the only problem is that in SecondFactorVerificationService it is set only AFTER the subject has been set.
I think the problem in SA and RA is solved if we remove the check from SecondFactorVerificationService.php and make the check in the state handler depend on `is_second_factor_verification`. (Michiel Kodde - Jan 31, 2024)

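The suggestion above, worked out as an added illustration (this is not Stepup-Gateway's code): a minimal session state handler that keeps the subject-rewrite protection, but only enforces it while a second-factor authentication is in progress, so that enrolling several tokens in one SA/RA browser session no longer trips it. The session array, method names and call order are assumptions modelled on the names in the comments.

```php
<?php
// Added illustration, not Stepup-Gateway code: a minimal session state handler
// modelled on the StateHandler / is_second_factor_verification names used in the
// comments above. The session array, method names and call order are assumptions.
class InvalidSubjectException extends RuntimeException {}

final class StateHandler
{
    /** @var array<string, mixed> stand-in for the sess_gateway session storage */
    private array $session = [];

    // Must be called BEFORE setSubject(): the comment above notes the original
    // service only set this flag after the subject had already been written.
    public function markSecondFactorVerification(bool $inProgress): void
    {
        $this->session['is_second_factor_verification'] = $inProgress;
    }

    public function setSubject(string $nameId): void
    {
        $current = $this->session['subject'] ?? null;
        $authenticating = $this->session['is_second_factor_verification'] ?? false;
        // Session protection: while a second-factor *authentication* is in progress
        // the subject must not change, or one user's pending state could be
        // completed under another identity (the "state confusion" referenced above).
        if ($current !== null && $current !== $nameId && $authenticating === true) {
            throw new InvalidSubjectException(sprintf(
                'The subject should not be rewritten with another value. Old: "%s", new "%s"',
                $current,
                $nameId
            ));
        }
        // SA/RA enrolment reuses one browser session for several tokens, so outside
        // an authentication a new subject is legitimate and simply replaces the old one.
        $this->session['subject'] = $nameId;
    }
}

// Enrolling two tokens in one session (the reproduction steps above): allowed.
$state = new StateHandler();
$state->markSecondFactorVerification(false);
$state->setSubject('s7tfpm-agv8');
$state->setSubject('s7tft2-c660');   // no exception with the flag-scoped check

// Second-factor authentication in progress: a changed subject is still rejected.
$state->markSecondFactorVerification(true);
try {
    $state->setSubject('another-subject');
} catch (InvalidSubjectException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```
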
@phavekes phavekes removed their assignment Nov 30, 2024