When vetting a 2nd token of the same type in the same RA browser session, the activation fails with an error on the gateway, because of the recent session-protection that was added to Stepup-Gateway 4.2.4:
Jan 25 12:56:13 pappstag1.prd.ams.surfconext.nl stepup-gateway[1288]: {"channel":"request","level":"CRITICAL","message":"Uncaught PHP Exception Surfnet\\StepupGateway\\SamlStepupProviderBundle\\Exception\\InvalidSubjectException: \"The subject should not be rewritten with another value. Old: \"s7tfpm-agv8\", new \"s7tft2-c660\"\" at /opt/openconext/OpenConext-gateway-4.2.4/src/Surfnet/StepupGateway/SamlStepupProviderBundle/Saml/StateHandler.php line 47","context":{"exception":{"class":"Surfnet\\StepupGateway\\SamlStepupProviderBundle\\Exception\\InvalidSubjectException","message":"The subject should not be rewritten with another value. Old: \"s7tfpm-agv8\", new \"s7tft2-c660\"","code":0,"file":"/opt/openconext/OpenConext-gateway-4.2.4/src/Surfnet/StepupGateway/SamlStepupProviderBundle/Saml/StateHandler.php:47"}},"extra":{"art":"10662","server":"sa-gw.surfconext.nl","application":"stepup-gateway","request_id":"59f44f5dba8f8c85d6e0b08b0d0e2ce1"}}
To reproduce, activate a tiqr token in RA, and immediately activate another tiqr token in the same browser window.
Another (simpler) way to reproduce the issue that can easily be repeated is using the self service interface. Start with an account with both a YubiKey and a Tiqr token registered that allows vetting with an existing token and ideally has email validation disabled (institution-f is set up this way).
Log in to SS
Choose test a token, and authenticate with Tiqr. This authentication succeeds.
Remove the Tiqr token
Add a Tiqr token and complete the enrollment. The enrollment will fail with the error 10662 above on the gateway and subsequent enrollments of a Tiqr token will continue to fail.
Delete the sess_gateway cookie.
Add a Tiqr token and complete the enrollment; the enrollment now succeeds. You can now activate your token using the YubiKey in the account.
Related to "State confusion" mentioned in #186895557
As shown above a workaround is to delete the gateway session. This can be accomplished by restarting the browser, using a private window or by manually deleting the sess_gateway cookie of the gateway.
Targeted version: 4.2.4
Fixed in: release/4.2
Cherry-picked back to develop
In SecondFactorVerificationService.php the comments state that it is only used by SA and RA. If that is correct, then the check on the subject there (lines 78-87) is not needed.
In StateHandler.php roughly the same check on the subjectID is done, but that one should only be done when an authentication is in progress, not for an SA or RA check. Further on in the state handler is_second_factor_verification is set, so we can use that, except that in SecondFactorVerificationService it is only set AFTER the subject has been set.
I think the problem in SA and RA is solved if we remove the check from SecondFactorVerificationService.php, and make the check in the state handler depend on `is_second_factor_verification` (Michiel Kodde - Jan 31, 2024)
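The guard behaviour discussed in the comment above, as an added illustration that is not Stepup-Gateway code: a minimal session-backed state handler that refuses to overwrite the subject only while a second-factor verification is in progress, so that two consecutive tiqr enrolments from the same browser session (the scenario in this issue) no longer trip the subject-rewrite protection. The class name, method names, the `subject` and `is_second_factor_verification` session keys and the sample subject values are assumptions for this sketch, not the project's own identifiers.

```php
<?php
// Added illustration, not Stepup-Gateway code. Class/method/session-key
// names are assumptions; the subject values are constructed sample data.

class InvalidSubjectException extends RuntimeException {}

final class GsspStateHandler
{
    /** @var array<string,mixed> stands in for the gateway's PHP session */
    private array $session = [];

    public function startVerification(string $subject): void
    {
        // A real second-factor authentication binds the session to one
        // subject. Set the subject first, then raise the flag, so the
        // subject written here is itself not rejected by the guard.
        $this->setSubject($subject);
        $this->session['is_second_factor_verification'] = true;
    }

    public function finishVerification(): void
    {
        // Clear the flag when the verification round-trip completes so a
        // later registration/vetting from the same browser is not blocked.
        unset($this->session['is_second_factor_verification']);
    }

    public function setSubject(string $subject): void
    {
        $verifying = $this->session['is_second_factor_verification'] ?? false;
        $old       = $this->session['subject'] ?? null;

        // Only guard against rewriting while a verification is in progress;
        // SA/RA enrolment legitimately uses a fresh subject per token.
        if ($verifying && $old !== null && $old !== $subject) {
            throw new InvalidSubjectException(sprintf(
                'The subject should not be rewritten with another value. Old: "%s", new "%s"',
                $old,
                $subject
            ));
        }
        $this->session['subject'] = $subject;
    }

    public function subject(): ?string
    {
        return $this->session['subject'] ?? null;
    }
}

$state = new GsspStateHandler();

// Scenario from this issue: enrol tiqr token A, then token B, same session.
$state->setSubject('s7tfpm-agv8');   // first enrolment
$state->setSubject('s7tft2-c660');   // second enrolment: allowed, no verification running
echo 'after two enrolments: ', $state->subject(), "\n";

// The state-confusion case the guard exists for: a verification is running
// and something tries to swap the subject mid-flight.
$state->startVerification('s7tft2-c660');
try {
    $state->setSubject('other-subject');
    echo "unexpected: subject was rewritten during verification\n";
} catch (InvalidSubjectException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
$state->finishVerification();

// Once the verification has ended, a new enrolment may set a new subject again.
$state->setSubject('s7tfqq-0000');
echo 'after verification: ', $state->subject(), "\n";
```

The point of the conditional is the one made in the comment: the rewrite protection is meant for an authentication that is already in flight, and in an SA/RA flow there is no such authentication, so the flag (set after the subject, as noted above) is what distinguishes the two cases.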
This issue is imported from Pivotal - Originally created at Jan 25, 2024 by Pieter van der Meulen