
Stage binding policy always skipping stage

Open | Electromaster232 opened this issue 2 years ago • 5 comments

Describe your question: I am attempting to set up a flow in which a user will be required to verify their MFA to log into an OAuth application, UNLESS they have a "2fa_override" attribute. However, I am seeing an issue where no matter what policy I place on the Authenticator Validation Stage, this stage is always skipped (as if it is always being denied), even if the policy is just `return True` (`return False`, actual code to look for the attribute I mentioned, or anything else all have the same effect: the stage is always skipped and the user is never asked to verify their code). No logs are generated despite my having checked to log all executions of the policy. If I remove the policy entirely, the flow works as expected.

It should be noted however, that it seems this problem only occurs when the flow is actually executed by the application. If I run the flow from the "Execute flow" buttons in the flow editor, everything appears to work as expected. I therefore believe that there is some issue with the OAuth provider that is skipping the stage when the policy exists. I was not able to find anything in the documentation mentioning this as intended behavior. It should also be noted I am attempting to use this with the Github compatibility layer.

Relevant info: Version 2022.4.1. The issue has existed at least since 2022.3.

Screenshots: Flow diagram [screenshot, 2022-04-18, not included]

Logs: No logs are generated indicating that the policy executed. The normal flow logs are shown, which I can pull if needed, but from my quick glance they do not appear any different from any other regular flow.

Version and Deployment (please complete the following information):

  • authentik version: 2022.4.1
  • Deployment: docker

I filed this under "question" as I am not sure if this is intended behavior, but it may make more sense under bug report if it is not.

Electromaster232 avatar Apr 18 '22 11:04 Electromaster232

How are your stages and policies configured? Do they run with the flow plan or are they re-run? Exporting your flow would be helpful.

sevmonster avatar Apr 19 '22 09:04 sevmonster

I have tried the different plan options (re-run on/off, plan on/off); there is no change to the way it runs. Correct me if I'm wrong, but since this is the first stage in the flow anyway, wouldn't it not matter which evaluate mode is used (as long as one of them is on), as either way the stage gets evaluated just before it is shown to the user?

Regardless, I've attached the flow (extension changed to txt as GitHub will not allow the akflow extension): 2fa-verify.txt

Electromaster232 avatar Apr 19 '22 13:04 Electromaster232

Just following up on this... any ideas @BeryJu?

Electromaster232 avatar Apr 25 '22 14:04 Electromaster232

I am seeing the same thing with the default recovery flow to reset your password. It never prompts for the email address to send the email. It just jumps to the reset page which always fails.

Running 2022.7.2. I also noticed that having both "Evaluate on plan" and "Re-evaluate policies" is still causing the policy evaluations to be cached (enabling Execution Logging shows event logs only after clearing the policy cache).

AngellusMortis avatar Jul 18 '22 02:07 AngellusMortis

Disconcertingly, I've experienced this with the passwordless login. On an older version of authentik this was acting as expected; however, I am unsure when this broke.

Policy testing returns True as expected for users with a WebAuthnDevice and False without. My last known good authentik version was ~~2022.6.3~~ *Edit: just did a roll back and this version still has the issue.*

dugite-code avatar Aug 12 '22 02:08 dugite-code

The initial issue for this was most likely caused by the flow cache, caused by these two config options: [screenshot of the two binding options, not included] (The defaults have changed with different authentik versions.) For flows like this, where the policy needs to be executed just-in-time instead of being executed before the flow starts, the second option needs to be enabled and the first one disabled.

BeryJu avatar Mar 28 '24 17:03 BeryJu
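As an added illustration (not code from the thread or from the authentik project), here is a blueprint fragment expressing the binding settings BeryJu describes, together with an expression policy matching the original poster's "2fa_override" requirement. The flow slug, stage name and policy name are placeholders, and the blueprint field names (`evaluate_on_plan`, `re_evaluate_policies`) are assumed to match authentik's FlowStageBinding model for the release in use.

```yaml
# Added illustration, not from the thread: an authentik blueprint fragment
# showing the just-in-time binding settings BeryJu recommends. Names and
# slugs are placeholders; the field names assume authentik's FlowStageBinding
# and PolicyBinding models and may not match every release.
version: 1
metadata:
  name: example-2fa-override-binding
entries:
  # Expression policy: the stage runs (True) unless the user carries the
  # "2fa_override" attribute the original poster describes.
  - model: authentik_policies_expression.expressionpolicy
    id: policy-require-mfa-unless-override
    identifiers:
      name: require-mfa-unless-override
    attrs:
      execution_logging: true   # log every evaluation, as the poster enabled
      expression: |
        # attributes is a dict; a missing attribute means MFA is required
        return not request.user.attributes.get("2fa_override", False)

  # Binding of the authenticator validation stage into an existing flow.
  # Cached behaviour that produced the report:
  #   evaluate_on_plan: true       result computed (and cached) when the plan is built
  #   re_evaluate_policies: false  and never re-checked when the stage is reached
  # Corrected: evaluate only when the stage itself is about to run.
  - model: authentik_flows.flowstagebinding
    id: binding-authenticator-validate
    identifiers:
      target: !Find [authentik_flows.flow, [slug, placeholder-2fa-verify]]
      stage: !Find [authentik_stages_authenticator_validate.authenticatorvalidatestage, [name, placeholder-mfa-validate]]
      order: 0
    attrs:
      evaluate_on_plan: false
      re_evaluate_policies: true

  # Attach the policy to the stage binding (not to the flow itself).
  - model: authentik_policies.policybinding
    identifiers:
      policy: !KeyOf policy-require-mfa-unless-override
      target: !KeyOf binding-authenticator-validate
      order: 0
    attrs:
      enabled: true
```

With execution logging on, each policy evaluation should appear as an event when the stage is reached; if it only appears after clearing the policy cache, the binding is still being evaluated on plan.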