AlternateLoginOptions don't work
After failing a webauthn challenge, users are presented with alternate login options. I haven't been able to successfully use them, though; nothing I tried resulted in successful authentication.
Is there an easy way to disable this feature entirely and simply return the user to the original login screen with an authentication failed message?
Hi, the plan is to always offer OTP input. Then, depending on whether challenges had been triggered, webauthn or push is offered in the alternate login options (+preferred_client_mode setting in the server choosing the mode first used by the plugin). So if you fail webauthn there should only be the option to try otp but not push if the user does not have a push token. Is there no error displayed after failing webauthn? What was the reason for failing and which OS? I am not sure how it currently looks in this plugin because, frankly, this does not have priority for us.
Hey, thanks for the response!
> if you fail webauthn there should only be the option to try otp but not push if the user does not have a push token.
If I fail webauthn (in this case by failing to enter the correct yubikey pin or unplugging the device), I don't get any error message, but remain at the page asking to 'Please confirm with your WebAuthn token' and presenting two 'Alternate login options:' 'WebAuthn' and 'OTP'. Upon selecting OTP, an OTP input field appears, but whatever I enter, it will just return with the same screen.
After a bit more debugging, I found out privacyIDEA is returning 'message': 'Response did not match the challenge.', so it seems like it's trying to send an OTP as response to the WebAuthn challenge instead of initiating a new validate call.
The OS is debian bookworm.
Thanks for the information. I guess what you wrote is the cause of the problem. If you can, feel free to submit a PR to fix it, as we currently do not have the resources to work on this project.
> we currently do not have the resources to work on this project

Sorry to hear that, I'll see what I can do to conjure up a PR.
Are there any future plans to pick this project back up again or would I be better off migrating to keycloak?
We will probably update this some time, but we have multiple plugins so it always takes some time before we do something. However, I would advise to use keycloak because it is way more modern and has a more widespread use. We prioritize our keycloak plugin because of that.