#390 Can't log into OCP cluster after changing 2FA device
Closed: Fixed 2 years ago by arrfab. Opened 2 years ago by jlebon.

I've changed my 2FA device over the weekend in https://accounts.fedoraproject.org/. The move went fine and I can log into e.g. Bodhi using the new device.

However, I can't log into the OCP cluster anymore it seems. I keep getting 400 - Bad Request after trying to log in. It might be unrelated to the 2FA change, though things worked fine last week.


Metadata Update from @humaton:
- Issue tagged with: authentication, low-gain, low-trouble

2 years ago

@jlebon in the password field on the ocp4 console, you can append your 2FA token to the end of your normal password and it should work.

Yup, that's what I usually do and kept trying but it didn't work. That said, trying now it looks like it works again! Maybe some kind of cache invalidation needed to happen or something?

Anyway, thanks for looking!

Metadata Update from @jlebon:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Hmm, this is happening again now even though I didn't change anything. I can log in fine with my password + OTP in e.g. Bodhi and https://accounts.fedoraproject.org/. It seems localized to OCP.

Metadata Update from @jlebon:
- Issue status updated to: Open (was: Closed)

2 years ago

@jlebon, when that happens, can you log in fine on both:

?
If you can, then indeed something doesn't work correctly between OCP then trying to reach out to ipsilon (id.centos.org) IdP for openid connect.

Logging into OCP works again, so I can't test your suggestion. :) But let's leave this open for a bit in case it decides to stop working again.

As discussed in the infra and releng meeting, closing this one and feel free to reopen if you encounter the issue again (but the other fedora ticket was closed as fixed too).

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Was hitting this again where I could log into https://accounts.centos.org/ and https://accounts.fedoraproject.org/ fine with my password + OTP but not in https://id.centos.org/.

Ended up changing my password in https://accounts.fedoraproject.org/ to try to jog things up and that seems to have done the trick.

I've been hitting this again recently. Sometimes it works to just keep trying until it lets me in. But today, that trick doesn't work.

Can log in fine in https://accounts.centos.org/user/jlebon/ and https://accounts.fedoraproject.org/user/jlebon/.

Have there been any other reports about this?

Metadata Update from @jlebon:
- Issue status updated to: Open (was: Closed)

2 years ago

hey @jlebon
No, you're actually the only one who reported it but there were quite a lot of network issues at the DC where Fedora infra is hosted in the last two days (and so where IPA and ipsilon instances are hosted too).
I obviously also have 2FA enabled on my account, but I never use ipsilon (meaning that I'm not typing my 2FA/OTP code there), as I'm using it in a transparent way with my kerberos ticket.
So that means that if (I'm not using it though) I have to log in on openshift, it doesn't even ask me my username/password/otp combination at all and does that transparently with kerberos (so OTP is only needed once to kinit).

Are you using that feature?
see https://wiki.centos.org/Authentication#Enabling_kerberos_for_IdP

Metadata Update from @arrfab:
- Issue priority set to: Waiting on Reporter (was: Needs Review)

2 years ago

no activity and also Fedora reported at that time some network issue in the DC where IPA and ipsilon instances were hosted.
There is also still another sssd issue which is also tracked in fedora-infra tracker so closing this one here for now (and no news for the workaround with kerberos)

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Hey Fabian,

Sorry was on vacation for a while. I've set up GSSAPI now for Fedora and it works great so far! Thanks for the tip.
