I'm locked out of my account since I activated OTP. I'm still able to send this because I had logged into pagure before and the session didn't expire yet ^^'. This is the second time I've tried to activate OTP, and it failed both times, locking me out of my account, each time with a different authenticator app :/... (The first time was a while ago.)
As soon as possible
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: Needs investigation, low-gain, ops
Metadata Update from @zlopez: - Issue assigned to zlopez
I'm looking at your account and don't see any reason for this to happen. I removed the OTP from your account for now.
But what is the error you are experiencing when trying to login with the OTP?
It was an "Authentication failed" generic message.
I had tried in the past with GNOME World's Authenticator, and now with Proton Pass's Authenticator.
Another (maybe?) related issue is that I have a:
```
400 - Bad Request Invalid transaction id
```
Every time I try to connect for the first time into any Fedora Service, but when I press once again on login, it then works (without needing to put password and login again).
> It was an "Authentication failed" generic message. I had tried in the past with GNOME World's Authenticator, and now with Proton Pass's Authenticator.
I'm looking at the authentication logs and see one successful authentication to Bugzilla and then some failed ones for COPR. But those seem to be done by OpenID, not OIDC; not sure if that could be the reason.
> Another (maybe?) related issue is that I have a:
> ```
> 400 - Bad Request Invalid transaction id
> ```
> Every time I try to connect for the first time into any Fedora Service, but when I press once again on login, it then works (without needing to put password and login again).
Unfortunately that is a known issue and we couldn't fix it yet.
I had also tried to authenticate to Fedora Accounts unsuccessfully. For Bugzilla, the authentication was before I had activated OTP.
I can't really find the cause of this in the logs. From the logs it seems like you got 401, which means bad credentials.
The only thing that comes to my mind is whether you put the OTP in the correct field.
I did, to the best of my knowledge, put the OTP in the correct field :/... Well, I guess I'll just have to use fedora without OTP for now...
Just a wild shot in the dark: when you are logging into accounts.fedoraproject.org are you using your username? or email?
Please try with username.
I am using my username. Since I use a password manager which autofills, and it only has my username, that's certain.
ok, that theory is shot down then. ;(
@abompard any ideas here?
I tried enrolling an OTP on a test account and logging in to Noggin and Ipsilon and it worked for me too :-/

After setting up the OTP, where did you try to login @lyessaadi? Noggin? Another infra application?

When enrolling a token, Noggin asks you for a 6-digit code to verify that the enrolling has worked. When you logged in afterwards, did you use the next (or a following) 6-digit code that your application gave you, or did you use the same one you used to enroll the token?

Are you available on Matrix or IRC so that we can try to debug this? Thanks!
I had tried on COPR and Noggin. I would be available to try on Matrix to debug this ! On which Matrix channel should I go ?
Hey! You can join https://matrix.to/#/#admin:fedoraproject.org (named "Fedora Infrastructure Team"). Please ping me (@abompard) when you're ready.
Oh I have an idea: how long is your password? Is it "pretty long"? Because there's a size limit to passwords and OTP tokens add 6 chars to the password, but not to the limit.
I'm thinking about it because I see this in the kerberos logs:
```
Mar 12 13:10:21 ipa01.iad2.fedoraproject.org krb5kdc[3726219](info): preauth (otp) verify failure: Message too long
```
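Added example, not part of the original thread or of Fedora's tooling: a small log triage that separates OTP preauth failures logged as "Message too long" (the symptom quoted above) from other OTP failures, counted per KDC host. Only the first sample line comes from the ticket; the other log lines, host names, PIDs and the second failure reason are constructed.

```python
import re
from collections import Counter

# Sample input. Line 1 is the line quoted in the ticket; lines 2-4 are
# constructed for this example (hosts, PIDs and messages are made up).
SAMPLE_LOG = """\
Mar 12 13:10:21 ipa01.iad2.fedoraproject.org krb5kdc[3726219](info): preauth (otp) verify failure: Message too long
Mar 12 13:11:02 ipa01.example.org krb5kdc[4021](info): preauth (otp) verify failure: Preauthentication failed
Mar 12 13:11:40 ipa02.example.org krb5kdc[1184](info): preauth (otp) verify failure: Message too long
Mar 12 13:12:05 ipa01.example.org krb5kdc[4021](info): closing down fd 11
"""

# Matches "<syslog timestamp> <host> krb5kdc[<pid>](info): preauth (<mech>)
# verify failure: <reason>", the shape of the line quoted in the ticket.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"preauth \((?P<mech>[^)]+)\) verify failure: (?P<reason>.+)$"
)


def parse_failures(text):
    """Return one dict per preauth verify-failure line; other lines are skipped."""
    failures = []
    for line in text.splitlines():
        match = FAILURE_RE.match(line.strip())
        if match:
            failures.append(match.groupdict())
    return failures


def triage(text):
    """Count OTP failures per host, split into 'Message too long' and the rest."""
    too_long, other = Counter(), Counter()
    for failure in parse_failures(text):
        if failure["mech"] != "otp":
            continue  # only OTP preauth is of interest here
        bucket = too_long if failure["reason"] == "Message too long" else other
        bucket[failure["host"]] += 1
    return {"too_long": dict(too_long), "other": dict(other)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
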
Yup, it is pretty long since it's password-manager generated, and I wanted my Fedora account to be pretty secure.
127 characters according to wc.
That's very possibly it.
This is related to: https://pagure.io/freeipa/issue/9600
Obviously we didn't take those steps we wanted to in the last comment... Will do now! :-)
Hey! Could I get my account unlocked ^^? I would be willing to continue debugging that as well, I just also want to update packages.
I deleted the OTP from your account. Feel free to continue debugging.
@lyessaadi Did you resolve the issue?
The underlying issue isn't gone, but with a shorter password OTP works !
@abompard Do you want to keep this open till we have the fix?
The prod version has been updated with the password size limit, so I think we can close this.
Metadata Update from @abompard: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)