#7068 WebUI: password login does not work when 2FA token is present
Opened 2 years ago by cheimes. Modified a month ago

Web UI does not accept password-only login when a 2FA OTP is present although both password and OTP are enabled.

Steps to reproduce:

  • add an OTP token to a user
  • enable authentication types "password" and "Two factor authentication"
  • attempt to log into WebUI with password + OTP: success
  • attempt to log into WebUI with password only: fail

The web UI uses kinit for authentication. Internally it creates an armor ccache to establish a FAST tunnel for 2FA. When a FAST tunnel is present and 2FA is enabled, libkrb5 prefers password+OTP. Kerberos does not attempt a fallback to password-only. The command line tool kinit can be forced to perform password-only with CTRL+C:

$ sudo dnf install krb5-pkinit
$ kinit -c /tmp/armor_ccache -n
$ kinit -T /tmp/armor_ccache user
Enter OTP Token Value: <CTRL+C>
Password for user@REALM: <password>
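
As an added illustration of the flow described above (example code written for this page, not FreeIPA's own login code): a server-side helper that decides up front whether the kinit should be FAST-armored, so a password-only login never enters the OTP path that libkrb5 will not fall back from. It assumes that kinit reads the prompted secret from stdin when stdin is not a terminal, that for the OTP prompt the password and token value are sent as one concatenated string, and that the kinit and ccache paths are placeholders; none of those details come from the ticket.

```python
"""Added example, not FreeIPA's code: pick the kinit flow before calling kinit.

libkrb5 will not fall back from password+OTP to password-only once a FAST
tunnel is present, so the caller has to choose the flow up front:

  password only   -> kinit user             (no armor, no -T)
  password + OTP  -> kinit -n -c ARMOR      (anonymous PKINIT armor ccache)
                     kinit -T ARMOR user    (FAST tunnel, OTP preauth)

Assumptions not stated in the ticket: kinit reads the prompted secret from
stdin when stdin is not a terminal, and for the OTP prompt the password and
token value are written as one concatenated line.  Paths are placeholders.
"""
import subprocess
from typing import List, Optional, Tuple

KINIT = "/usr/bin/kinit"  # assumed location of MIT kinit

Step = Tuple[List[str], str]  # (argv, text written to kinit's stdin)


def armor_argv(armor_ccache: str) -> List[str]:
    """Anonymous PKINIT ticket used only as FAST armor (kinit -n -c ARMOR)."""
    return [KINIT, "-n", "-c", armor_ccache]


def login_argv(principal: str, ccache: str, armor_ccache: Optional[str]) -> List[str]:
    """kinit for the user; -T opens the FAST tunnel that enables OTP preauth."""
    argv = [KINIT, principal, "-c", ccache]
    if armor_ccache is not None:
        argv += ["-T", armor_ccache]
    return argv


def plan_login(principal: str, password: str, otp: str,
               ccache: str, armor_ccache: str) -> List[Step]:
    """Return the ordered kinit invocations for one login request.

    An empty OTP field means password-only: no armor ccache is created and
    no -T is passed, so libkrb5 is never offered the OTP path.  A non-empty
    OTP field means the two-step FAST flow from the ticket's reproducer.
    """
    if ccache == armor_ccache:
        raise ValueError("armor ccache must be separate from the user ccache")
    if not otp:
        return [(login_argv(principal, ccache, None), password + "\n")]
    return [
        (armor_argv(armor_ccache), ""),
        (login_argv(principal, ccache, armor_ccache), password + otp + "\n"),
    ]


def run_plan(steps: List[Step], timeout: int = 15) -> int:
    """Execute the steps in order; stop at the first failure and return its exit code."""
    for argv, stdin in steps:
        proc = subprocess.run(argv, input=stdin, text=True,
                              stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
                              timeout=timeout, check=False)
        if proc.returncode != 0:
            return proc.returncode
    return 0


if __name__ == "__main__":
    # Dry run: show both plans without contacting a KDC (secrets are not printed).
    for otp in ("", "123456"):
        for argv, stdin in plan_login("user@REALM", "hunter2", otp,
                                      "/tmp/user_ccache", "/tmp/armor_ccache"):
            print(" ".join(argv), "  (stdin: %d bytes)" % len(stdin))
```

The point of the helper is the branch in plan_login: the decision between the two kinit shapes is made from what the user actually submitted (an empty or filled OTP field), which is exactly the information a single combined password field cannot give the server.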

I would even say that it worked before.

@rharwood do you know if the behavior changed? If we knew which method the user wants to use, is there a way to force a certain behavior? Or is the only way to use FAST for 2FA and no FAST for password only?

What time frame is "before"? I'm not immediately aware of any changes, but I can go looking if I have some idea.

Metadata Update from @pvoborni:
- Issue assigned to abbra
- Issue priority set to: important
- Issue set to the milestone: FreeIPA 4.7
- Issue tagged with: regression

2 years ago

I'd like to add that this behavior is not how the HTTP service on the FreeIPA server is configured. The WebUI is not using its own service definition as described in FreeIPA itself.


@hicksaw I don't know what part of the definition you mean. If you mean Auth Indicators, they are not relevant for the use case in the ticket description. The bug is about obtaining a ticket-granting ticket in forms-based Web UI auth, which is not related to getting a service ticket for the HTTPD service.

@pvoborni my expectation would be that the FreeIPA web UI authentication should behave as the HTTPD service is configured in FreeIPA for the FreeIPA server.

My statement supports the original post: when a user account has a second factor configured, requiring that second factor to authenticate is unexpected, and the configuration of the HTTP service on the IPA server also indicates that the 2nd factor should not be required.

In addition, I would expect the FreeIPA web UI to be an example of a web service that does what FreeIPA tells it to.

Just for the record, the documentation clearly describes the behavior when both "password" and "password+OTP" are enabled:

Combining Multiple Authentication Methods
If you set multiple methods at once, either one of them will be sufficient for successful authentication. For example:

    If you configure both two-factor and password authentication, the user must provide the password (first factor), but providing the OTP (second factor) is optional when using the command line:

    First Factor:
    Second Factor (optional):

    In the web UI, the user must still provide both factors. 

The WebUI requires both factors.

@frenaud Thanks! Next time I'm going to read our documentation first.

Let's close my bug as invalid. Do you agree, @abbra ?

We discussed this with @pvoborni and @frenaud while in Brno and we'd like to actually improve here by providing a separate field for 2FA token value in the UI. So let's keep the bug as valid one.

@pvoborni actually had it partially implemented, I think.

A clarification: we're only doing 2FA on two hosts in our environment by activating the hosts' OTP auth-indicator; all other hosts and services are expected to use just username & password.

So this 'feature' is causing exceptions to the expected behavior. We would very much prefer to be able to disable 2FA on the web UI login and API authentication to maintain consistent behavior in our environment.

(i.e. the product owner considers this a bug to be fixed and won't drop it because it degrades the user experience)

I have the patch in temp branch https://github.com/freeipa/freeipa/compare/master...pvoborni:login_mixed_authtypes (there is also other stuff). It needs some work(better commit message) and especially a test.

Metadata Update from @pvoborni:
- Issue assigned to pvoborni (was: abbra)

2 years ago

Since mixed login is documented as "In the web UI, the user must still provide both factors.", it's not a regression.

Metadata Update from @cheimes:
- Issue untagged with: regression
- Issue priority set to: normal (was: important)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Metadata Update from @stsymbal:
- Issue tagged with: webui

a year ago

@pvoborni Is this something you have time to work on? Would be definitely great for UX.
