# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2024-01-15T14:27:31Z)

## "kid" missing from emitted JWT (#3066)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3066 | Updated 2024-01-15T14:27:31Z | Author: Maxime Besson

Following the migration to Crypt::JWT, ID tokens no longer contain a "kid".
Some applications require them, even if we expose only one key, so this has to be considered as a regression.

Milestone: 2.18.1 | Assignee: Maxime Besson

## Error when verifying signature when OP uses more than one key and kid provided in ID Token (#3065)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3065 | Updated 2023-12-21T15:23:39Z | Author: Clément OUDOT

After updating to 2.18, JWTs issued by Google are not valid anymore:
```
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [debug] Verification of JWT signature: eyJhbGciOiJSUzI1NiIsImtpZCI6IjliMDI4NWMzMWJmZDhiMDQwZTAzMTU3YjE5YzRlOTYwYmRjMTBjNmYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI3MzIwNzIwNzQ5MDAtZHZ1aDZiZ2s5bjhzNjUwYzN1bzY1ZmUwa3FyOTloMGMuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI3MzIwNzIwNzQ5MDAtZHZ1aDZiZ2s5bjhzNjUwYzN1bzY1ZmUwa3FyOTloMGMuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDcwNjUyMzUyNTQxNzY4MTM4NDMiLCJlbWFpbCI6ImNsZW0ub3Vkb3RAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiJ4VFdOY0w1TXdUandZWjk0SGtWMmpnIiwibm9uY2UiOiJUUHNLUTBiWFFCUlVjRHZmS2h6WUlBIiwibmFtZSI6IkNsw6ltZW50IE9VRE9UIiwicGljdHVyZSI6Imh0dHBzOi8vbGgzLmdvb2dsZXVzZXJjb250ZW50LmNvbS9hL0FDZzhvY0o5bjVRdG00dFd5MUJaOWtMOTBFTmxaYkdMZlBnemJYanpnemZMdGxIRGNDUT1zOTYtYyIsImdpdmVuX25hbWUiOiJDbMOpbWVudCIsImZhbWlseV9uYW1lIjoiT1VET1QiLCJsb2NhbGUiOiJmciIsImlhdCI6MTcwMzEwOTExNSwiZXhwIjoxNzAzMTEyNzE1fQ.GOHTD7-J_zZXbqgB8bFDCX4wZ_fXChnCD4oneFrs-RBo7YK-PVd1tKdALblpBQRZ8HVV4WjrL9Q0jvfN6AKZGSDsBo2cLhZhKpN_bVS19uLmVq0EyN1YBJd_seFQpbQCeKLxPvlf3oIJQPHOKaw0Yfbpuv_Lmy1bx7QUq0VShm6gOAfUsWvYwhONfGA621UXbDl8eafn05EhrwIExGofHF37eQCBvO0_WS55F4zlxBg643f2Nbb9M5QZX4kBUiPoIY6I_qz7WRLyx9lGEK0UP9PkXWDGy87r7Sq9j4g01ybS3Q33pT26e3g68Mm_eEHk_M5qF3PlbyCmmd0lRKcP6A
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [debug] JWT signature algorithm: RS256
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [error] Unable to verify JWT: JWS: invalid signature at /usr/share/perl5/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm line 1524.
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [error] Jwt was: eyJhbGciOiJSUzI1NiIsImtpZCI6IjliMDI4NWMzMWJmZDhiMDQwZTAzMTU3YjE5YzRlOTYwYmRjMTBjNmYiLCJ0eXAiOiJKV1QifQ.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.GOHTD7-J_zZXbqgB8bFDCX4wZ_fXChnCD4oneFrs-RBo7YK-PVd1tKdALblpBQRZ8HVV4WjrL9Q0jvfN6AKZGSDsBo2cLhZhKpN_bVS19uLmVq0EyN1YBJd_seFQpbQCeKLxPvlf3oIJQPHOKaw0Yfbpuv_Lmy1bx7QUq0VShm6gOAfUsWvYwhONfGA621UXbDl8eafn05EhrwIExGofHF37eQCBvO0_WS55F4zlxBg643f2Nbb9M5QZX4kBUiPoIY6I_qz7WRLyx9lGEK0UP9PkXWDGy87r7Sq9j4g01ybS3Q33pT26e3g68Mm_eEHk_M5qF3PlbyCmmd0lRKcP6A
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [error] JWT signature verification failed
```
But the JWT is valid: https://oauth2.googleapis.com/tokeninfo?id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjliMDI4NWMzMWJmZDhiMDQwZTAzMTU3YjE5YzRlOTYwYmRjMTBjNmYiLCJ0eXAiOiJKV1QifQ.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.GOHTD7-J_zZXbqgB8bFDCX4wZ_fXChnCD4oneFrs-RBo7YK-PVd1tKdALblpBQRZ8HVV4WjrL9Q0jvfN6AKZGSDsBo2cLhZhKpN_bVS19uLmVq0EyN1YBJd_seFQpbQCeKLxPvlf3oIJQPHOKaw0Yfbpuv_Lmy1bx7QUq0VShm6gOAfUsWvYwhONfGA621UXbDl8eafn05EhrwIExGofHF37eQCBvO0_WS55F4zlxBg643f2Nbb9M5QZX4kBUiPoIY6I_qz7WRLyx9lGEK0UP9PkXWDGy87r7Sq9j4g01ybS3Q33pT26e3g68Mm_eEHk_M5qF3PlbyCmmd0lRKcP6A
So there should be a problem on the LL::NG side but I don't see what.

Milestone: 2.18.1 | Assignee: Yadd

## Set default logLevel to notice (#3063)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3063 | Updated 2023-12-19T21:49:13Z | Author: Clément OUDOT

For now the default logLevel is `warn`, which does not display messages like 'user xxx authenticated'.
It would be better to set the default value to `notice`.

Milestone: 2.18.0 | Assignee: Clément OUDOT

## sp: display rule doesn't work with saml federation / lazy loading (#3059)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3059 | Updated 2024-03-27T08:18:32Z | Author: Maxime Besson

When using SAML federations, it is no longer possible to use sp:confKey as a display rule because at the time the rule is evaluated, the SP is not always loaded.
We need a new syntax such as entityID:xxx + client_id:xxx

Milestone: 2.20.0 | Assignee: Maxime Besson

## Access rule of an OIDC RP not working to dynamically display application in portal menu (#3058)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3058 | Updated 2023-12-14T12:49:05Z | Author: Clément OUDOT

May be a regression linked to OIDC RP lazy loading.

Steps to reproduce:
* Declare an OIDC RP with an access rule
* Declare an application in menu with display rule (sp: rp-example)
Expected result:
* Application not displayed for users not matching the access rule
Current result:
* Application always displayed

Milestone: 2.18.0 | Assignee: Maxime Besson

## Internal error while processing an "access forbidden" SAML assertion (#3055)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3055 | Updated 2023-12-15T14:21:55Z | Author: Yadd

### Affected version
Version: %2.17.2
Platform: any
### Summary
During SAML authentication, the ForgeRock server sends a SAML assertion that contains a new attribute with an "accès refusé" content. Lemon doesn't catch the XML error and displays an internal error
### Logs
```
[Wed Dec 6 03:03:53 2023] [LLNG:164] [debug] Processing setAuthSessionInfo
2023/12/06 03:03:53 [error] 157#157: *25 FastCGI sent in stderr: ":1: namespace error : Namespaced Attribute type in 'http://www.w3.org/2001/XMLSchema-instance' redefined
://www.w3.org/2001/XMLSchema-instance" ns1:type="xs:string" xsi:type="xs:string"
^
XML::Simple called at /usr/share/perl5/Lemonldap/NG/Portal/Lib/SAML.pm line 1548" while reading response header from upstream, client: 1.2.3.4, server: auth.poc-mail-avocat.fr, request: "POST /saml/proxySingleSignOnPost HTTP/1.1", upstream: "fastcgi://unix:/run/llng-fastcgi-server/llng-fastcgi.sock:", host: "auth.poc-mail-avocat.fr", referrer: "https://preprod-sso.cnb-prive.net/"
1.2.3.4 - - [06/Dec/2023:03:03:53 +0000] "POST /saml/proxySingleSignOnPost HTTP/1.1" 500 21 "https://preprod-sso.cnb-prive.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
2023/12/06 03:03:55 [info] 157#157: *26 client closed connection while waiting for request, client: 54.36.52.8, server: 0.0.0.0:443
```

Milestone: 2.18.0 | Assignee: Yadd

## Cannot get the full otpauth URL when registering a new TOTP (#3054)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3054 | Updated 2024-03-27T09:19:28Z | Author: Soisik Froger

As a user, I'd like to copy the content of the QR code when enrolling a new TOTP. This URL is useful if you use any device/software that does not rely on scanning an image.
Right now, the URL has to be built from scratch from the displayed secret (if put in lowercase and without spaces).
Some kind of way to retrieve this URL (in the HREF attribute of the image?) would make it easier to register TOTP without scans.

Milestone: 2.19.0 | Assignee: Maxime Besson

## Special OIDC scope to get app grid (#3053)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3053 | Updated 2024-03-27T10:23:56Z | Author: Yadd

### Summary
Currently the app grid is available using `/myapplications`, only for connected users
### Problem
When using OIDC and the `offline_access` scope, the relying party isn't able to get the `/myapplications` result
### Proposition
Build a special OIDC scope _(or macro value?)_ to store the JSON result of the appgrid calculation, which will then be available as long as the offline session exists
Problem: won't be refreshed

Milestone: 2.20.0

## Add messaging broker support to share instantaneously events like logout or configuration update (#3051)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3051 | Updated 2024-03-27T10:53:38Z | Author: Yadd

We can propose here a plugin system like the logger interface. Proposed plugin list:
* [Redis pub/sub](https://redis.io/docs/interact/pubsub/)
* [RabbitMQ](https://www.rabbitmq.com/)
Such a system can also provide a backend for a better "status" system

Milestone: 2.20.0

## Reset password with 2FA (#3049)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3049 | Updated 2024-03-27T10:56:07Z | Author: Clément OUDOT

Asked feature: if a user has lost their password and has a 2FA, they could use the 2FA to reset their password.
To be discussed as we clearly lose security here: an attacker having the 2FA will be able to force the password, so it's like having only 1FA.
Maybe the idea would be to add 2FA on top of the current reset feature (mail)?

Milestone: 2.20.0

## Error in Notification DBI backend (#3048)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3048 | Updated 2024-03-27T10:53:14Z | Author: Clément OUDOT

On a production environment, we encounter this error:
```
DBD::Pg::st execute failed: aucune connexion au serveur at /usr/share/perl5/Lemonldap/NG/Common/Notifications/DBI.pm line 283.
```
The DB is well started, so I suspect bad connection management in the Notification DBI module.
Not easy to reproduce.

Milestone: 2.19.0 | Assignee: Clément OUDOT

## Return to 2FA manager after registration (#3043)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3043 | Updated 2023-11-21T08:52:56Z | Author: Maxime Besson

Currently, after registering a TOTP (or any other 2FA), the user remains on the TOTP screen:
![image](/uploads/33886c54eba6ab62c72a986f1aedb83a/image.png)
![image](/uploads/df3b7d37cd8b47704cf061a7319ec5ee/image.png)
This is consistently reported by my users as confusing.
A better flow would be to take them back to the list of registered 2FA:
![image](/uploads/d0f8b7e1ae333be4afe8ce7f0740436c/image.png)
Similar to #2610 but for all 2FA types

Milestone: 2.18.0 | Assignee: Maxime Besson

## LLNG should not refuse logout when one OIDC/SAML SP fails to logout (#3041)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3041 | Updated 2024-02-12T02:44:25Z | Author: Yadd

### Affected version
Version: %2.17.1
### Summary
* Configure LLNG with one OIDC relying party with back channel logout
* Log-in and browse RP
* Shutdown RP
* Try to logout
Then LLNG just displays "Error" and refuses to logout
### Proposed behavior
* Log out from LLNG anyway
* Display a message "Didn't succeed to logout from all applications, you should close your browser"

Milestone: 2.18.2 | Assignee: Yadd

## Allow auto-detection of portal URL and domain (#3040)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3040 | Updated 2024-03-28T10:35:05Z | Author: Maxime Besson

One of my LLNG instances needs to be reached by internal and external users but on a different URL.
The portal uses $self->conf->{portal} and $self->conf->{domain} to get its own URL and cookie domain. But it doesn't work in this particular use case, because in my use case the portal and domain depend on `$req`.
This is similar to #933, but I think the fix proposed there no longer works since the migration to PSGI.
In the handler: it's probably not too difficult to do because every access to the portal URL goes through $class->tsv->portal. We just need to pass `$req` to it.
In the portal: we need to replace all calls to `$self->conf->{portal}` and `$self->conf->{domain}` with methods such as `getPortalUrl($req)` and `getDomain($req)`. This will require a lot of refactoring, but I think it's a good idea because users will no longer have to define the `portal` and `domain` configuration variables in most cases.
This is also a requirement of #2285
If I can find sponsorship for this feature I might implement it in 2.19

Milestone: 2.19.0 | Assignee: Maxime Besson

## Creating a new 2F plugin requires to edit available2F / available2FSelfRegistration keys (#3039)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3039 | Updated 2024-03-27T08:18:22Z | Author: Clément OUDOT

I don't know if this is a real issue but at least the technical documentation must be updated.
Currently I follow instructions from:
```
perldoc Lemonldap::NG::Portal::Main::SecondFactor
```
The 2F module is not loaded at all because available2F must be modified. I don't find it very convenient because the default value of this parameter will change when we add a new core 2FA module in LL::NG.

Milestone: 2.20.0 | Assignee: Maxime Besson

## OKTA 2FA module (#3038)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3038 | Updated 2024-03-19T12:02:04Z | Author: Clément OUDOT

This feature request is about a new 2FA module which will use the OKTA API: https://developer.okta.com/docs/reference/api/factors/
The use case:
* An organization is using LL::NG as main authentication portal
* For some power users, it chose to buy some OKTA accounts, including MFA
* The user will register its MFA on OKTA (mail, SMS, mobile app, ...)
* The user will authenticate on LL::NG portal and use OKTA MFA as second factor
This requires of course that the user login on OKTA is known by LL::NG to request the correct MFA account.

Milestone: 2.19.0 | Assignee: Clément OUDOT

## Add a hook before 2FA validation (#3037)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3037 | Updated 2023-11-02T14:14:30Z | Author: Maxime Besson

Adding a hook right before validating 2F responses will let us fix #3034 as a plugin, or do other checks

Milestone: 2.18.0 | Assignee: Maxime Besson

## OIDC response from userinfo endpoint is not consistent when retrieving user data (#3036)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3036 | Updated 2023-11-20T14:36:08Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Affected version
Version: %2.17.1
Platform: All
### Summary
Always Send Exported Attributes = OFF
Only Allow Declared Scopes = ON
Scope : test=codeUnite,employeeType,unite
1 - Auth to portal/oauth2 >> OK (TO Obtain a session ID)
2 - Retrieve from portal/oauth2/authorize >> OK (To obtain an authorization code)
3 - Obtain tokens from portal/oauth2/token >> OK (To obtain an access token)
4 - Retrieve user info from portal/oauth2/userinfo with the access token >> NOK
Sometimes:
```
{
"codeUnite" : "67658",
"displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
"email" : "adam.sores@gendarmerie.interieur.gouv.fr",
"employeeType" : "APPRENTI TECH",
"grade" : "APPR TECH",
"nigend" : "480625",
"nom" : "SORES",
"postalCode" : "92130",
"prenom" : "Adam",
"responsabilite" : "E",
"sub" : "adam.sores",
"unite" : "SCT BCOF STSISI"
}
```
and sometimes:
```
{
"sub" : "adam.sores"
}
```
The portal response is not consistent.
### Logs
Client LOGS:
```
adam.sores@dgn092st014467:~$ for i in {1..1000} ; do curl -s -H 'Authorization: Bearer a896d64f0dc3f424384ea6c57827ea1441ab3858a05c356964e90b3f041d93ca' 'https://auth.dvsso.gendarmerie.fr/oauth2/userinfo' | json_pp ;sleep 1; done
```
Portal LOGS:
```
2023-11-02T12:09:19+01:00 [debug] Redirect ************* to portal (url was /oauth2/userinfo)
2023-11-02T12:09:19+01:00 [debug] User not authenticated, Try in use, cancel redirection
2023-11-02T12:09:19+01:00 [debug] Start routing oauth2
2023-11-02T12:09:19+01:00 [debug] URL detected as an OpenID Connect USERINFO URL
2023-11-02T12:09:19+01:00 [debug] Bearer access token
2023-11-02T12:09:19+01:00 [debug] Received Access Token a896d64f0dc3f424384ea6c57827ea1441ab3858a05c356964e90b3f041d93ca
2023-11-02T12:09:19+01:00 [debug] Try to get SSO session b2609ec568fd9579a0f75dc7bc6778022c9c830f5f6dd691ba45b361e6649370
2023-11-02T12:09:19+01:00 [debug] Get session b2609ec568fd9579a0f75dc7bc6778022c9c830f5f6dd691ba45b361e6649370 from Portal::Main::Run
2023-11-02T12:09:19+01:00 [debug] Return SSO session b2609ec568fd9579a0f75dc7bc6778022c9c830f5f6dd691ba45b361e6649370
2023-11-02T12:09:19+01:00 [debug] Found corresponding user: adam.sores
2023-11-02T12:09:19+01:00 [debug] Calling hook oidcGenerateUserInfoResponse
2023-11-02T12:09:19+01:00 [debug] Apply following CORS policy:
2023-11-02T12:09:19+01:00 [debug] Access-Control-Allow-Origin
2023-11-02T12:09:19+01:00 [debug] *
--
2023-11-02T12:09:20+01:00 [debug] Redirect ************ to portal (url was /oauth2/userinfo)
2023-11-02T12:09:20+01:00 [debug] User not authenticated, Try in use, cancel redirection
2023-11-02T12:09:20+01:00 [debug] Start routing oauth2
2023-11-02T12:09:20+01:00 [debug] URL detected as an OpenID Connect USERINFO URL
2023-11-02T12:09:20+01:00 [debug] Bearer access token
2023-11-02T12:09:20+01:00 [debug] Received Access Token a896d64f0dc3f424384ea6c57827ea1441ab3858a05c356964e90b3f041d93ca
2023-11-02T12:09:20+01:00 [debug] Try to get SSO session b2609ec568fd9579a0f75dc7bc6778022c9c830f5f6dd691ba45b361e6649370
2023-11-02T12:09:20+01:00 [debug] Get session b2609ec568fd9579a0f75dc7bc6778022c9c830f5f6dd691ba45b361e6649370 from Portal::Main::Run
2023-11-02T12:09:20+01:00 [debug] Return SSO session b2609ec568fd9579a0f75dc7bc6778022c9c830f5f6dd691ba45b361e6649370
2023-11-02T12:09:20+01:00 [debug] Found corresponding user: adam.sores
2023-11-02T12:09:20+01:00 [debug] Calling hook oidcGenerateUserInfoResponse
2023-11-02T12:09:20+01:00 [debug] Apply following CORS policy:
2023-11-02T12:09:20+01:00 [debug] Access-Control-Allow-Origin
2023-11-02T12:09:20+01:00 [debug] *
--
```

Assignee: Christophe Maudoux <chrmdx@gmail.com>

## FIDO2 / WebAuthn Passwordless (#3035)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3035 | Updated 2024-03-27T08:17:28Z | Author: Clément OUDOT

FIDO2 / WebAuthn is implemented in LemonLDAP::NG for 2FA. Another use case is to use FIDO2 / WebAuthn as the main authentication factor, to replace the login/password form. This is called "Passwordless".
To have this feature, we need to decide how the registration of 2FA will be done (do we need to keep login/password for registration, or is there another way for a user to enroll their device?) and how the association between the 2FA device and the user account will be done.

Milestone: 2.20.0 | Assignee: Maxime Besson

## Deletion of a 2FA in the middle of an authentication flow is not taken into account (#3034)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3034 | Updated 2023-11-02T13:19:30Z | Author: Maxime Besson

### Affected version
Version: 2.17.1
### Summary
* As user, register a 2FA
* As user, go to portal, login with your 1st factor, and choose your 2FA
* You are prompted to enter a code or complete the webauthn challenge, and you have $sfTimeout seconds to do it (can be several minutes)
* As an admin, delete the 2FA for this user
* As a user, complete the 2FA challenge successfully :x:
### Possible fixes
This is caused by the fact that `_2fdevices` is copied into the user's session, and stored as a OneTimeToken during the 2FA flow. Despite the 2FA being removed by the admin, it still exists in the OneTimeToken.
I think we should update the `_2fDevices` array when the 2FA challenge is completed to make sure the selected device still exists.

Milestone: In discussion | Assignee: Maxime Besson