Session upgrade link in 2FA manager not working
Concerned version
Version: 2.0.14
Platform: AlmaLinux 8/nginx/uwsgi (same with FastCGI)
Summary
Default auth is done against AD (Samba4), which gives an auth level of 2. The session upgrade plugin is enabled, with 3 2FA types (TOTP, Yubikey and WebAuthn). All of those 2FA types grant an authentication level of 5. If an application requires an auth level > 2, I'm correctly presented with the session upgrade form, and, except for Bug 2761, it's working. If I haven't upgraded my session yet (so my auth level is still 2) and go into the 2FA manager (/2fregisters), there's a button to re-authenticate. If I click on it, I'm redirected to /sessionupgrade, then click on the new reauthenticate button. Instead of being prompted to enter my 2FA, I'm back in the 2FA manager, with an auth level still at 2.
So, the problem is that I cannot "manually" upgrade my session; I must access a vhost which requires a higher auth level to do so.
I'd like to be able to manually upgrade my session because I've configured the switch context plugin with the rule "inGroup('Admin') and $authenticationLevel >= 5", and it feels a bit clumsy to be forced to first access another (unrelated) app just to upgrade the session auth level; I should be able to do so from the portal.
Logs
Here are the logs when I reauthenticate from the 2FA manager:
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] VH sso.test.local is HTTPS
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Get session bfa81e667a9ae61c8dc089bd1b3b304e44054fccaf779addba381c64461d2d10 from Handler::Main::Run
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Check session validity from Handler
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Session timeout -> 72000
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Session timeoutActivity -> 7200s
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Session _utime -> 1646035357
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] now -> 1646037901
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] _lastSeen -> 1646037884
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] now - _lastSeen = 17
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Session timeoutActivityInterval -> 60
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Session TTL = 69456
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] No URL authentication level found...
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] sso.test.local: Apply default rule
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] removing cookie
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Cookies -> llnglanguage=fr; googtrans=/auto/en; mysso=bfa61e667a9ae61c8fc089bd1b3b304e44054fccaf779acdba381c64461d2d10
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] CookieName -> mysso
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] newCookies -> llnglanguage=fr; googtrans=/auto/en;
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] User dani was granted to access to /upgradesession
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Start routing upgradesession
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Processing controlUrl
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Confirm parameter accepted 1
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Required URL (param: urldc | value: https://sso.test.local/2fregisters | alias: https://sso.test.local)
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] No URL authentication level found...
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Processing importHandlerData
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Processing secondFactor
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Current authentication level satisfied target service, skipping 2FA
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Processing storeHistory
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Processing buildCookie
févr. 28 09:45:01 proxyin LLNG[127372]: [notice] User dani successfully authenticated at level 2
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] [notice] User dani successfully authenticated at level 2
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Processing code ref
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Removing _url from pdata
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Removing keepPdata from pdata
févr. 28 09:45:01 proxyin LLNG[127372]: [notice] dani connected
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] [notice] dani connected
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Calling autoredirect
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Building redirection to https://sso.test.local/2fregisters
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] VH sso.test.local is HTTPS
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Get session bfa81e667a9ae61c8dc089bd1b3b304e44054fccaf779addba381c64461d2d10 from Handler internal cache
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] No URL authentication level found...
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] sso.test.local: Apply default rule
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] removing cookie
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Cookies -> llnglanguage=fr; googtrans=/auto/en; mysso=bfa81e667a9ae61c8dc089bd1b3b304e44054fccaf779addba381c64461d2d10
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] CookieName -> mysso
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] newCookies -> llnglanguage=fr; googtrans=/auto/en;
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] User dani was granted to access to /2fregisters
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Start routing 2fregisters
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Looking if totp2F register is available
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Looking if webauthn2F register is available
févr. 28 09:45:01 proxyin LLNG[127372]: [debug] Looking if yubikey2F register is available
The problem seems to be that the reauth button redirects to the 2FA manager, which cannot itself be protected with an auth level > 2 (as it would prevent users from registering their 2FA in the first place).
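To make the mechanism behind the "Current authentication level satisfied target service, skipping 2FA" line explicit, here is an added, simplified model of the decision; it is illustrative code written for this report, not LemonLDAP::NG's own implementation. It assumes a per-vhost table of URL prefixes with required levels, a default required level of 2 when no URL rule matches, and an upgrade endpoint that only prompts for 2FA when the target URL (the `urldc` parameter) requires more than the session currently has. The `force` flag and the `admin.test.local` vhost are constructed for the example; they show why a manual upgrade cannot work when the target is the unprotected /2fregisters page, and what an explicit user-requested upgrade would have to bypass.

```python
"""Model of the session-upgrade decision (added illustration, not LLNG code)."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed: the level the "default rule" effectively requires when
# "No URL authentication level found..." is logged.
DEFAULT_REQUIRED_LEVEL = 2
# Constructed: every configured 2FA type grants level 5 on success.
LEVEL_AFTER_2FA = 5


@dataclass
class VHost:
    """A virtual host with optional per-URL-prefix required auth levels."""
    name: str
    url_levels: dict = field(default_factory=dict)  # path prefix -> level

    def required_level(self, path: str) -> int:
        # First matching prefix wins; otherwise fall back to the default rule.
        for prefix, level in self.url_levels.items():
            if path.startswith(prefix):
                return level
        return DEFAULT_REQUIRED_LEVEL


# Constructed topology: the portal itself carries no URL level (the 2FA
# manager must stay reachable at level 2), a hypothetical app needs level 5.
VHOSTS = {
    "sso.test.local": VHost("sso.test.local"),
    "admin.test.local": VHost("admin.test.local", {"/": 5}),
}


def target_required_level(urldc: str) -> int:
    """Level the target URL requires, as the upgrade endpoint would compute it."""
    u = urlparse(urldc)
    vhost = VHOSTS.get(u.hostname)
    if vhost is None:
        return DEFAULT_REQUIRED_LEVEL
    return vhost.required_level(u.path or "/")


def upgrade_decision(session_level: int, urldc: str, force: bool = False) -> str:
    """Return 'prompt_2fa' or 'skip_2fa' for a visit to /upgradesession.

    `force` is hypothetical: an explicit "the user asked to upgrade" signal
    that would have to override the target-URL comparison.
    """
    if force:
        return "prompt_2fa"
    if session_level >= target_required_level(urldc):
        return "skip_2fa"  # the line seen in the logs for /2fregisters
    return "prompt_2fa"


def simulate_reauth(session_level: int, urldc: str, force: bool = False) -> int:
    """Session level after the reauth round trip (assumes 2FA succeeds when prompted)."""
    if upgrade_decision(session_level, urldc, force) == "prompt_2fa":
        return LEVEL_AFTER_2FA
    return session_level


if __name__ == "__main__":
    # Reproduces the report: coming from the 2FA manager, nothing changes.
    print("from /2fregisters:", simulate_reauth(2, "https://sso.test.local/2fregisters"))
    # Coming from an app that needs level 5, the prompt appears.
    print("from admin app:   ", simulate_reauth(2, "https://admin.test.local/"))
```

Run stand-alone, the first line prints 2 and the second prints 5, which is exactly the asymmetry described above: the decision is driven solely by what the redirect target requires, so a target that must stay open to level-2 users can never trigger the prompt.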
Backends used
MariaDB (config and session), AD/Samba4 (password and user)