Using 2FA for production has strange interactions with staging

Bug #1041125 reported by Jonathan Lange
This bug affects 2 people
Affects: Canonical SSO provider
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (none)

Bug Description

I've had 2FA set up on login.ubuntu.com using Google Authenticator for a couple of weeks. Today, I tried to log in to login.staging.ubuntu.com for the first time since then.

I was prompted for a 2FA password. I entered the password from my GAuth app, but it didn't work.

I looked into my device list (https://login.staging.ubuntu.com/device-list), and it said "Always use 2FA" but it had no devices at all.

I was able to add a device, but when I did, the barcode wouldn't scan and it asked me to enter with the same account name (<email address hidden>). When I entered the account & AES key, it overwrote my production account on GAuth.

Stuart Metcalfe (stuartmetcalfe) wrote :

Thanks for reporting this. Staging and production 2-factor was recently decoupled and you seem to have found a few glitches that we missed :(

> I was prompted for a 2FA password. I entered the password from my GAuth app, but it didn't work.

This is because, although we removed all 2-factor devices on staging, we didn't update the "always require" setting. It doesn't seem to prevent altering devices but we should probably update it globally anyway, to avoid further confusion.

> I was able to add a device, but when I did, the barcode wouldn't scan and it asked me to enter with the same account name
> (<email address hidden>). When I entered the account & AES key, it overwrote my production account on GAuth.

We should have a different name on staging. The setting "twofactor.twofactor_service_ident" has a default of "UbuntuSSO". We should override this in the staging config to something like "UbuntuSSOStaging" or similar.
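The two glitches above both come down to state the authenticator app and the service keep about an enrolment. The following is an added example, not code from the Canonical SSO provider: it builds Google Authenticator key URIs (the real `otpauth://totp/Issuer:account?secret=...&issuer=...` format) and shows why two deployments that emit the same service identifier for the same account produce one app entry that the later enrolment overwrites, and why a distinct identifier such as "UbuntuSSOStaging" avoids that. It also flags the inconsistent "always require 2FA but no devices" state that caused the failed login. The function names, the sample secret and the account name are constructed for the example.

```python
from urllib.parse import quote, unquote, urlparse, parse_qs, urlencode


def provisioning_uri(secret_b32, account, service_ident):
    """Build a TOTP key URI as shown to the user in a QR code.

    service_ident plays the role of twofactor.twofactor_service_ident:
    it is both the issuer parameter and the prefix of the label.
    """
    label = quote(f"{service_ident}:{account}", safe="")
    params = urlencode({"secret": secret_b32, "issuer": service_ident})
    return f"otpauth://totp/{label}?{params}"


def entry_key(uri):
    """Return the (issuer, account) pair an authenticator app keys entries on.

    Apps treat two URIs with the same pair as the same entry, so a second
    enrolment with an identical pair replaces the first one's secret.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    label = unquote(parsed.path.lstrip("/"))
    query = parse_qs(parsed.query)
    issuer = query.get("issuer", [None])[0]
    if ":" in label:
        label_issuer, account = label.split(":", 1)
        issuer = issuer or label_issuer
    else:
        account = label
    return (issuer, account)


def enrolments_collide(uri_a, uri_b):
    """True when enrolling uri_b would overwrite the app entry created by uri_a."""
    return entry_key(uri_a) == entry_key(uri_b)


def accounts_with_dangling_requirement(accounts):
    """Accounts whose 'always use 2FA' flag is set although they have no devices.

    `accounts` is a list of dicts with 'name', 'always_require' and 'devices'
    (a constructed shape for this example). Such accounts cannot log in
    until the flag is cleared or a device is re-enrolled.
    """
    return [a["name"] for a in accounts
            if a["always_require"] and not a["devices"]]


if __name__ == "__main__":
    secret = "JBSWY3DPEHPK3PXP"  # constructed sample secret, not a real one
    user = "user@example.com"
    prod = provisioning_uri(secret, user, "UbuntuSSO")
    staging_same = provisioning_uri(secret, user, "UbuntuSSO")
    staging_fixed = provisioning_uri(secret, user, "UbuntuSSOStaging")
    print("staging with default ident collides:", enrolments_collide(prod, staging_same))
    print("staging with distinct ident collides:", enrolments_collide(prod, staging_fixed))
    print(accounts_with_dangling_requirement(
        [{"name": user, "always_require": True, "devices": []}]))
```

The distinct issuer keeps the label and the `issuer` parameter consistent, which matters because some apps read one and some the other; overriding only the label while leaving `issuer=UbuntuSSO` could still merge the entries.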

Changed in canonical-identity-provider:
status: New → Confirmed
importance: Undecided → High
Changed in canonical-identity-provider:
assignee: nobody → Ricardo Kirkner (ricardokirkner)
Changed in canonical-identity-provider:
status: Confirmed → Triaged
Changed in canonical-identity-provider:
assignee: Ricardo Kirkner (ricardokirkner) → nobody
Daniel Manrique (roadmr)
Changed in canonical-identity-provider:
status: Triaged → Fix Released