What's the best way to minimize 2fa queries for snapcraft ?
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Canonical SSO provider |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
Working on 'snapcraft login' I ran into the following issue:
- login to SSO with 2FA (as that's the default mode for snapcraft),
- get the root macaroon from sca
- get the discharge_macarron from sso
=> fails with ssoclient.
- get the discharge macaroon from sso with the otp used for login
=> fails with
ssoclient.
- get the discharge macaroon with an auth based on the login session and the
login otp
=> fails with ssoclient.
- get the discharge macaroon from sso with a *new* otp without auth
=> works
So I'm not sure I'm using the API correctly but if getting a discharge
macaroon /always/ require 2fA for any operation (discharge macaroons
refreshes have been mentioned recently), the user experience will
be... painful :-/
Advice welcome.
| Vincent Ladeuil (vila) wrote | #1 |
| summary: |
- discharge macaroon should be provided by sca or 2fa makes like miserable + requiting 2 one-time-passwords to get a discharge macaroon makes like + miserable |
| summary: |
- requiting 2 one-time-passwords to get a discharge macaroon makes like + requiting 2 one-time-passwords to get a discharge macaroon makes life miserable |
| summary: |
- requiting 2 one-time-passwords to get a discharge macaroon makes life - miserable + What's the best way to minimize 2fa queries for snapcraft ? |
| Vincent Ladeuil (vila) wrote | #2 |
| Changed in canonical-identity-provider: | |
| status: | New → Invalid |
Ideally I should be able to get a discharge macaroon while being auth'ed with the first otp and without having to use a second one.