What's the best way to minimize 2fa queries for snapcraft ?
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Canonical SSO provider |
Invalid
|
Undecided
|
Unassigned |
Bug Description
Working on 'snapcraft login' I ran into the following issue:
- login to SSO with 2FA (as that's the default mode for snapcraft),
- get the root macaroon from sca
- get the discharge_macarron from sso
=> fails with ssoclient.
- get the discharge macaroon from sso with the otp used for login
=> fails with
ssoclient.
- get the discharge macaroon with an auth based on the login session and the
login otp
=> fails with ssoclient.
- get the discharge macaroon from sso with a *new* otp without auth
=> works
So I'm not sure I'm using the API correctly but if getting a discharge
macaroon /always/ require 2fA for any operation (discharge macaroons
refreshes have been mentioned recently), the user experience will
be... painful :-/
Advice welcome.
summary: |
- requiting 2 one-time-passwords to get a discharge macaroon makes like + requiting 2 one-time-passwords to get a discharge macaroon makes life miserable |
summary: |
- requiting 2 one-time-passwords to get a discharge macaroon makes life - miserable + What's the best way to minimize 2fa queries for snapcraft ? |
Ideally I should be able to get a discharge macaroon while being auth'ed with the first otp and without having to use a second one.