2fa required via api but not via openid
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | New | Undecided | Unassigned |
Bug Description
So I discovered today that my Ubuntu One login requires 2fa while trying to enable Livepatch via "Software & Updates", but 2fa was not required when logging in directly via login.ubuntu.com or via Launchpad OpenID. I suspect that has something to do with me no longer being at Canonical. Additionally, when logging in directly to login.ubuntu.com (with only user/pass), I'm not prompted for 2fa, nor do I see the 2fa configuration tab.
Once I was added to sso-2f-testers it seems that 2fa was re-enabled when logging in directly to login.ubuntu.com, and the configuration tab became visible again.
The issue here is really that 2fa is enabled for the api, even though it's not enforced or configurable for openid or directly via login.ubuntu.com
The account in question has all the things that should trigger 2fa:
- @canonical.com address
- "twofactor_required" flag enabled
Also:
- was a member of ~canonical group (but probably isn't anymore?)
And the symptom seems to be:
- API logins ask for 2fa (e.g. gnome-software, probably snapcraft, and I guess other SSO API clients would have the same issue). This sounds correct-ish because the account does require 2fa.
- Web logins do NOT ask for 2fa, and incorrectly allow the login through (bug https://bugs.launchpad.net/canonical-identity-provider/+bug/1073074 is about a similar case but where a web login does not ask for 2fa and does NOT allow the login through, because 2fa is marked as required).
- The user has no way of managing 2fa devices, because they were neither in ~canonical nor in ~sso-2f-testers at the time of encountering the issue.
Once the user was added to ~sso-2f-testers, things worked as expected apparently. However that's not entirely desirable in every case.
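The failure mode reported above (one login path enforcing 2fa, the other waving the same account through with a password only) is what happens when each path carries its own copy of the "does this account need 2fa?" decision. The following is an added illustration, not code from canonical-identity-provider or any Canonical project: the `Account` fields, the `api_login_buggy`/`web_login_buggy` split, the `has_2fa_device` attribute and the sample accounts are all hypothetical. It contrasts two drifting policy copies with a single shared `requires_2fa()` used by every path, and fails closed when a 2fa-required account has no device enrolled instead of silently letting the login through.

```python
"""Added example (hypothetical, not Canonical SSO code): why two login paths
that each decide 2fa requirements drift apart, and how one shared policy fixes it.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    twofactor_required: bool = False          # hypothetical stand-in for the account flag
    groups: set = field(default_factory=set)  # e.g. {"canonical", "sso-2f-testers"}
    has_2fa_device: bool = False              # hypothetical: a TOTP/U2F device is enrolled


def requires_2fa(acct: Account) -> bool:
    """The single policy every login path must consult.

    Any one of the triggers listed in the bug report is enough on its own, so
    losing ~canonical membership must NOT relax the requirement while the
    address or the flag still apply.
    """
    return (
        acct.twofactor_required
        or acct.email.lower().endswith("@canonical.com")
        or "canonical" in acct.groups
    )


# --- Buggy shape: each path re-implements the policy, and they disagree ---

def api_login_buggy(acct: Account, password_ok: bool, otp_ok: bool) -> str:
    """API path: looks at the flag and the address (so it asks for 2fa)."""
    if not password_ok:
        return "denied"
    if acct.twofactor_required or acct.email.lower().endswith("@canonical.com"):
        return "ok" if otp_ok else "2fa_required"
    return "ok"


def web_login_buggy(acct: Account, password_ok: bool, otp_ok: bool) -> str:
    """Web/OpenID path: only gates on group membership, which the user lost."""
    if not password_ok:
        return "denied"
    if "canonical" in acct.groups or "sso-2f-testers" in acct.groups:
        return "ok" if otp_ok else "2fa_required"
    return "ok"  # password-only login succeeds for a 2fa-required account


def paths_disagree(acct: Account) -> bool:
    """Audit check: True when a password-only login gets different answers
    from the two paths, i.e. the inconsistency described in the bug."""
    return api_login_buggy(acct, True, False) != web_login_buggy(acct, True, False)


# --- Fixed shape: one policy, one enforcement point, fail closed ---

def login(acct: Account, password_ok: bool, otp_ok: bool) -> str:
    """Shared login decision used by API, web and OpenID front-ends alike."""
    if not password_ok:
        return "denied"
    if requires_2fa(acct):
        if not acct.has_2fa_device:
            # Do not fall through to a password-only success; the user must be
            # sent to device enrolment, which therefore has to be reachable
            # regardless of group membership.
            return "2fa_enrolment_required"
        return "ok" if otp_ok else "2fa_required"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: ex-employee still carrying the address and the flag.
    ex_staff = Account("someone@canonical.com", twofactor_required=True, has_2fa_device=True)
    print("paths disagree:", paths_disagree(ex_staff))
    print("fixed path, password only:", login(ex_staff, True, False))
```

`paths_disagree()` is the kind of check worth running over the whole account table when a symptom like this is reported: any account for which it returns True is one that can bypass 2fa on at least one front-end.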