2fa required via api but not via openid

Bug #1815782 reported by Dave Chiluk
This bug affects 1 person
Affects: Canonical SSO provider
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

So I discovered today that my Ubuntu One login requires 2fa while trying to enable Livepatch via "Software & Updates", but 2fa was not required when logging in directly via login.ubuntu.com or via Launchpad OpenID. I suspect that has something to do with me no longer being at Canonical. Additionally, when logging in directly to login.ubuntu.com (with only user/pass), I'm not prompted for 2fa, nor do I see a 2fa configuration tab.

Once I was added to sso-2f-testers it seems that 2fa was re-enabled when logging in directly to login.ubuntu.com, and the configuration tab became visible again.

The issue here is really that 2fa is enabled for the API, even though it's not enforced or configurable for OpenID or directly via login.ubuntu.com.

Daniel Manrique (roadmr) wrote :

The account in question has all the things that should trigger 2fa:

- @canonical.com address
- "twofactor_required" flag enabled

Also:
- was a member of ~canonical group (but probably isn't anymore?)

And the symptom seems to be:

- API logins ask for 2fa (e.g. gnome-software, probably snapcraft, and I guess other SSO API clients would have the same issue). This sounds correct-ish because the account does require 2fa.
- Web logins do NOT ask for 2fa, and incorrectly allow the login through (bug https://bugs.launchpad.net/canonical-identity-provider/+bug/1073074 is about a similar case but where a web login does not ask for 2fa and does NOT allow the login through, because 2fa is marked as required).
- The user has no way of managing 2fa devices, because they were neither in ~canonical nor in ~sso-2f-testers at the time of encountering the issue.

Once the user was added to ~sso-2f-testers, things worked as expected, apparently. However, that's not entirely desirable in every case.
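The comment above describes a policy that is evaluated differently on different login surfaces: the API path honours all of the 2fa triggers, the web/OpenID path does not, and the device-management tab is gated on yet another condition. The following is an added, constructed Python model of that bug class and its fix; it is not the Canonical SSO provider's code, and the `Account` fields, group names and function names are assumptions for illustration only. It shows why a single shared `requires_2fa()` decision, called from every surface, is the fix, and gives a small audit routine a defender can run to detect surfaces that disagree with the policy.

```python
# Constructed model of one 2FA policy shared across login surfaces.
# Names, fields and group names are assumptions for illustration; this is not
# the Canonical SSO provider's code.
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    twofactor_required: bool = False      # per-account flag named in the comment above
    groups: set = field(default_factory=set)


def requires_2fa(acct: Account) -> bool:
    """The single policy decision. Every login surface must call this."""
    return (
        acct.twofactor_required
        or acct.email.endswith("@canonical.com")
        or "canonical" in acct.groups
    )


def can_manage_devices_buggy(acct: Account) -> bool:
    # Device-management tab gated only on group membership.
    return bool(acct.groups & {"canonical", "sso-2f-testers"})


def can_manage_devices_fixed(acct: Account) -> bool:
    # Anyone the policy requires 2fa of must be able to manage their devices.
    return can_manage_devices_buggy(acct) or requires_2fa(acct)


def api_login(acct: Account, password_ok: bool, otp_ok: bool) -> str:
    if not password_ok:
        return "denied"
    if requires_2fa(acct) and not otp_ok:
        return "2fa_required"
    return "ok"


def web_login_buggy(acct: Account, password_ok: bool, otp_ok: bool) -> str:
    # Web/OpenID path re-implements the decision with only one of the triggers,
    # so an account that has left the group but keeps the flag slips through.
    if not password_ok:
        return "denied"
    if "canonical" in acct.groups and not otp_ok:
        return "2fa_required"
    return "ok"


def web_login_fixed(acct: Account, password_ok: bool, otp_ok: bool) -> str:
    # Same check as the API path, through the shared policy function.
    return api_login(acct, password_ok, otp_ok)


def audit_surfaces(acct: Account, surfaces: dict) -> list:
    """Return the names of login surfaces whose password-only outcome
    disagrees with the policy: a consistency check to run over accounts
    whose status has changed (e.g. group removal)."""
    expected = "2fa_required" if requires_2fa(acct) else "ok"
    return sorted(name for name, fn in surfaces.items()
                  if fn(acct, True, False) != expected)


if __name__ == "__main__":
    # Constructed account matching the description: canonical.com address,
    # flag set, no longer in ~canonical, not in ~sso-2f-testers.
    reporter = Account("someone@canonical.com", twofactor_required=True)
    print(audit_surfaces(reporter, {"api": api_login, "web": web_login_buggy}))  # ['web']
    print(audit_surfaces(reporter, {"api": api_login, "web": web_login_fixed}))  # []
```

The design point is that the three triggers are evaluated in exactly one place; any surface that copies the logic (as `web_login_buggy` does) will drift as soon as one trigger changes, which is what group removal did here. `can_manage_devices_fixed` closes the second gap in the comment: whoever is required to present a second factor must also be able to see and manage their devices.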

Dave Chiluk (chiluk) wrote :

That is correct: I was a member of ~canonical, but am not any more.

I'd actually argue that the web login was doing the correct thing. This is because, as a user, when logging in I do not see any configuration for 2fa. Whereas the API prompting for 2fa seems wrong, since there's no user-facing configuration visible once logged in via login.ubuntu.com showing that 2fa is enabled.

Another solution would be to fix the UI to check for 2fa being required, and show the auth device configuration tab if it's required. The openid login would have to also be fixed to require 2fa.

I'm not sure what mechanism you use to determine if 2fa is required (database lookup, Launchpad group membership, something else), so take this all with a grain of salt.
