Trigger local MFA when coming through GSS #91

Closed
michielbdejong opened this issue Nov 1, 2023 · 8 comments

Comments

@michielbdejong
Member

I want to test #72 myself with our new setup from pondersource/dev-stock#50 (comment)

@michielbdejong
Member Author

Testing this now, trying to set up a local MFA method for usr2 on sunet-nc2.

michielbdejong changed the title from "Test local MFA trigger when coming through GSS" to "Trigger local MFA when coming through GSS" on Nov 3, 2023
@michielbdejong
Member Author

I set up TOTP for usr2 and then logged in in a private browsing tab, but TOTP was not triggered after landing from GSS. Investigating.

@michielbdejong
Member Author

I can see error_log statements getting logged:

docker logs -f sunet-nc2 | grep php:notice

@michielbdejong
Member Author

I'm getting an error on https://github.com/pondersource/mfazones/blob/21ed0179b4ba05e65096ffa251f130311fee8a3a/lib/AppInfo/Application.php#L51 - no instance of the class TwoFactorManager is found in the server container apparently.

@michielbdejong
Member Author

#58 mentioned this snippet:

--- lib/Controller/SlaveController.php.bak      2023-05-15 12:09:59.781413663 +0200
+++ lib/Controller/SlaveController.php  2023-05-15 12:21:22.377966117 +0200
@@ -26,6 +26,7 @@
 use Firebase\JWT\ExpiredException;
 use Firebase\JWT\JWT;
 use OC\Authentication\Token\IToken;
+use OC\Authentication\TwoFactorAuth\Manager;
 use OCA\GlobalSiteSelector\GlobalSiteSelector;
 use OCA\GlobalSiteSelector\TokenHandler;
 use OCA\GlobalSiteSelector\UserBackend;
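Review bot: the added `use OC\Authentication\TwoFactorAuth\Manager;` brings in a second dependency on the server's private `OC\` namespace, next to the existing `OC\Authentication\Token\IToken`. Classes under `OC\` carry no stability guarantee across server releases, so the controller can break on upgrade; if the concrete manager has to be used, say so in a comment beside the import and state which server versions the app supports.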
@@ -33,6 +34,7 @@
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\OCSController;
+use OCP\IConfig;
 use OCP\ILogger;
 use OCP\IRequest;
 use OCP\ISession;
@@ -63,12 +65,16 @@
        /** @var IURLGenerator */
        private $urlGenerator;

+       private IConfig $config;
+
        /** @var ICrypto */
        private $crypto;

        /** @var TokenHandler */
        private $tokenHandler;

+       private Manager $twoFactorManager;
+
        /** @var IUserManager */
        private $userManager;

@@ -100,7 +106,9 @@
                                                                IUserSession $userSession,
                                                                ISession $session,
                                                                IURLGenerator $urlGenerator,
+                                                               IConfig $config,
                                                                ICrypto $crypto,
+                                                               Manager $twoFactorManager,
                                                                TokenHandler $tokenHandler,
                                                                IUserManager $userManager,
                                                                UserBackend $userBackend
@@ -110,7 +118,9 @@
                $this->logger = $logger;
                $this->userSession = $userSession;
                $this->urlGenerator = $urlGenerator;
+               $this->config = $config;
                $this->crypto = $crypto;
+               $this->twoFactorManager = $twoFactorManager;
                $this->tokenHandler = $tokenHandler;
                $this->userManager = $userManager;
                $this->userBackend = $userBackend;
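Review bot: `$this->config = $config;` stores a dependency that none of the hunks in this patch read; the only new behaviour, in the last hunk, uses `$this->userManager` and `$this->twoFactorManager`. If nothing else in the file consults it, drop the `IConfig` import, property and constructor parameter, or include the code that uses it.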
@@ -173,6 +183,10 @@
                }

                $this->userSession->createSessionToken($this->request, $uid, $uid, null, IToken::REMEMBER);
+
+               $user = $this->userManager->get($uid);
+               $this->twoFactorManager->prepareTwoFactorLogin($user, false);
+
                $home = $this->urlGenerator->getAbsoluteURL($target);
                return new RedirectResponse($home);
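
Review bot: in the lines added after `createSessionToken(...)`, the result of `$this->userManager->get($uid)` goes straight into `prepareTwoFactorLogin($user, false)` with no check that a user was found, and the call runs on every login regardless of whether that user has a second factor configured. Guard against a missing user and check the user's two-factor state before preparing the challenge. The session token is also created with `IToken::REMEMBER` while `false` is passed as the second argument here; if that argument is the remember-me flag, the two should agree, or a comment should explain the mismatch.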

@michielbdejong
Member Author

Duplicate of #72

michielbdejong marked this as a duplicate of #72 on Nov 13, 2023