By: Cornelius Kölbel user 12 Aug 2020 at 5:42 a.m. CDT

6 Responses
Hello, I am trying to write a custom authentication script for 2FA with privacyIDEA. I think I did not quite understand the concept of the steps. We started with a basic custom script and we see that all methods in our script are called. The authenticate method returns True, but authentication still fails. So I *assume* there is something wrong with the stepping. Our own debug output looks like this:

* No extra HTML Page for page 1
* IsValidAuthMethod is successfull
* Prepare for step 1
* No parameter for step 1
* authenticating in step 1
* authentication step one successful
* No parameter for step 2
* getCountAuthSteps returns 1
* No parameter for step 2

So what puzzles me is, the authentication is successful but it looks as if it is somehow stuck in step 2. Our skeleton test script can be found here: https://github.com/privacyidea/gluu/blob/master/privacyidea.py

How can I finalize the authentication flow?

Thanks a lot
Cornelius

By Jose Gonzalez staff 12 Aug 2020 at 8:30 a.m. CDT

Hi Cornelius,

We don't offer assistance on custom script coding for community users; however, after a quick inspection of the script you linked I have some observations:

- L23 returns `False` (I assume you already populated a property `privacyidea_url` for this script)
- L25 and many others use python 3.x style. I'm not really sure it is properly recognized in custom scripts, because Gluu uses Jython as the engine to run scripts and it expects 2.x syntax
- L56 returns `True`, but that's not enough because oxAuth cannot determine who the authenticated user is. So you may like to remove that `return` and around L63 do `authenticationService.authenticate(user_name, user_password)`. That will tie the session to the user identified by `user_name`.

I recommend studying the basic script (it is already listed in oxTrust), and then moving to a simple 2FA one like twilio_sms.

By Cornelius Kölbel user 12 Aug 2020 at 9:01 a.m. CDT

Hello Jose, thank you for your response. Mike asked me to pass my questions to this support forum. Otherwise I totally understand you.

The print syntax is fine. It is actually your 3rd point. When we do an `authenticationService.authenticate` it works out, but only if the user enters his (in our case) LDAP password. We would like to be that flexible, that the user does not need to enter his LDAP password. So how is the user object actually bound to the session? Something happens under the hood in `authenticationService.authenticate`. Is it even possible to **not** have the user enter his LDAP password at all?

Thanks a lot
Cornelius

By Cornelius Kölbel user 12 Aug 2020 at 9:04 a.m. CDT

Hm, is this: https://github.com/GluuFederation/oxAuth/blob/master/Server/src/main/java/org/gluu/oxauth/service/AuthenticationService.java#L146 what makes the user authenticated?

By Cornelius Kölbel user 12 Aug 2020 at 9:25 a.m. CDT

Solved it. I need to add the username in "auth_user" in the session. I can do this in the Jython script like this:

~~~~python
sessionIdService = CdiUtil.bean(SessionIdService)
sessionId = sessionIdService.getSessionId()  # fetch from persistence
sessionId.getSessionAttributes().put("auth_user", user_name)
sessionIdService.updateSessionId(sessionId)
~~~~

Thanks a lot for all pointers.

Kind regards
Cornelius

By Jose Gonzalez staff 12 Aug 2020 at 10:24 a.m. CDT

> Is it even possible to not have the user enter his LDAP password at all?

Yes. You can do basically whatever you want via custom scripts. I consider the following would be better: `authenticationService.authenticate(user_name)`. Check [this](https://gluu.org/docs/gluu-server/4.1/developer-guide/tips-cust-script-pages/#class-authenticationservice)
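An added example (not code from the thread, the linked privacyidea.py script, or Gluu itself) of how the step-1 decision can be written so the OTP check is testable outside Gluu: the privacyIDEA `/validate/check` response is accepted only when both `result.status` and `result.value` are true, and only then is the session bound to the user via `authenticationService.authenticate(user_name)`, as suggested above. The oxAuth class paths and the sample responses are assumptions; the binding function only runs inside the Gluu Jython engine.

```python
# Added example: privacyIDEA OTP check separated from the oxAuth session binding.
# Plain Python 2/3 (Jython 2.7 compatible), no f-strings or 3.x-only syntax.
import json


def parse_validate_check(body):
    """Parse a privacyIDEA /validate/check JSON body.

    True only when the request itself succeeded (result.status) AND the OTP
    was accepted (result.value is true). Any other shape, including malformed
    JSON or a server-side error, counts as a failed check.
    """
    try:
        result = json.loads(body)["result"]
        return bool(result.get("status")) and result.get("value") is True
    except (ValueError, KeyError, TypeError, AttributeError):
        return False


def decide_step1(user_name, body):
    """Return the user name to bind to the session, or None to fail step 1.

    An empty user name fails closed even if the OTP response is positive.
    """
    if not user_name:
        return None
    return user_name if parse_validate_check(body) else None


def bind_user_to_session(user_name):
    """oxAuth side: bind the session to user_name without an LDAP password.

    Assumed class paths as used by Gluu 4.x custom scripts; verify against
    your version. Runnable only inside the Gluu custom-script (Jython) engine.
    """
    from org.gluu.service.cdi.util import CdiUtil
    from org.gluu.oxauth.service import AuthenticationService
    auth = CdiUtil.bean(AuthenticationService)
    return auth.authenticate(user_name)  # boolean: True when the session is bound


# Constructed sample responses (shape of privacyIDEA's /validate/check, not captured output)
OTP_ACCEPTED = '{"result": {"status": true, "value": true}, "detail": {"message": "matching 1 tokens"}}'
OTP_REJECTED = '{"result": {"status": true, "value": false}, "detail": {"message": "wrong otp pin"}}'
SERVER_ERROR = '{"result": {"status": false, "error": {"code": -1, "message": "internal error"}}}'
```

In the custom script, `authenticate()` for step 1 would call `decide_step1` with the submitted user name and the HTTP response body, and call `bind_user_to_session` only when it returns a user.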

By Cornelius Kölbel user 12 Aug 2020 at 11:02 a.m. CDT

Hi Jose, cool! Thanks a lot. So many APIs and so much documentation. This will ease things even more.

Kind regards
Cornelius