Audit Log for /auth Requiring a Challenge


#1

Would it be possible to have the audit log entry for a /auth where a challenge is required to be displayed differently than a failed auth?

Both the entry where the PIN was correct but a challenge is needed and an incorrect PIN both show up in the Audit Log as a generic “Wrong Credentials”. It would be helpful if the entry contained a flag if the PIN was correct but a challenge was needed.


#2

No, this is not possible.
Unless s.o. does a convincing pull request.


#3

Is there anything else that I might be able to utilize to get similar information? The goal would be when troubleshooting logon issues to be able to determine if the PIN is incorrect versus the OTP being incorrect.


#4

Think about what you just said, take a look at the audit log and look closer.


#5

If I am using calls against /validate, I show the different messages of ‘wrong otp pin’ and ‘enter token code from sms’ in the audit log.

If I use calls against /auth, the audit log only shows ‘Authentication failure. Wrong credentials’ for both scenarios.


#6

I achieved results similar to the /validate by adding a couple lines to the error.py class.

class AuthError(privacyIDEAError):
    def __init__(self, description, id=ERROR.AUTHENTICATE, details=None):
        self.details = details
        if details is not None and details.get('message') is not None:
            description = details.get('message')
        privacyIDEAError.__init__(self, description=description, id=id)