E-mail OTP with challenge response

vjr · September 25, 2017, 1:49pm

I believe this is a simple question and something that is probably easy to solve, but I have spent already several days with making PrivacyIdea work and I don’t want to give it much more time as I’m testing different solutions to implement this. So - the scenario:

Users are loaded in PrivacyIdea database with e-mail field (already done).
Request for authentication comes from FreeRadius (done)
PrivacyIdea checks the password, if correct, sends e-mail OTP and returns challenge-response request to FreeRadius. (not working)
User fills in the OTP, sends to Radius -> PrivacyIdea checks the OTP and if OK, it sends Accept.

The best hint I found was in this GitHub issue:

However when I set “passthru”: “userstore” in authetication policy, the user just gets authenticated and no OTP or e-mail is generated although there is a “validate_check” event with action: enroll. If I don’t set the passthru, PrivacyIdea expects OTP and not password so the authentication fails. If I don’t have a token enrolled, authentication fails with “The user has no tokens assigned”.

Could someone please just paste a working configuration for e-mail/SMS authentication with challenge-response? I’m becoming desperate.

PrivacyIdea version: 2.19.1

Jochen_Hein · September 25, 2017, 3:22pm

Do I understand you correctly, that the user doesn’t have an email token assigned when you start?

I’f try the following (but I never used email tokens):

enroll an email token for the user - decide if you want to user token pin or userstore
define an authentication policy that has:
no passthru
challenge_response to email
call /validate/check manually and see if a token get generated

If not, see privacyidea.log. If it works, try radtest and tool at freeradiuslog and privacyidea.log.

Can you provide your config and annotated logs?

vjr · September 26, 2017, 7:12am

Hi Jochen,
thank you for your answer. What I need is basically this funcionality of LinOTP. I did what you suggested, enrolled a new token with Type: “email”. I don’t understand where I should

decide if you want to user token pin or userstore

I don’t see such option in token enrollment. The user should first authenticate with their password saved in userdb (userstore I suppose) and then get the e-mail with OTP for the challenge response.

I created a simple policy:
PassUser authentication { "challenge_response": "email" } [ "myrealm" ] [] [ "Passwd_Resolver" ]

My Events from before and other policies have been disabled.

When I run […]/validate/check?user=testotp&pass=[…], I get JSON response:

{"jsonrpc": "2.0", "signature": "[long number]", "detail": {"message": "wrong otp value", "type": "email", "serial": "PIEM00007E85", "otplen": 6, "threadid": 140640815691968}, "versionnumber": "2.19.1", "version": "privacyIDEA 2.19.1", "result": {"status": true, "value": false}, "time": 1506408477.331072, "id": 1}

No e-mail is being sent, PrivacyIdea seems to expect the OTP, not the user password.

Config files stripped of comments.
pi.cfg:

SUPERUSER_REALM = ['super', 'administrators']
SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://pi:[...]@localhost/pi'
SECRET_KEY = '[...]'
PI_PEPPER = "[...]"
PI_ENCFILE = '/etc/privacyidea/enckey'
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/encauditpr.key'
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/encauditpu.key'
PI_LOGFILE = '/var/log/privacyidea/privacyidea.log'
PI_LOGLEVEL = 10

rlm_perl.ini:

[Default]
URL = https://localhost/validate/check
SSL_CHECK = false
DEBUG = true
[Mapping]
[Mapping user]

The log file is too big, please see:

Please let me know if you have any other idea.

cornelinux · September 26, 2017, 12:58pm

Hi vjr,

ah, autoenrollment of email or sms tokens. This is currently not possible. (see https://github.com/privacyidea/privacyidea/blob/4f3dc5e5d6560d34a43dc32d71e9c597807434cb/doc/faq/rollout-strategies.rst)

Well, you might manage to do this via an token event handler with the action token init, but even if you manage to do this correctly, the user will be only able to authenticate with the next request, since the actions are handled after the event. I.e. the user would already have failed to authenticate due to him not having a token. You can not do the authentication with the new token, which was just created.

But maybe we get a nice idea here.

Kind regards
Cornelius

vjr · September 27, 2017, 7:04am

Hi Cornelius,
that’s a pity, however thanks for your fast reaction and all the work you do on PrivacyIdea!

cornelinux · April 25, 2018, 12:43pm

Hi @vjr,

in the current version 2.22 we added the dynamic email and sms token.
Exactly what you wanted.

Kind regards
Cornelius

vjr · April 25, 2018, 2:18pm

Hi Cornelinux,
thanks for remembering this issue, our project is currently on hold, but if it gets started again, I will give privacyidea another try.
Keep up the good work!
Vojta