Reset_all_user_tokens issue


#1

If passthru:userstore is used in an authentication policy, it appears that reset_all_user_tokens causes a conflict and denies access. Is this by design or a bug? I would expect the behavior to only apply to those with tokens. Thanks


#2

Can you please tell more about the “conflict”, that is caused?
Do you have an error message or/and the output of the privacyidea.log?
Thanks a lot!


#3

In the audit log, I get “Contradicting passthru policies.” for users who do not have a token, and when reset_all_user_tokens is selected. If I de-select reset_all_user_tokens, then the users can authenticate. If you need more info, I’m happy to supply it if you can tell me where to look! :)
Thanks


#4

This actually happens in privacyidea/lib/policydecorators.py in the auth_user_passthru.
You are running 2.23?
Are you sure that you only have one passthru policy? This code should only be called if more than one passthru policy matches. So please re-check your policies!


#5

Correct, 2.23 from the PPA. And correct, I only have the single passthru policy.


#6

Sorry, can not reproduce with policies:

  • scope=AUTH, action=reset_all_tokens
  • scope=AUTH, action=passthru:userstore

/validate/check for a user without a token works out fine.


#7

Odd… thank you for checking. I’ll try again tomorrow. Are you using one policy or two? I was using a single policy. Could that have been my issue?


#8

I am using two policies. Should not matter.

Here is the testcase


with policy “pthru” and “reset_all_tokens”.


#9

I just tested this again. It appears that a single policy with the following doesn’t work:
authentication { "passthru": "userstore", "otppin": "userstore", "reset_all_user_tokens": true }

If I remove { "reset_all_user_tokens": true } from the original policy and create a second policy with authentication { "reset_all_user_tokens": true }, then it seems to work.


#10

I am sorry. I absolutely can not reproduce this.
You need to take a look into your privacyidea.log.
Or use privacyidea-diag; you may have a rather special combination of configurations.


#11

Thanks for taking a look. My setup is pretty vanilla, but I am using AD/LDAP as my userstore. It’s not a blocker for my POC. I’ll do what you suggest. Thanks again!


#12

Just for the record: The error indeed seems like privacyIDEA wrongly concludes there are conflicting policies. This should only happen if there are multiple policies with the same priority that disagree on the value of the “passthru” action. So it definitely shouldn’t happen if you only have one policy. :-/ Would be really interesting if we would be able to reproduce this.
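To make the rule stated in the last post concrete, here is a small Python model of it that replays the configurations from the thread (the two-policy setup from #6, the single combined policy from #9, and a genuinely contradicting pair). This is an added example and not privacyIDEA’s own code: the `Policy` class, `resolve_action()`, `validate_check()`, the sample policies, the assumed passthru value `radius_example` and the “lower number = higher priority” ordering are all assumptions made for illustration.

```python
# Added example: a model of the passthru policy-conflict rule described in
# the thread. NOT privacyIDEA's own code; Policy, resolve_action(),
# validate_check(), the sample policies and the "lower number wins" priority
# ordering are assumptions made for illustration only.
from dataclasses import dataclass


class PolicyConflict(Exception):
    """Raised when same-priority policies disagree on an action value."""


@dataclass(frozen=True)
class Policy:
    name: str
    scope: str       # e.g. "authentication"
    priority: int    # assumption: lower number = higher priority
    actions: dict    # action name -> value (True for flag actions)


def resolve_action(policies, action):
    """Return the winning value of `action` among authentication policies.

    Rule modelled from the thread: only policies that actually carry the
    action take part; among them only the highest-priority ones count, and
    a conflict exists only if those disagree on the value. A single policy
    can never contradict itself, however many other actions it carries.
    """
    carrying = [p for p in policies
                if p.scope == "authentication" and action in p.actions]
    if not carrying:
        return None
    top = min(p.priority for p in carrying)
    values = {p.actions[action] for p in carrying if p.priority == top}
    if len(values) > 1:
        raise PolicyConflict(f"Contradicting {action} policies.")
    return values.pop()


def validate_check(policies, user_has_token):
    """Model of the decision /validate/check would take for one user.

    reset_all_user_tokens is evaluated independently of passthru: it is a
    separate flag action and never changes the passthru value.
    """
    reset_flag = resolve_action(policies, "reset_all_user_tokens") is True
    if user_has_token:
        # Token holders are checked against their token; passthru is ignored.
        return "token-check" + ("+reset-on-fail" if reset_flag else "")
    passthru = resolve_action(policies, "passthru")
    if passthru is None:
        return "denied (no token, no passthru)"
    return f"passthru:{passthru}"


# Constructed sample policies reproducing the configurations in the thread.
TWO_POLICIES = [   # post #6: two separate policies
    Policy("pthru", "authentication", 1, {"passthru": "userstore"}),
    Policy("reset_all_tokens", "authentication", 1,
           {"reset_all_user_tokens": True}),
]
ONE_POLICY = [     # post #9: everything in a single policy
    Policy("auth", "authentication", 1, {
        "passthru": "userstore", "otppin": "userstore",
        "reset_all_user_tokens": True}),
]
CONTRADICTING = [  # same priority, different passthru values (assumed names)
    Policy("p1", "authentication", 1, {"passthru": "userstore"}),
    Policy("p2", "authentication", 1, {"passthru": "radius_example"}),
]


def run_scenarios():
    """Evaluate each sample configuration; conflicts are reported as strings."""
    results = {}
    for label, pols in (("two_policies", TWO_POLICIES),
                        ("one_policy", ONE_POLICY),
                        ("contradicting", CONTRADICTING)):
        try:
            results[label] = validate_check(pols, user_has_token=False)
        except PolicyConflict as exc:
            results[label] = f"error: {exc}"
    results["one_policy_with_token"] = validate_check(ONE_POLICY, user_has_token=True)
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label:24s} {outcome}")
```

Under this model both the two-policy and the single-policy configurations resolve to passthru:userstore for a user without a token, and only the pair with two different passthru values raises the conflict; if a real installation reports “Contradicting passthru policies.” with a single policy, the next thing to check is privacyidea.log and the output of privacyidea-diag, as suggested above.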