Testing privacyIDEA Push Token

Originally published at: https://www.privacyidea.org/testing-privacyidea-push-token/

Today we released version 2.0 of our privacyIDEA Authenticator to the beta test program.

In version 2.0 the privacyIDEA Authenticator implements the Push Token. During rollout, the Push Token exchanges asymmetric keys between the privacyIDEA Server and the privacyIDEA Authenticator.

During authentication the privacyIDEA Server sends a cryptographic challenge via Firebase to the smartphone. The privacyIDEA Authenticator verifies the signature of the privacyIDEA Server and asks the user to confirm the login request. The App then signs the challenge and sends it back to the privacyIDEA Server.

The internals are described at our github wiki page.
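As an added illustration (not code from privacyIDEA or the Authenticator), the following Go model shows the order of operations described above: key exchange at rollout, a server-signed challenge, verification on the phone before the user is prompted, a user-confirmed response signed with the app key, and verification on the server. The key type (Ed25519), the challenge layout and the replay check are assumptions of this model, not privacyIDEA's implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Constructed model of the push flow described above (not privacyIDEA's wire format):
// rollout exchanges public keys; authentication is a server-signed challenge that the
// app verifies before prompting the user and then signs back with its own key.
type Challenge struct {
	Nonce     []byte // random challenge value
	Signature []byte // server signature over Nonce
}

// Enroll models the rollout: each side generates a key pair; the peer keeps the public half.
func Enroll() (srv, app ed25519.PrivateKey) {
	_, srv, _ = ed25519.GenerateKey(rand.Reader)
	_, app, _ = ed25519.GenerateKey(rand.Reader)
	return srv, app
}

var pending = map[string]Challenge{} // issued but not yet consumed challenges (replay check)

// NewChallenge is what the server pushes to the phone (via Firebase in the real system).
func NewChallenge(srv ed25519.PrivateKey) Challenge {
	c := Challenge{Nonce: make([]byte, 20)}
	rand.Read(c.Nonce)
	c.Signature = ed25519.Sign(srv, c.Nonce)
	pending[hex.EncodeToString(c.Nonce)] = c
	return c
}

// Confirm (app side): verify the server signature before prompting; sign only if the user confirmed.
func Confirm(app ed25519.PrivateKey, srvPub ed25519.PublicKey, c Challenge, accepted bool) []byte {
	if !ed25519.Verify(srvPub, c.Nonce, c.Signature) || !accepted {
		return nil
	}
	return ed25519.Sign(app, c.Nonce)
}

// Accept (server side): needs an outstanding challenge and a valid app signature; consumes it so a replay fails.
func Accept(appPub ed25519.PublicKey, nonce, sig []byte) bool {
	key := hex.EncodeToString(nonce)
	if _, ok := pending[key]; !ok || !ed25519.Verify(appPub, nonce, sig) {
		return false
	}
	delete(pending, key)
	return true
}
```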

Join the Beta Test

The privacyIDEA Authenticator 2.0 is available for Android phones at the moment. iOS will follow shortly.

We are happy if you want to participate in the public beta test. Simply go to this site and follow the steps to join the beta test. You can then install the privacyIDEA Authenticator 2.0 on your Android device (minimum version “KitKat”, which we do not recommend! 😉).

Set up for your tests

In this blog post we want to give you an overview of how to get started. For a deeper understanding you can read more about the push token in the online documentation and on GitHub.

Get components

Get privacyIDEA 3.0 and the privacyIDEA Authenticator 2.0.

Network connectivity

Make sure that your smartphone can reach your privacyIDEA server, e.g. by placing the smartphone in the same wireless LAN as your privacyIDEA Server. The smartphone needs to connect to privacyIDEA during enrollment and during authentication.

Firebase project

In the Firebase console you need to create your own Firebase Cloud Messaging project.

From the console you can download the relevant project information.


The relevant information is the “Web API Key”, “App ID”, “Project ID” and the project number, which is the number part of the “Public-facing name”. Copy these values to create a new provider in privacyIDEA.

Download the file google-services.json and fetch the values “project_number”, “project_id”, “mobilesdk_app_id” and “api_key” from this file.

In addition you need to create a new service account for your Firebase project.


You can download the settings of this service account as a JSON file, which you need to copy to the privacyIDEA machine and reference in your privacyIDEA SMS Provider in the next step.

Firebase SMS Provider

In privacyIDEA you need to create an “SMS Gateway” of type “Firebase” with the Firebase project you created in the previous step. The privacyIDEA Server will connect to Firebase with this project.


Enter the data and the JSON file you downloaded from the Firebase console. The JSON config file needs to be copied to the privacyIDEA Server, and you specify its local path on the privacyIDEA Server.

Finally, you also need to enter the registration URL. This is the URL of the privacyIDEA Server that the privacyIDEA Authenticator contacts during the enrollment process, so make sure that this URL uses a form (FQDN or IP) the smartphone can connect to. Unless you know otherwise, the path of the URL should be /ttype/push.
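The Firebase console offers two JSON files that are easy to confuse: google-services.json (the project description you read the provider form values from) and the service-account credentials file, which is the one the local path of the Firebase gateway must point to. As an added example, not privacyIDEA's own code, this Go program checks a file before you enter its path; the key names follow the service-account file format, and the file path in the usage comment is only an example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Constructed helper, not part of privacyIDEA. It tells apart the two JSON files the Firebase
// console offers: google-services.json, the project description the provider form values are
// read from, and the service-account file (a private key), which the gateway's local path needs.
var serviceAccountKeys = []string{
	"type", "project_id", "private_key_id", "private_key", "client_email", "client_id",
	"auth_uri", "token_uri", "auth_provider_x509_cert_url", "client_x509_cert_url",
}
// CheckFirebaseCredentials returns nil for a usable service-account file, else a descriptive error.
func CheckFirebaseCredentials(data []byte) error {
	var doc map[string]any
	if err := json.Unmarshal(data, &doc); err != nil {
		return fmt.Errorf("not a JSON object: %w", err)
	}
	if _, ok := doc["project_info"]; ok {
		return fmt.Errorf("this is google-services.json (project description), not the service-account file")
	}
	for _, k := range serviceAccountKeys {
		if v, _ := doc[k].(string); v == "" {
			return fmt.Errorf("missing or empty field %q", k)
		}
	}
	if doc["type"] != "service_account" {
		return fmt.Errorf(`"type" is %v, expected "service_account"`, doc["type"])
	}
	if !strings.HasPrefix(doc["private_key"].(string), "-----BEGIN PRIVATE KEY-----") {
		return fmt.Errorf("private_key is not a PEM-encoded private key")
	}
	return nil
}

func main() { // usage (example path): go run check.go /etc/privacyidea/push-test.json
	data, err := os.ReadFile(os.Args[1])
	if err == nil {
		err = CheckFirebaseCredentials(data)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "ERROR:", err)
		os.Exit(1)
	}
	fmt.Println("OK: service-account credentials file")
}
```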

Policies

Now you need to configure your privacyIDEA system by creating two policies: one for enrollment and one for authentication.


The enrollment policy contains the name of the Firebase SMS Provider you created in the previous step.

The authentication policy can contain the text that should be displayed in the notification.


Testing

You can now test your setup:

  1. Enroll a new Push token and assign it to a user. Give the Push token a PIN.
  2. In your browser, issue an authentication request using the API: https://your.privacyidea.server/validate/check?user=testuser&pass=yourpin
  3. You should receive a notification on your enrolled smartphone, which you can confirm.

Your help and feedback

The missing link currently is the Application that is supposed to poll for the confirmed authentication.

We need your feedback to know which application we should start working on first. As an alternative, we are also planning to add a delayed response.

@cornelinux Hi, I have a problem with Firebase.
If I try to add a new Firebase integration on the page /#/config/smsgateway/edit/ I still see this error:

ERR302: The JSON file is not a valid firebase credentials file.

In /etc/privacyidea/push-test.json I have the JSON file downloaded from the Firebase website.

I have the latest privacyIDEA 3.2.2 from pip.

This is a bit tricky. There are two JSON files with Firebase. Probably you used the project description file.
You need to create a credentials file and use that one here.

@cornelinux I tried both JSONs: https://ctrlv.cz/V8Lk and https://ctrlv.cz/YdGL
Still the same error.

Did you create a service account for your Firebase instance? I think I did that, downloaded the JSON for it and provided that to the privacyIDEA SMS gateway setup.

@budachst I still don’t know where to get the JSON.
Could you give me some advice, please?

Your JSON file should look like this:

{
  "type": "service_account",
  "project_id": "...",
  "private_key_id": "....",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...==\n-----END PRIVATE KEY-----\n",
  "client_email": "...",
  "client_id": "...",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "..."
}

This is the important part:

After a server reboot it now works 🙂

Thanks.

Is it possible to use the push token with RADIUS?

root@ovpn-mfa:/# time echo "User-Name=pokus, User-Password=1234" | radclient 127.0.0.1 auth testing123 -x
Sent Access-Request Id 16 from 0.0.0.0:51766 to 127.0.0.1:1812 length 45
	User-Name = "pokus"
	User-Password = "1234"
	Cleartext-Password = "1234"
Received Access-Challenge Id 16 from 127.0.0.1:1812 to 127.0.0.1:51766 length 100
	Reply-Message = "Please confirm the authentication on your mobile device!"
	State = 0x3134333738363039363932393036343839373639
(0) -: Expected Access-Accept got Access-Challenge

real	0m0.396s
user	0m0.022s
sys	0m0.004s

I got “Received Access-Challenge” instead of accept/reject.

My goal is to use OpenVPN with the privacyIDEA push tokens.


+1 from me… the first thing I’d like to integrate with is RADIUS as well; that would enable us to secure our Checkpoint VPN with 2FA push tokens.

The RADIUS protocol does not support out-of-band authentication. So this is a legacy application!

Check the docs here and tell me, what you are missing.

Read the docs here to understand the flow of the push authentication. Then you should understand why default push does not work with RADIUS.