TIQR Authentication Fail counter increase if we query the status

I have a question. I am following the doc:

This behaviour can also be triggered if we log in via the web interface. After we enter the PIN code it will display the QR code and regularly reload the page. When the page reloads it will trigger a fail, and this number increases rapidly and will soon hit the max fail counter.

    [2019-06-14 00:12:03,619][9160][139842900588288][ERROR][privacyidea.lib.auditmodules.sqlaudit:256] DATA: {'success': True, 'client': '145.XXX.XXX.XXX', 'client_user_agent': 'firefox', 'privacyidea_server': 'surfsara.nl', 'action': 'POST /auth', 'action_detail': '', 'info': 'internal admin', 'user': '', 'realm': '', 'administrator': 'pi_admin', 'policies': 'cua_webui,cua_webui'}

This can also be triggered on the command line:

  • curl -X POST 'https://surfsara.nl/validate/check?user=bas&pass=01234'
  • curl -X GET 'https://surfsara.nl/validate/check?user=bas&pass=&transaction_id=139842900588288'
    {
      "detail": {
        "message": "Response did not match the challenge.",
        "serial": "TiQR00004EE3",
        "threadid": 139842900588288,
        "type": "tiqr"
      },
      "id": 1,
      "jsonrpc": "2.0",
      "result": {
        "status": true,
        "value": false
      },
      "time": 1560464269.7498221,
      "version": "privacyIDEA 3.0.1",
      "versionnumber": "3.0.1",
      "signature": "rsa_sha256_pss:0187c3c6e5a3146f0def80901a25fa407b17aae60111dcd0095cc6533be7b6690e180b348961cbc555fe501559dcd9c0860866b..."
    }

Due to these queries we hit the max fail counter rapidly. Is this known, or did we do something wrong in our setup?

I do not know if this is the right approach, but I have changed the tiqrtoken.py code. If the transaction_id is valid but the user has not yet responded, reset the fail counter. This works in my environment:
function: check_challenge_response

    if challengeobject.is_valid():
        # challenge is still open and unanswered: reset the fail counter
        # here instead of counting the status poll as a failed response
        log.info("HvB reset")

wrote a patch:

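A minimal model of the poll-versus-fail distinction this thread is about, added here as an example (it is not privacyIDEA's own code; the lockout threshold, challenge lifetime and return codes are constructed). The buggy check counts every status poll of an unanswered challenge as a failed authentication, while the corrected check reports such a poll as pending and only counts unknown or expired transaction ids against the fail counter.

```python
# Model of the fail-counter behaviour discussed above (added example, not
# privacyIDEA's own code); threshold, lifetime and return codes are constructed.
import uuid

MAX_FAIL = 10            # lockout threshold
VALIDITY_SECONDS = 120   # challenge lifetime
SUCCESS, PENDING, FAIL = 1, 0, -1


class Challenge:
    def __init__(self, now):
        self.expires_at = now + VALIDITY_SECONDS
        self.answered = False  # set when the user confirms in the tiqr app

    def is_valid(self, now):
        return now < self.expires_at


class TiqrToken:
    def __init__(self):
        self.failcount = 0
        self.challenges = {}

    def create_challenge(self, now):
        tid = uuid.uuid4().hex
        self.challenges[tid] = Challenge(now)
        return tid

    def is_locked(self):
        return self.failcount >= MAX_FAIL

    def check_buggy(self, tid, now):
        # Any poll that finds no answer yet is counted as a wrong response.
        ch = self.challenges.get(tid)
        if ch is not None and ch.is_valid(now) and ch.answered:
            self.failcount = 0
            return SUCCESS
        self.failcount += 1
        return FAIL

    def check_fixed(self, tid, now):
        # Unknown or expired transaction ids are real failures ...
        ch = self.challenges.get(tid)
        if ch is None or not ch.is_valid(now):
            self.failcount += 1
            return FAIL
        if not ch.answered:  # ... a valid, unanswered challenge is pending
            return PENDING
        self.failcount = 0
        return SUCCESS
```

Polling the buggy check every few seconds, as the web UI does, locks the token before the user has had a chance to answer; the fixed check leaves the counter at zero until a genuinely wrong, unknown or expired response arrives.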

This was fixed in PR https://github.com/privacyidea/privacyidea/pull/1698
It will be released with privacyIDEA 3.1.
Thanks a lot for bringing this up.