TIQR response problems

I have installed the github master branch to test the TIQR enhancements. I see that the failcounter is not increased anymore when querying for the status.

What I noticed is that when I am using the TIQR token for authentication it sometimes works and other times I get an error message in the TIQR app:

```
unknown_error

The server returned a response in a format tiqr couldn't understand.  Please contact support
```

In the privacyidea.log:
```
[2019-08-01 11:09:33,198][532][140436160804608][INFO][privacyidea.lib.user:231] userid resolved to 'c5d5dc8c-68f7-102c-9f3b-8dcfbd0742f1'
[2019-08-01 11:09:34,109][532][140436152411904][INFO][privacyidea.lib.tokens.tiqrtoken:345] Response code is not valid
[2019-08-01 11:09:34,133][532][140436152411904][INFO][privacyidea.api.lib.postpolicy:183] We only sign JSON response data.
[2019-08-01 11:09:34,211][532][140436160804608][INFO][privacyidea.lib.user:230] user 'bas' found in resolver 'cua'
[2019-08-01 11:09:34,212][532][140436160804608][INFO][privacyidea.lib.user:231] userid resolved to 'c5d5dc8c-68f7-102c-9f3b-8dcfbd0742f1'
[2019-08-01 11:09:35,200][532][140436152411904][INFO][privacyidea.lib.user:230] user 'bas' found in resolver 'cua'
[2019-08-01 11:09:35,200][532][140436152411904][INFO][privacyidea.lib.user:231] userid resolved to 'c5d5dc8c-68f7-102c-9f3b-8dcfbd0742f1'
[2019-08-01 11:09:36,197][532][140436160804608][INFO][privacyidea.lib.user:230] user 'bas' found in resolver 'cua'
```

I have added some debugging and looked at the TIQR token code:
```
r = token.verify_response(
    challenge=challenge.challenge, passw=passw)
if r > 0:
    res = "OK"
    # Mark the challenge as answered successfully.
    challenge.set_otp_status(True)
    # We have found a valid TiQR token transaction, we break out of the loop
    log.info("Yes valid response")
    break
else:
    log.info("Response code is not valid")
```

I have added some log.info statements and it fails in verifying the response from the phone. I do not know the specs of the TIQR protocol enough to pinpoint the problem. Mostly it happens if the QR code is scanned too late (after 15 seconds). I am using the default settings for a token. Have others encountered this problem?

When this occurs it takes a while before we can use the TIQR token again. It keeps generating the error code in the app and privacyidea log files. I have to wait for the default token validation time of 120 seconds before I can use it again.

PS)
Just for the record, a valid response is this (accessing the privacyidea website with TIQR):

```
-08-01 11:16:27,025][532][140436160804608][INFO][privacyidea.lib.user:231] userid resolved to 'c5d5dc8c-68f7-102c-9f3b-8dcfbd0742f1'
[2019-08-01 11:16:28,029][532][140436152411904][INFO][privacyidea.lib.user:230] user 'bas' found in resolver 'cua'
[2019-08-01 11:16:28,029][532][140436152411904][INFO][privacyidea.lib.user:231] userid resolved to 'c5d5dc8c-68f7-102c-9f3b-8dcfbd0742f1'
[2019-08-01 11:16:28,635][532][140436160804608][INFO][privacyidea.lib.tokens.tiqrtoken:342] Yes valid response
[2019-08-01 11:16:28,667][532][140436160804608][INFO][privacyidea.api.lib.postpolicy:183] We only sign JSON response data.
[2019-08-01 11:16:29,028][532][140436152411904][INFO][privacyidea.lib.user:230] user 'bas' found in resolver 'cua'
[2019-08-01 11:16:29,028][532][140436152411904][INFO][privacyidea.lib.user:231] userid resolved to 'c5d5dc8c-68f7-102c-9f3b-8dcfbd0742f1'
[2019-08-01 11:16:29,143][532][140436152411904][INFO][privacyidea.lib.user:230] user 'bas' found in resolver 'cua'
[2019-08-01 11:16:29,143][532][140436152411904][INFO][privacyidea.lib.user:231] userid resolved to 'c5d5dc8c-68f7-102c-9f3b-8dcfbd0742f1'
[2019-08-01 11:16:29,144][532][140436152411904][INFO][privacyidea.lib.user:230] user 'bas' found in resolver 'cua'
[2019-08-01 11:16:29,144][532][140436152411904][INFO][privacyidea.lib.user:231] userid resolved to 'c5d5dc8c-68f7-102c-9f3b-8dcfbd0742f1'
[2019-08-01 11:16:29,161][532][140436152411904][INFO][privacyidea.lib.user:230] user 'bas' found in resolver 'cua'
[2019-08-01 11:16:29,161][532][140436152411904][INFO][privacyidea.lib.user:231] userid resolved to 'c5d5dc8c-68f7-102c-9f3b-8dcfbd0742f1'
[2019-08-01 11:16:29,250][532][140436160804608][INFO][privacyidea.lib.user:230] user 'bas' found in resolver 'cua'
[2019-08-01 11:16:29,250][532][140436160804608][INFO][privacyidea.lib.user:231] userid resolved to 'c5d5dc8c-68f7-102c-9f3b-8dcfbd0742f1'
```

If I read the technical code for TIQR:

section:

If your application supports account blocking after unsuccessful login attempts, it should send an ‘attempts left’ as part of the response, so the phone can display a message to the user indicating she has only so many retries left. For example if tiqr returns AUTH_RESULT_INVALID_RESPONSE, you can send “INVALID_RESPONSE:3” to the phone to indicate there are 3 attempts left. If you block the account then you should output “INVALID_RESPONSE:0” which tells the phone the login was invalid and the account is now blocked on the server side.

I have changed the tiqrtoken code to return INVALID_RESPONSE:3 for an invalid response:

```
if challenge.is_valid() and challenge.otp_valid is False:
    # Challenge is still valid (time has not passed) and no
    # correct response was given.
    token = get_one_token(serial=challenge.serial)
    if token.type.lower() == "tiqr":
        # We found a TiQR token with a valid challenge with the given transaction ID
        res = "INVALID_RESPONSE"
        r = token.verify_response(
            challenge=challenge.challenge, passw=passw)
        if r > 0:
            res = "OK"
            # Mark the challenge as answered successfully.
            challenge.set_otp_status(True)
            # We have found a valid TiQR token transaction, we break out of the loop
            log.info("Yes valid response")
            break
        else:
            res = "INVALID_RESPONSE:3"
            log.info("Response code is not valid")
            break
```

Then in the TIQR app I get:

```
Wrong PIN

You supplied an incorrect PIN. You have 3 attempts left. Please enter your PIN again. Check the verification icon for the last digit.
```

It looks like the response was changed from a simple “INVALID_RESPONSE” to an “INVALID_RESPONSE:n”.

Would you mind creating a pull request for this change at the github repo?

I will submit a pull request for this. We still encounter problems with the TIQR setup. Sometimes it works and other times it says I have entered the wrong PIN code. I did not find the problem. It can be in the TIQR app or the PI server.

We can also block the id on the phone. Should this number depend on the failcount of the token, and should we increase the failcount for the token if the user supplied the wrong response code?

I do not understand this. Which id on the phone?

Which number?

Yes, this should happen and I think it does happen, when the phone sends a wrong response (for whichever reason) to the privacyIDEA server.

I'll try to explain: when you enroll the TIQR token you have to scan it on the phone with the TIQR app. When I scan it the identity will be saved and protected by a PIN. This PIN is used to unlock the identity on the phone.

Now I want to authenticate against the website. I have to provide the privacyidea PIN to activate the TIQR token code. This will display the QR code. I scan this on the phone and supply the wrong app PIN code. Now the response fails, but the failcount of the TIQR token is not increased. Just checked.

With the patch I supply, on the phone app there will be a message that you have supplied the wrong PIN code, with a retry count. I propose that this retry count will be equal to maxfail - failcount. This retry count is the patch I propose. Lastly you can send INVALID_RESPONSE:0 to the phone:

“INVALID_RESPONSE:0” which tells the phone the login was invalid and the account is now blocked on the server side

I have found the problem with authentication with the TIQR token. The TIQR token generates a 10-bit random string. This string is also sent to the TIQR app and both will calculate a response code, and these must be equal for successful authentication.

I found it strange that it sometimes worked and other times it just failed. I think the TIQR app stores this random string in a 32-bit int. Max value is then: 2^31 = 2147483648. I think this is not a server problem.

When I generate random values less than this value, the TIQR token and app work as expected.

Reported this issue:

I made a pull request that fixes the problem with the tiqrtoken and the app:

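An added example (my own, not code from privacyIDEA or the pull request mentioned here) that ties the retry-count proposal from earlier in the thread (INVALID_RESPONSE:n as maxfail - failcount) to the 32-bit observation above, showing which challenge values would wrap if the app stores them in a signed 32-bit int. The function names and the failcount handling are assumptions.

```python
import secrets

# Limit the post suspects on the app side: a signed 32-bit int (2^31).
MAX_SIGNED_32 = 2 ** 31


def tiqr_result(verified, failcount, maxfail):
    """Build the status string sent back to the tiqr app.

    Follows the tiqr text quoted in the thread: "OK" on success,
    "INVALID_RESPONSE:n" with the attempts left otherwise, and
    "INVALID_RESPONSE:0" once the token is blocked. `verified` stands in
    for the `r > 0` outcome of verify_response(); the failcount handling
    here is an assumption, not privacyIDEA's own bookkeeping.
    Returns (status string, updated failcount).
    """
    if verified:
        return "OK", failcount
    # A wrong response counts against the token, as proposed in the thread.
    failcount = min(failcount + 1, maxfail)
    return "INVALID_RESPONSE:%d" % (maxfail - failcount), failcount


def wrap_to_int32(value):
    """Simulate storing `value` in a signed 32-bit int (two's complement)."""
    return ((value + 2 ** 31) % 2 ** 32) - 2 ** 31


def challenge_fits_app(value):
    """True when the server's random value survives the app's int unchanged."""
    return wrap_to_int32(value) == value


def make_challenge(ndigits=10):
    """Random numeric challenge of at most ndigits digits, capped below 2^31."""
    upper = min(10 ** ndigits, MAX_SIGNED_32)
    return secrets.randbelow(upper)


if __name__ == "__main__":
    print(tiqr_result(False, 0, 10))             # ('INVALID_RESPONSE:9', 1)
    print(challenge_fits_app(3000000000))        # False: wraps to -1294967296
    print(challenge_fits_app(make_challenge()))  # True
```

Roughly four out of five uniformly chosen 10-digit values lie at or above 2^31, which matches the intermittent failures described in the thread rather than a consistent one.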