Very long enrollment period for PUSH

Hi there,

I am new here. I am trying to set up privacyIDEA; so far my experience with the documentation is pretty good, but I have some strange issues with the app, specifically setting up PUSH. TL;DR: push works, but the enrollment takes ages. I was already able to crash the app and sent the related information to netknight, but maybe the community has some feedback.

Installed everything on ArchLinux; I am running privacyIDEA as an ordinary user. I am running behind haproxy, which handles my SSL. What happens? First, establish that I am waiting 2 minutes for the enrollment to happen. And I guess it only happens because of the failure; after the ttype/push the app polls every 3 seconds. Obviously I have an opinion about that, but I was actually hoping that this was resolved by the firebase configuration. If for firebase I have not compiled my app myself… I guess UnifiedPush would be something that could be seen as “helpful” here, but I actually hoped that the normal app had infrastructure to federate.

INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 17:54:03] "POST /token/init HTTP/1.1" 200 -
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 17:54:03] "GET / HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 17:54:04] "GET /token/?serial=PIPU000021BB HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 17:54:06] "GET /token/?serial=PIPU000021BB HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 17:54:09] "GET /token/?serial=PIPU000021BB HTTP/1.1" 200 -
...
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 17:56:43] "GET /token/?serial=PIPU000021BB HTTP/1.1" 200 -
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 17:56:46] "GET /token/?serial=PIPU000021BB HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/home/skinkie/.local/lib/python3.10/site-packages/jwt/api_jws.py", line 180, in _load
    signing_input, crypto_segment = jwt.rsplit(b'.', 1)
ValueError: not enough values to unpack (expected 2, got 1)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/skinkie/.local/lib/python3.10/site-packages/flask/app.py", line 2464, in __call__
    return self.wsgi_app(environ, start_response)
  File "/home/skinkie/.local/lib/python3.10/site-packages/flask/app.py", line 2450, in wsgi_app
    response = self.handle_exception(e)
  File "/home/skinkie/.local/lib/python3.10/site-packages/flask/app.py", line 1867, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/home/skinkie/.local/lib/python3.10/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/home/skinkie/.local/lib/python3.10/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/skinkie/.local/lib/python3.10/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/skinkie/.local/lib/python3.10/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/skinkie/.local/lib/python3.10/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/home/skinkie/.local/lib/python3.10/site-packages/flask/app.py", line 1948, in full_dispatch_request
    rv = self.preprocess_request()
  File "/home/skinkie/.local/lib/python3.10/site-packages/flask/app.py", line 2242, in preprocess_request
    rv = func()
  File "/home/skinkie/.local/lib/python3.10/site-packages/privacyidea/api/auth.py", line 403, in decorated_function
    check_auth_token(required_role=["user", "admin"])
  File "/home/skinkie/.local/lib/python3.10/site-packages/privacyidea/api/auth.py", line 423, in check_auth_token
    r = verify_auth_token(auth_token, required_role)
  File "/home/skinkie/.local/lib/python3.10/site-packages/privacyidea/api/lib/utils.py", line 293, in verify_auth_token
    headers = jwt.get_unverified_header(auth_token)
  File "/home/skinkie/.local/lib/python3.10/site-packages/jwt/api_jws.py", line 166, in get_unverified_header
    headers = self._load(jwt)[2]
  File "/home/skinkie/.local/lib/python3.10/site-packages/jwt/api_jws.py", line 183, in _load
    raise DecodeError('Not enough segments')
jwt.exceptions.DecodeError: Not enough segments
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 17:58:11] "POST /ttype/push HTTP/1.1" 200 -

Welcome to privacyIDEA.

“Not enough values to unpack” in jwt sounds familiar to me.

What I see: You are running Python 3.10?
privacyIDEA has no unit tests for 3.10 - only up to 3.9.
So I do not know if it would work on 3.10 at all.

Also: please check your version of jwt. It should match the requirements.txt file.

I have installed the requirements via the requirements.txt method. Is there any way I can explore what jwt version is in fact used when it is imported? Now ArchLinux does not seem to give me a Python 3.9 option anymore, so I’ll better investigate the reason behind this.

Requirement already satisfied: PyJWT==1.7.1 in ./.local/lib/python3.10/site-packages (1.7.1)
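The traceback in the first post shows where the 500 comes from: the request dies in `check_auth_token`, before any route runs, because `jwt.get_unverified_header()` raises `DecodeError('Not enough segments')` when whatever arrived in the Authorization header does not split into the three dot-separated JWT segments, and nothing catches it. The block below is an added example, not privacyIDEA's or PyJWT's code: a stdlib-only HS256 verifier in the shape of `verify_auth_token` that treats a malformed, tampered, expired or under-privileged token as an authentication failure (401) instead of an unhandled exception. The secret, the `AuthError` type, the claim names (`username`, `role`, `exp`) and the `Bearer` handling are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


class AuthError(Exception):
    """Any token problem; the API layer maps it to HTTP 401 (assumed type, not privacyIDEA's)."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    # Bad input raises binascii.Error / UnicodeEncodeError, both subclasses of ValueError.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT for the constructed test scenario (not the server's own minting code)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_auth_token(token, secret: bytes, required_role, now=None) -> dict:
    """Return the verified claims or raise AuthError; never lets a parse error escape."""
    # This is exactly the case in the traceback: the token must have three segments.
    if not isinstance(token, str) or token.count(".") != 2:
        raise AuthError("malformed token: expected 3 segments")
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, Unicode errors
        raise AuthError(f"malformed token: {exc}") from None
    # Pin the algorithm on the server side; never let the token pick it (e.g. "none").
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise AuthError("bad signature")
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:  # a token without exp is treated as expired
        raise AuthError("token expired")
    if payload.get("role") not in required_role:
        raise AuthError("insufficient role")
    return payload


def authenticate_request(headers: dict, secret: bytes, required_role, now=None) -> tuple:
    """What a before-request hook should do: (401, error) on any auth failure, never a 500."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else auth
    try:
        payload = verify_auth_token(token, secret, required_role, now)
    except AuthError as exc:
        return 401, {"error": str(exc)}
    return 200, {"user": payload.get("username"), "role": payload.get("role")}


if __name__ == "__main__":
    secret = b"constructed-test-secret"
    good = sign_token({"username": "skinkie", "role": "admin", "exp": 2_000_000_000}, secret)
    for name, hdr in [("valid", good), ("empty", ""), ("two segments", "abc.def")]:
        print(name, authenticate_request({"Authorization": hdr}, secret, ["user", "admin"], now=1_000_000_000))
```

To answer the question about which jwt is actually imported: `python -c "import jwt, importlib.metadata as m; print(jwt.__file__, m.version('PyJWT'))"` prints the file the interpreter loaded and the installed distribution version; the `.../python3.10/site-packages/jwt/...` paths in the traceback already show which interpreter and copy were in use.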

@cornelinux I have compiled the Dart app from GitHub, which does the trick in certainly a shorter time and without the jwt error. So I would not want to exclude the app currently published in the Google Play Store.

INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 21:59:45] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 21:59:48] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 21:59:51] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 21:59:54] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 21:59:56] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 21:59:59] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 22:00:02] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 22:00:05] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 22:00:08] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 22:00:11] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 22:00:13] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 22:00:16] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 22:00:19] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 22:00:22] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 22:00:24] "POST /ttype/push HTTP/1.1" 200 -
INFO:privacyidea.lib.resolvers.PasswdIdResolver:loading users from file /etc/passwd from within '/home/skinkie/.local/bin'
INFO:werkzeug:10.9.0.106 - - [03/Mar/2022 22:00:25] "GET /token/?serial=PIPU00012FFE HTTP/1.1" 200 -

Ok, let's close this one by adding some knowledge acquired while debugging the app.

The GET /token/?serial= is called by the web interface. Important to understand.

The waiting time can be explained by the “Start generating RSA key pair” and “Finished generating RSA key pair”. The JWT error sometimes happens; I cannot yet consistently reproduce it.

Finally I understood your initial post.

So you are enrolling a push token and just scanned the QR code and you are waiting for something to happen. I did not get this from your initial post.

During enrollment the following happens:
When you scanned the QR code the smartphone app will generate cryptographic keys. If you have an old device this can take a loooong time. The smartphone has to be able to reach the privacyIDEA server!
https://privacyidea.readthedocs.io/en/latest/policies/enrollment.html#push-registration-url
The URL is contained in the QR code.
If your smartphone is not on the same network, if the SSL certificate is not trusted… it will not work out.
A lot of things can fail.
I would often NOT recommend to use push, because it is very difficult to set up.

Meanwhile the WebUI checks if the smartphone has finalized the enrollment.
These are the GET /token requests you are seeing.

It is roughly described here: concept: PushToken · privacyidea/privacyidea Wiki · GitHub
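The enrollment flow just described, as an added example that is not part of this thread or of privacyIDEA's code: the phone spends its time generating keys and must then reach the registration URL, while the web UI keeps issuing `GET /token/?serial=` every few seconds until the token leaves its waiting state. The block models both sides with a simulated clock so it runs offline, and gives the poller the two things the log above lacks: an explicit deadline, so a phone that never reaches the server does not leave the UI polling forever, and a per-state message for the user. The `rollout_state` values `clientwait` and `enrolled`, the key-generation duration and the server behaviour are assumptions for illustration.

```python
CLIENTWAIT = "clientwait"  # assumed rollout_state while the phone has not registered yet
ENROLLED = "enrolled"      # assumed rollout_state after the phone posted its public key

# User-facing text per state, in the spirit of "Creating cryptographic keys... please wait."
STATE_MESSAGES = {
    CLIENTWAIT: "Waiting for the smartphone to create its keys and contact the server...",
    ENROLLED: "Push token enrolled.",
}


class SimClock:
    """Fake wall clock so the example runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class FakePushServer:
    """Constructed stand-in for the server plus phone: the phone finishes key generation
    keygen_seconds after the QR scan and, if it can reach the registration URL, registers."""
    def __init__(self, serial, keygen_seconds, phone_can_reach_server=True):
        self.serial = serial
        self.scanned_at = 0.0
        self.keygen_seconds = keygen_seconds
        self.phone_can_reach_server = phone_can_reach_server
        self.state = CLIENTWAIT
        self.log = []  # request log shaped like the werkzeug lines in the thread

    def get_token(self, serial, now):
        # Modelling shortcut: the phone's registration is applied when it would have happened.
        if (self.state == CLIENTWAIT and self.phone_can_reach_server
                and now - self.scanned_at >= self.keygen_seconds):
            self.log.append(f"[{now:7.1f}s] POST /ttype/push serial={serial}")
            self.state = ENROLLED
        self.log.append(f"[{now:7.1f}s] GET /token/?serial={serial} rollout_state={self.state}")
        return {"serial": serial, "rollout_state": self.state}


def wait_for_enrollment(get_token, serial, clock, sleep, interval=3.0, deadline=120.0, on_state=None):
    """Poll like the web UI, but stop at a deadline. Returns (final_state_or_'timeout', polls)."""
    start = clock()
    polls = 0
    last_state = None
    while True:
        now = clock()
        polls += 1
        state = get_token(serial, now).get("rollout_state")
        if state != last_state and on_state:
            on_state(state)  # surface each state change to the user instead of a blank wait
        last_state = state
        if state != CLIENTWAIT:
            return state, polls
        if now - start >= deadline:
            return "timeout", polls
        sleep(interval)


def run_scenario(keygen_seconds, reachable=True, deadline=120.0, interval=3.0):
    """Drive one enrollment attempt; returns (outcome, polls, user messages, request log)."""
    clock = SimClock()
    server = FakePushServer("PIPU00012FFE", keygen_seconds, reachable)
    messages = []
    outcome, polls = wait_for_enrollment(
        server.get_token, server.serial, clock.now, clock.sleep, interval, deadline,
        on_state=lambda s: messages.append(STATE_MESSAGES.get(s, s)))
    return outcome, polls, messages, server.log


if __name__ == "__main__":
    # Old phone: 150 s of key generation, UI deadline 5 minutes -> enrolled after 51 polls.
    outcome, polls, messages, log = run_scenario(150, deadline=300)
    print(outcome, polls, messages)
    print("\n".join(log[:3] + ["..."] + log[-3:]))
    # Phone cannot reach the registration URL (wrong network, untrusted cert): times out.
    print(run_scenario(150, reachable=False, deadline=120)[:2])
```

The timeout branch is the one worth keeping: with the unbounded loop from the log above, an unreachable registration URL looks identical to a slow phone, and only the deadline message tells the user that the enrollment needs a closer look at network reachability and certificate trust.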

Shall I commit a change that would actually inform the user about the different states in the app like “Creating cryptographic keys… please wait.” ?

Let's say, I think the documentation on how to set push up can be improved to match with more recent versions. I think rolling out the new app would also have a positive impact on the user experience (it looks much better, but I think the pull request for an avatar would be something that should be added before, and I might suggest some font changes to at least match the more friendly look, like the button bar below).

I do not understand you.
Which new app?

GitHub - privacyidea/pi-authenticator: OTP Authenticator App for privacyIDEA Authentication Server looks much better than what is currently in the Play Store :slight_smile:

Isn’t that great? Then you can look forward to the future!
One day it will be in the play store - this is how software development works.

PS: Thanks for the design feedback

It isn’t hard to compile it, and patch the required firebase stuff. Nice future ahead, even a Dutch translation :wink: