Hello Everyone,
I am posting this here in case anyone has the same problem I just had.
As of a few hours ago, Yubico auth stopped working. The PrivacyIdea log file shows:
[2019-03-12 14:14:13,665][46127][140072170755840][ERROR][privacyidea.lib.tokens.yubicotoken:181] The hash of the return from the yubico authentication server (https://api.yubico.com/wsapi/2.0/verify) does not match the data!
[2019-03-12 14:14:13,665][46127][140072170755840][ERROR][privacyidea.lib.tokens.yubicotoken:184] The returned nonce does not match the sent nonce!
[2019-03-12 14:14:13,665][46127][140072170755840][WARNING][privacyidea.lib.tokens.yubicotoken:195] failed with u'MISSING_PARAMETER'
I am not sure about the root cause at this point, but according to my tests, it is an issue with the way the request is formatted by PrivacyIdea: a curl to the yubico API returns a valid answer whereas the PrivacyIdea request fails.
I have found the following (quite gross but functional) patch:
in the file /opt/privacyidea/privacyidea-venv/lib/python2.7/site-packages/privacyidea/lib/tokens/yubicotoken.py
Comment lines 161 and 162:
# r = requests.post(yubico_url,
# data=p)
Add this immediately below, with the same indentation:
request_string = "{0}?id={1}&nonce={2}&otp={3}".format(yubico_url, apiId, nonce, anOtpVal)
r = requests.post(request_string)
Restart PrivacyIdea (identify the PID with ps, then use 'kill -HUP $pid')
Restart Apache (systemctl restart apache2)
And now the request works.
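
An added example, not part of the original post and not privacyIDEA's own code: a Python 3 version of the checks behind the three log lines above (response hash, nonce echo, status). It assumes the reply is a set of key=value lines signed with HMAC-SHA1 over the alphabetically sorted pairs, as in the Yubico validation protocol 2.0; the key, nonce, OTP and both replies are constructed sample values, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample values; not real credentials.
API_KEY_B64 = base64.b64encode(b"constructed-demo-key").decode()
NONCE = "0123456789abcdef0123456789abcdef"
OTP = "cccccccccccccccccccccccccccccccccccccccccccc"

def sign(params, api_key_b64):
    """HMAC-SHA1 over the sorted key=value pairs (without h), base64 encoded."""
    msg = "&".join("{0}={1}".format(k, params[k]) for k in sorted(params) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def parse_response(body):
    """Split the key=value lines; values may contain '=' (base64 padding)."""
    pairs = (line.split("=", 1) for line in body.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def check_response(body, api_key_b64, sent_nonce, sent_otp):
    """Return a list of problems; an empty list means the reply is accepted."""
    params = parse_response(body)
    problems = []
    if not hmac.compare_digest(params.get("h", ""), sign(params, api_key_b64)):
        problems.append("hash mismatch")
    if params.get("nonce") != sent_nonce:
        problems.append("nonce mismatch")
    if params.get("otp") != sent_otp:
        problems.append("otp mismatch")
    if params.get("status") != "OK":
        problems.append("status " + params.get("status", "missing"))
    return problems

def build_response(fields, api_key_b64):
    """Constructed stand-in for the server: sign the fields and serialise them."""
    signed = dict(fields, h=sign(fields, api_key_b64))
    return "\r\n".join("{0}={1}".format(k, v) for k, v in signed.items())

GOOD = build_response({"t": "2019-03-12T14:14:13Z0665", "otp": OTP, "nonce": NONCE,
                       "sl": "25", "status": "OK"}, API_KEY_B64)
# Constructed error reply: echoes neither nonce nor otp and is signed with a
# different key, so it fails the same checks that appear in the log above.
BAD = build_response({"t": "2019-03-12T14:14:13Z0665", "status": "MISSING_PARAMETER"},
                     base64.b64encode(b"some-other-key").decode())

if __name__ == "__main__":
    print(check_response(GOOD, API_KEY_B64, NONCE, OTP), check_response(BAD, API_KEY_B64, NONCE, OTP))
```

A reply that fails the hash check should be treated as untrusted in full, including its status field, since nothing ties it to the validation server.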