Yubico auth not working since a few hours: Quickfix

dcclabau · March 12, 2019, 6:38pm

Hello Everyone,

I am posting this here in case anyone has the same problem I just had.

Since a few hours, Yubico auth stopped working. The PrivacyIdea log file shows:
[2019-03-12 14:14:13,665][46127][140072170755840][ERROR][privacyidea.lib.tokens.yubicotoken:181] The hash of the return from the yubico authentication server (https://api.yubico.com/wsapi/2.0/verify) does not match the data!
[2019-03-12 14:14:13,665][46127][140072170755840][ERROR][privacyidea.lib.tokens.yubicotoken:184] The returned nonce does not match the sent nonce!
[2019-03-12 14:14:13,665][46127][140072170755840][WARNING][privacyidea.lib.tokens.yubicotoken:195] failed with u’MISSING_PARAMETER’

I am not sure about the root cause at this point, but according to my tests, it is an issue with the way the request is formatted by PrivacyIdea: a curl to the yubico API returns a valid answer whereas the PrivacyIdea request fails.

I have found the following (quite gross but functional) patch:
in the file /opt/privacyidea/privacyidea-venv/lib/python2.7/site-packages/privacyidea/lib/tokens/yubicotoken.py

Comment lines 161 and 162:
# r = requests.post(yubico_url,
# data=p)

Add this immediately below, with the same indentation:
request_string = “{0}?id={1}&nonce={2}&otp={3}”.format(yubico_url,apiId, nonce, anOtpVal)
r = requests.post(request_string)

Restart PrivacyIdea (identify the PID with ps, then use 'kill -HUP $pid)
Restart Apache (systemctl restart apache2)

And now the request works.

dcclabau · March 12, 2019, 7:02pm

UPDATE: Cleaner patch
On line 162 just replace “data=p” with “params=p”.

cornelinux · March 12, 2019, 10:17pm

Thanks a lot for the post.

While it does only makes limited sense:
See: http://docs.python-requests.org/en/master/user/quickstart/#make-a-request

A POST requests requires data to be passed in the payload.
In your first patch you added the data as parameters to the URL, just like it needs to be done with a GET request.
Also your second patch add the data as params which is supposed to be only passed to a GET request.

So there are two possibilities:

There is a bug in the requests library that changes the behaviour. Did you update your environment, before the problem occurred?
Yubico updated their auth server in a way to not work compliant to http standards.

Again, thanks a lot for bringing this up.

dcclabau · March 13, 2019, 12:43pm

Hello Cornelius,

The Yubico website states the request must be “an HTTPS GET call”.

https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html

However a POST was working until yesterday morning. I have not updated UCS in the meantime.

Regards,

cornelinux · March 13, 2019, 10:22pm

Interesting, Yubico.
I added an issue:https://github.com/privacyidea/privacyidea/issues/1500
Thanks!