OneIdentity / safeguard-ps

One Identity Safeguard PowerShell scripting resources
Apache License 2.0

Connect-Safeguard -Browser (w/ 2FA) sporadically throws Unable to access token #527

Closed azirish1998 closed 2 months ago

azirish1998 commented 2 months ago

Version 7.5.146913

I keep getting an error trying to run Connect-Safeguard -Browser to complete 2FA. Half the time this completes successfully, but the other half I get "Unable to access token" after successfully completing 2FA and closing the browser window.

I've done a little debugging and the error is coming from Get-RstsTokenFromBrowser when it attempts to convert the OAuth2 token to an access token. The response from /RSTS/oath2/token is

{ "error": "invalid_request", "error_description": "Code was already redeemed.", "success": false }

Kevin-Andrew commented 2 months ago

Are you running Safeguard as a cluster? How many nodes? Is the cluster behind a load balancer?

azirish1998 commented 2 months ago

I'm just an end user, so I'm not sure what the deployment looks like unfortunately. I would assume there is a large cluster and it is definitely behind a load balancer.

Kevin-Andrew commented 2 months ago

Okay, can you check with your IT staff and see if/how the load balancing is configured. You may need to have "sticky sessions" enabled.

Or another option might be to ask if they can tell you the IP address or DNS name to a single node of the cluster, not the load balancer IP/DNS.

You could do a quick lookup yourself:

nslookup <your safeguard DNS name>

If it comes back with multiple IP addresses, then your company has "DNS load balancing" set up. If it comes back with one IP address, then you'll still have to check with your IT staff.

My hunch is that with a cluster behind a load balancer, for example, the request for the primary authentication is going to one node of the cluster and caching the token, but then the request for the MFA is being load balanced to another node of the cluster, which won't have that token.

Once you are completely authenticated, Safeguard will distribute your final authentication token throughout the cluster such that any of your requests will work against any node of the cluster. But in terms of the initial authentication, in order to help prevent replay attacks and other things, we don't have it sharing the cache.
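An added PowerShell example (not part of the thread or the safeguard-ps project) that automates the nslookup check above: it resolves the Safeguard name, reports whether DNS round-robin returns several nodes, and shows which of them answer on HTTPS so one node can be named directly. `$SafeguardDns` is a placeholder for your own cluster name; `-Appliance` is the module's existing parameter for naming the appliance to connect to.

```powershell
# Added diagnostic (assumed placeholder name, not a real host).
param([string]$SafeguardDns = "safeguard.example.com")

# Resolve address records only; DNS load balancing shows up as several A records
# for the one name. CNAME entries in the answer are filtered out.
$records   = @(Resolve-DnsName -Name $SafeguardDns -Type A -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' })
$addresses = @($records | Select-Object -ExpandProperty IPAddress -Unique)

if ($addresses.Count -gt 1) {
    Write-Host "DNS load balancing detected: $SafeguardDns resolves to $($addresses.Count) addresses."
} elseif ($addresses.Count -eq 1) {
    Write-Host "$SafeguardDns resolves to one address; a load balancer may still sit in front of the cluster, so confirm with IT."
} else {
    Write-Host "$SafeguardDns returned no A records."
}

# Probe each returned node on 443 so a reachable single node can be used instead of
# the balanced name; talking to one node keeps the pre-MFA token cache on one appliance.
foreach ($ip in $addresses) {
    $ok = Test-NetConnection -ComputerName $ip -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    Write-Host ("{0,-16} HTTPS {1}" -f $ip, $(if ($ok) { 'reachable' } else { 'unreachable' }))
}

if ($addresses.Count -gt 0) {
    # Suggested next step, using the first resolved node directly rather than the VIP.
    Write-Host "Try: Connect-Safeguard -Appliance $($addresses[0]) -Browser"
}
```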

azirish1998 commented 2 months ago

Thanks for your suggestions. I was able to get a different VIP from our admin that resolves to the same host and I haven't had any further issues.