Open robincafolla opened 3 years ago
I'm not 100% sure here, but don't you still have to put in your username/email + password first?
Hence you get the unknown user?
Failed login detected - Username[unknown] ClientAddress[192.168.122.1]
Sorry - closed by mistake - I'll re-open and wait for your response.
In this instance I was pre-authenticated with the external OAuth provider.
When I clicked the Login with OAuth button the system redirected me to the OAuth provider, which checked my session, saw I was logged in and redirected me back to the Rocket.Chat login endpoint with an auth token. At that point Rocket.Chat fails as it is configured to require 2FA but isn't redirecting the user to a screen where they can input the 2FA code that's been emailed to them (or showing the user a message to say the code has been sent).
I get the exact same error with Rocket.Chat 3.15.0 using a custom OAuth provider. Please let me know what information I can provide so we can get to the bottom of this, because it blocks all our users from being able to use Rocket.Chat.
Oh, I'm sorry, I don't have the exact same problem. I do get the screen to enter the code, but I do not get the email... I'll investigate a bit if it's maybe just our email settings that are wrong.
But the logs do show the same exception as in this issue's description.
I configured SMTP correctly. The test email worked, but I still didn't get any 2FA TOTP token emails for my user.
To circumvent the problem I disabled `Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In` (available in admin settings, under Accounts -> Two Factor Authentication) and now at least logging in with OIDC works. I think 2FA responsibility should lie with the OIDC provider rather than Rocket.Chat in our case, so I'm OK with that solution.
Hey, we are experiencing exactly the same problems as OP described. We're on v4.1.1 (Docker) and MongoDB 4.2.17 (wiredTiger).
I am also interested in helping investigate this, just tell me what should/must be tested.
@debdutdeb We are also experiencing this on the RC 4.3.3 Enterprise version.
The Email 2FA option has the issue as depicted by the video of the original poster of this issue. The user logs in via a custom OAuth provider and gets redirected back to the login screen normally after successfully doing so. At this point the user should be shown the Email 2FA dialog to type in the code from the email. (This email they do receive in our case as usual.)
The dialog is not shown and the only option for the user is to try to log in again, and the result is exactly what we see in the video.
The normal Two-Factor authentication via TOTP dialog works fine with a Custom OAuth provider. The Two-Factor authentication via Email dialog does not.
I can confirm that the problem also persists in RC 4.4.2. This seems to happen to SAML logins as well. I did some digging in a development environment and found out the following:
In https://github.com/RocketChat/Rocket.Chat/blob/a523503195f843f20ee6784039d250d9ad239dee/client/lib/2fa/process2faReturn.ts#L36 the client-side 2FA process is handled (a modal is opened to let the user enter the 2FA code). However, when that call comes from an OAuth or SAML login, `emailOrUsername` is undefined, and since `Meteor.user()` is also undefined before the login (which makes sense), the variable `props` looks something like this:

```
props = {
  'email',
  undefined
};
```

Thus the method `assertModalProp()` throws the above described error `Invalid Two Factor method`. A quick and dirty fix is to disable the call to `assertModalProp()`. I tested this in a dev environment and 2FA worked with OAuth after that. However, clicking on "Resend Mail" leads to an error. My guess is that there is a reason this method exists and we shouldn't just skip it.
I did check the OAuth login code for a way to provide `emailOrUsername`, but I'm not at all proficient in JS/TS and got lost somewhere in the rabbit hole of overwritten functions.
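To make the failure mode in the comment above concrete, here is an added, self-contained TypeScript model of the check. It is not Rocket.Chat's code: the function names, the `CurrentUser` and `TwoFactorChallenge` shapes, and the `emailOrUsername` field on the challenge payload are all assumptions. It shows why the email method passes for a password login (the form supplies the identifier) but fails for an OAuth or SAML login (no form value, no logged-in user yet), why TOTP over OAuth is unaffected, and one way to keep the assertion while still serving the OAuth path: let the server's 2FA challenge carry the identifier the modal needs instead of skipping the check.

```typescript
// Added illustration, not Rocket.Chat code. Models the 2FA modal-prop check
// described in the thread and a fallback for OAuth/SAML logins where both the
// login form value and the client-side current user are undefined.

type TwoFactorMethod = 'email' | 'totp';

// Hypothetical shape of the modal's props.
interface ModalProps {
  method: TwoFactorMethod;
  emailOrUsername?: string;
}

// Hypothetical shape of the client-side current user (null before login).
interface CurrentUser {
  username?: string;
}

// Assumed shape of the 2FA challenge the server returns when a login needs a
// second factor; `emailOrUsername` here is a hypothetical field.
interface TwoFactorChallenge {
  method: TwoFactorMethod;
  emailOrUsername?: string;
}

class InvalidTwoFactorMethodError extends Error {
  constructor() {
    super('Invalid Two Factor method');
    this.name = 'InvalidTwoFactorMethodError';
  }
}

// The check the thread describes: the email method can only be rendered when
// the modal knows whom the code was sent to (needed e.g. for "Resend Mail").
function assertModalProp(props: ModalProps): void {
  if (props.method === 'email' && !props.emailOrUsername) {
    throw new InvalidTwoFactorMethodError();
  }
}

// Current behaviour as described: the identifier comes from the login form or
// from the current user, neither of which exists on the OAuth/SAML path.
function buildModalPropsFromForm(
  method: TwoFactorMethod,
  formEmailOrUsername: string | undefined,
  currentUser: CurrentUser | null,
): ModalProps {
  return { method, emailOrUsername: formEmailOrUsername ?? currentUser?.username };
}

// Hardened variant: also accept the identifier carried in the server's 2FA
// challenge, so the OAuth/SAML path can populate the modal without
// disabling the assertion.
function buildModalPropsFromChallenge(
  challenge: TwoFactorChallenge,
  formEmailOrUsername: string | undefined,
  currentUser: CurrentUser | null,
): ModalProps {
  const emailOrUsername =
    formEmailOrUsername ?? currentUser?.username ?? challenge.emailOrUsername;
  return { method: challenge.method, emailOrUsername };
}

// True when the modal can be shown, false when assertModalProp would throw.
function canShowTwoFactorModal(props: ModalProps): boolean {
  try {
    assertModalProp(props);
    return true;
  } catch (err) {
    if (err instanceof InvalidTwoFactorMethodError) return false;
    throw err;
  }
}

// Walks through the scenarios from the thread with constructed sample values.
function demo(): Record<string, boolean> {
  const passwordLogin = buildModalPropsFromForm('email', 'alice@example.test', null);
  const oauthLoginToday = buildModalPropsFromForm('email', undefined, null);
  const oauthLoginFixed = buildModalPropsFromChallenge(
    { method: 'email', emailOrUsername: 'alice' }, undefined, null);
  const totpOverOauth = buildModalPropsFromForm('totp', undefined, null);
  return {
    passwordLogin: canShowTwoFactorModal(passwordLogin),
    oauthLoginToday: canShowTwoFactorModal(oauthLoginToday),
    oauthLoginFixed: canShowTwoFactorModal(oauthLoginFixed),
    totpOverOauth: canShowTwoFactorModal(totpOverOauth),
  };
}

console.log(demo());
```

The point of the model is that the assertion is doing useful work (the email modal genuinely needs an identifier), so the defensible change is to supply that identifier on the OAuth/SAML path rather than to remove the check.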
Description:
If both custom OAuth and 2FA (email) are enabled, a user logging in will go through the OAuth flow and be emailed an authentication code, but no input screen will be presented to use the 2FA code. They will not be able to log in.
Steps to reproduce:
Expected behavior:
User authenticates via OAuth and is then shown a 2FA screen to input the code they are emailed.
Actual behavior:
The user authenticates via OAuth, and the 2FA code is emailed to them, but no screen is presented to input the code.
Server Setup Information:
Client Setup Information
Relevant logs:
The following exception is generated in the Rocket.Chat logs:
Workarounds