cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License
538 stars, 180 forks

Support for yubikey or google titan? #135

Closed Colgaton closed 4 years ago

Colgaton commented 5 years ago

I have the google titan key setup for mfa and I'm getting the following error. Any plan to support it?

ERROR:root:No JSON object could be decoded
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 72, in cli
    process_auth(args, config)
  File "/usr/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 212, in process_auth
    google_client.do_login()
  File "/usr/lib/python2.7/site-packages/aws_google_auth/google.py", line 259, in do_login
    sess = self.handle_sk(sess)
  File "/usr/lib/python2.7/site-packages/aws_google_auth/google.py", line 364, in handle_sk
    challenges = json.loads(challenges_txt)
  File "/usr/lib/python2.7/json/__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

mfulleratlassian commented 5 years ago

I took some time to look at this today. It appears that at some point/in some setups the input form element (name="id-challenge") returns JSON, but it does not return JSON when using a YubiKey.

Redacted example:

<input jsname="wCVnAe" name="id-challenge" type="hidden" value="<redacted>qLBl7hmVSRt3KzgRMzKaqkwn68XK2tD5JFeqxVDA4jLIxIo4/3dtIL/yrzzcyhZspU19def7AN9crpReSk0Xk53JGrLqdq1Oq6iFd+gdem4WXM+qMwuC7XU5hzpE5bnzD5+WJg6uvSZY/v0SODOhpT16rkq2U20GaZIQnUqpX2K34UrUaAqssmXpMsMa/2NhtkJ0W1ITzhcCx3ebxh2tdCQkJF5BB0ifxFVHF2WL1Sa7Hl3zQdVR8sjFOxvfHm7M7DoaQ4B5dtlZpzTTZ6WEA96lGy/nD4FfzcUyj/Q1CrFtak2aL7HrHg4qSmEH/ReYtEuYOGExuZ03UgVAVaRAwDKBoKlNSn8t3ZWUlCf/sYk2zUSm6E518YpRvlp8MQSmFV43pxzUA7IH4o/RV9NN7f8Qi2d7hlkBzhBywrdet4jn+PLeT1JHh1VU="/>

This value base64 decodes to binary which does not represent anything obvious to me. Without an understanding of how to decode/translate this challenge, which I am unfamiliar with, it is impossible to create the needed data for the u2f function calls to sign the challenge.

Does anyone have any ideas?
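The failure in the traceback above is `json.loads()` being handed a value that is not JSON. As an added example (not code from the aws-google-auth project), the helper below extracts the hidden `id-challenge` input from a login page and classifies its value as a JSON challenge, an opaque base64 blob like the YubiKey case, or something else, so the caller can branch instead of crashing. The regex-based extraction and both sample pages are constructed for this example.

```python
import base64
import binascii
import json
import re
from html import unescape

# Matches the hidden id-challenge input; "\s" keeps jsname="..." from matching.
CHALLENGE_RE = re.compile(r'<input[^>]*\sname="id-challenge"[^>]*\svalue="([^"]*)"')

# Constructed sample pages (not captured from Google). The JSON form is
# HTML-entity escaped the way browsers see it; the binary form is a
# base64 blob standing in for the redacted YubiKey example above.
JSON_PAGE = ('<input jsname="x" name="id-challenge" type="hidden" '
             'value="[&quot;sk&quot;,{&quot;appId&quot;:&quot;https://example.test&quot;}]"/>')
BINARY_VALUE = base64.b64encode(bytes(range(16))).decode("ascii")
BINARY_PAGE = ('<input jsname="x" name="id-challenge" type="hidden" '
               'value="%s"/>' % BINARY_VALUE)


def extract_challenge(page_html):
    """Return the HTML-unescaped id-challenge value, or None if the input is absent."""
    match = CHALLENGE_RE.search(page_html)
    return unescape(match.group(1)) if match else None


def classify_challenge(value):
    """Classify an id-challenge value without letting json.loads() propagate.

    Returns ("json", obj) for a JSON list/dict challenge, ("binary", raw_bytes)
    for a strict base64 blob, or ("unknown", value) for anything else.
    """
    try:
        obj = json.loads(value)
        # A bare number is valid JSON but not a challenge structure; a blob made
        # only of digits would otherwise be misreported as JSON.
        if isinstance(obj, (list, dict)):
            return ("json", obj)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        pass
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:  # bad padding or non-base64 characters
        return ("unknown", value)
    return ("binary", raw)


def handle_page(page_html):
    """Combine extraction and classification; ("missing", None) if no input found."""
    value = extract_challenge(page_html)
    if value is None:
        return ("missing", None)
    return classify_challenge(value)
```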

zsiddique commented 5 years ago

I am seeing this same issue but using Pixel 2 as the u2f device. So it's not just exclusive to YubiKey.

mhumeSF commented 5 years ago

dupe https://github.com/cevoaustralia/aws-google-auth/issues/128

adcreare commented 5 years ago

So I've worked through what was going on here. Short story: there is a PR that works for me; keen for feedback to see if this works for others: https://github.com/cevoaustralia/aws-google-auth/pull/136. See https://github.com/cevoaustralia/aws-google-auth/issues/128 for the longer story.

mhenniges commented 5 years ago

Hi @stevemac007, sorry to be a squeaky wheel about this; the latest version of @adcreare's PR 136 (https://github.com/cevoaustralia/aws-google-auth/pull/136) seems to work for everybody now. Are you comfortable merging this in? I'm eager to roll this out to my users but need this fix in for them first. Thank you for everything!

ruimarinho commented 5 years ago

Working fine for me as well.

stevemac007 commented 4 years ago

Merged and released as part of v0.0.32.