cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License
537 stars 179 forks

User unable to login #186

Open priyendra opened 4 years ago

priyendra commented 4 years ago

We have been using this awesome tool quite successfully over the past few months and have run into an unexpected problem. A user that we recently added to our G Suite account is not able to log into AWS using this method.

Here's the log for a successful attempt:

INFO:root:aws_google_auth: SAML cache not found
Google username: <REDACTED>
DEBUG:root:aws_google_auth: username is: <REDACTED>
Google Password:
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): accounts.google.com:443
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /o/saml2/initsso?idpid=C047rowan&spid=864219566680&forceauthn=false HTTP/1.1" 302 0
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/saml2/initsso?idpid%3DC047rowan%26spid%3D864219566680%26forceauthn%3Dfalse%26from_login%3D1%26as%3DjudQdS6vhIlXrlhmES5_wg&followup=https://accounts.google.com/o/saml2/initsso?idpid%3DC047rowan%26spid%3D864219566680%26forceauthn%3Dfalse%26from_login%3D1%26as%3DjudQdS6vhIlXrlhmES5_wg&ltmpl=popup&oauth=1&faa=1&sarp=1&scc=1 HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /signin/v1/lookup HTTP/1.1" 302 568
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /signin/challenge/pwd/1?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Fsaml2%2Finitsso%3Fidpid%3DC047rowan%26spid%3D864219566680%26forceauthn%3Dfalse%26from_login%3D1%26as%3DjudQdS6vhIlXrlhmES5_wg&sarp=1&scc=1&checkedDomains=youtube&pstMsg=0&oauth=1&ltmpl=popup&TL=AM3QAYbjwvnAxdxNZ3lU30FbmuPKLNfRafyq9m8ZTN71Xg3Rg2msxV0u-YHDJDu6 HTTP/1.1" 200 None
...
...

Here's the log for an unsuccessful attempt (for the user that is unable to login)

INFO:root:aws_google_auth: SAML cache not found
Google username: <REDACTED>
DEBUG:root:aws_google_auth: username is: <REDACTED>
Google Password:
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): accounts.google.com:443
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /o/saml2/initsso?idpid=C047rowan&spid=864219566680&forceauthn=false HTTP/1.1" 302 0
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/saml2/initsso?idpid%3DC047rowan%26spid%3D864219566680%26forceauthn%3Dfalse%26from_login%3D1%26as%3DxZZiIrXvqJTmu324Qj3SOw&followup=https://accounts.google.com/o/saml2/initsso?idpid%3DC047rowan%26spid%3D864219566680%26forceauthn%3Dfalse%26from_login%3D1%26as%3DxZZiIrXvqJTmu324Qj3SOw&ltmpl=popup&oauth=1&faa=1&sarp=1&scc=1 HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /signin/v1/lookup HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /signin/v1/lookup HTTP/1.1" 200 None
Invalid username or password

The first difference in the logs seems to be in the response to the POST /signin/v1/lookup HTTP/1.1 where the successful case returns a 302 whereas the unsuccessful one returns a 200.

As far as I am aware, the only difference between the two cases is that for the successful one, two-factor is enabled, whereas for the unsuccessful one, two-factor is disabled.

Any ideas how to further debug this problem?
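The comparison done by eye above (walk both urllib3 debug logs in parallel and find the first request whose response differs) can be automated. The script below is an added example written for this thread; it is not part of aws-google-auth and was not posted by anyone in the issue. It assumes urllib3's connectionpool debug line format as shown in the logs above; the embedded sample logs are trimmed copies of the two runs posted above with query-string identifiers replaced by REDACTED.

```python
import re
from typing import List, Optional, Tuple

# Matches urllib3 connectionpool debug lines such as:
#   DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /signin/v1/lookup HTTP/1.1" 302 568
# The stray space some extractions put before the closing quote is tolerated (\s*).
URLLIB3_RE = re.compile(
    r'^DEBUG:urllib3\.connectionpool:(?P<host>https?://[^ ]+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]\s*" (?P<status>\d{3})'
)

Step = Tuple[str, str, int]  # (method, path without query string, HTTP status)

# Constructed sample input: trimmed copies of the two runs from this thread.
GOOD_LOG = """
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): accounts.google.com:443
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /o/saml2/initsso?idpid=REDACTED&spid=REDACTED&forceauthn=false HTTP/1.1" 302 0
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /ServiceLogin?passive=1209600&ltmpl=popup HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /signin/v1/lookup HTTP/1.1" 302 568
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /signin/challenge/pwd/1?continue=REDACTED HTTP/1.1" 200 None
"""

BAD_LOG = """
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): accounts.google.com:443
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /o/saml2/initsso?idpid=REDACTED&spid=REDACTED&forceauthn=false HTTP/1.1" 302 0
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /ServiceLogin?passive=1209600&ltmpl=popup HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /signin/v1/lookup HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /signin/v1/lookup HTTP/1.1" 200 None
Invalid username or password
"""


def parse_exchanges(log: str) -> List[Step]:
    """Extract (method, path, status) for every urllib3 request line, in order.

    The query string is dropped so that per-session tokens (the `as=` and `TL=`
    parameters in the real logs) do not make every run look different.
    """
    steps: List[Step] = []
    for line in log.splitlines():
        m = URLLIB3_RE.match(line.strip())
        if m:
            path = m.group("path").split("?", 1)[0]
            steps.append((m.group("method"), path, int(m.group("status"))))
    return steps


def first_divergence(good: List[Step], bad: List[Step]) -> Optional[Tuple[int, Optional[Step], Optional[Step]]]:
    """Return (index, good_step, bad_step) for the first step that differs, or None.

    If one run is a strict prefix of the other, the missing step is reported as None.
    """
    for i, (g, b) in enumerate(zip(good, bad)):
        if g != b:
            return i, g, b
    if len(good) != len(bad):
        i = min(len(good), len(bad))
        return i, (good[i] if i < len(good) else None), (bad[i] if i < len(bad) else None)
    return None


def diagnose(good_log: str, bad_log: str) -> str:
    """Summarise where a failing login run departs from a known-good one."""
    good, bad = parse_exchanges(good_log), parse_exchanges(bad_log)
    d = first_divergence(good, bad)
    if d is None:
        return "no divergence in the request/response sequence"
    i, g, b = d
    if g and b and g[:2] == b[:2]:
        # Same request, different status: the server chose a different branch.
        return (
            f"step {i}: {g[0]} {g[1]} answered {g[2]} in the working run but {b[2]} in the failing run; "
            "same request, different response. Dump the response body: a 200 where a 302 is expected "
            "means the server rendered a page (a challenge, captcha or error) instead of redirecting."
        )
    return f"step {i}: the flow branched; working run did {g}, failing run did {b}"


if __name__ == "__main__":
    print(diagnose(GOOD_LOG, BAD_LOG))
```

Run it with the full logs of a working and a failing attempt (for example captured with `aws-google-auth -d`, as in the output above) pasted into GOOD_LOG and BAD_LOG. On the two runs in this thread it points at the third request, POST /signin/v1/lookup, which is exactly the divergence noted above; the next thing to capture is the body of that 200 response, since the stable 302-vs-200 difference is what separates "wrong password" from "Google served a page the client does not understand".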

priyendra commented 4 years ago

For what it's worth, both users are able to log in to the AWS Web Console via the browser (using the same Google/AWS SAML integration). So the problem seems to be in the CLI workflow.

Rukaan commented 4 years ago

Hi, I tried this one and it works now; it might be the same root cause.

https://github.com/cevoaustralia/aws-google-auth/issues/179#issuecomment-616475122

stevemac007 commented 4 years ago

Latest build 0.0.36 has the fix for the captcha changes Google made. Please let us know if this resolves your issue.