fedora-infra / noggin

Self-service user portal for open-source communities to use over FreeIPA.
MIT License

Unable to change reset password on noggin with otp enabled #1428

Open rrotondo opened 2 months ago

rrotondo commented 2 months ago

Hi, I have a server with noggin attached to a FreeIPA server. I reset the password for a user who has OTP enabled. He can successfully log in, but when he is forced to change the password he can't. I tried it myself. If I put the temporary password in the "current password" field, I get the error:

[Mon Jul 08 15:34:02.670812 2024] [wsgi:error] [pid 16867:tid 16875] [remote HIDDEN:36792] ipa: INFO: WSGI change_password.__call__:
[Mon Jul 08 15:34:02.672335 2024] [wsgi:error] [pid 16867:tid 16875] [remote HIDDEN:36792] ipa: INFO: WSGI change_password: start password change of user 'rotondo'
[Mon Jul 08 15:34:02.678140 2024] [wsgi:error] [pid 16867:tid 16875] [remote HIDDEN:36792] ipa: INFO: 200 Success: The old password or username is not correct. 

I made a second attempt, filling it in with "temporary password+OTP token". In this case the log is slightly different, but the result is the same:

INFO: WSGI change_password.__call__:
[Mon Jul 08 15:34:54.387324 2024] [wsgi:error] [pid 16866:tid 16874] [remote HIDDEN:41326] ipa: INFO: WSGI change_password: start password change of user 'rotondo'
[Mon Jul 08 15:34:54.441850 2024] [wsgi:error] [pid 16866:tid 16874] [remote HIDDEN:41326] ipa: ERROR: change_password: cannot change password of 'rotondo': Insufficient access:  Invalid credentials
[Mon Jul 08 15:34:54.442326 2024] [wsgi:error] [pid 16866:tid 16874] [remote HIDDEN:41326] ipa: INFO: 200 Success: Could not change the password

The only way to make the password reset work is to force, from the admin interface, the use of the simple "Password" method rather than "Two factor authentication (password + OTP)".

On the other hand, I tried to change the password from the user interface. In that case there is a form for the OTP and there is no problem changing the password. So my question is:

Could you fix the interface for the password reset and make it possible to specify the OTP token even when the password has expired?

Thank you in advance.

Riccardo
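
Added example, not part of the original report and not noggin or FreeIPA code: a small correlator for the `ipa:` WSGI log lines quoted above. It pairs each "start password change" line with its outcome by worker (pid, tid), which matters because both failures are logged as "200 Success" and only the message text distinguishes them. The line layout is assumed from the excerpts in this report; the function and field names are hypothetical.

```python
import re

# Lines copied from the report above (remote address already redacted as HIDDEN).
SAMPLE_LOG = """\
[Mon Jul 08 15:34:02.672335 2024] [wsgi:error] [pid 16867:tid 16875] [remote HIDDEN:36792] ipa: INFO: WSGI change_password: start password change of user 'rotondo'
[Mon Jul 08 15:34:02.678140 2024] [wsgi:error] [pid 16867:tid 16875] [remote HIDDEN:36792] ipa: INFO: 200 Success: The old password or username is not correct.
[Mon Jul 08 15:34:54.387324 2024] [wsgi:error] [pid 16866:tid 16874] [remote HIDDEN:41326] ipa: INFO: WSGI change_password: start password change of user 'rotondo'
[Mon Jul 08 15:34:54.441850 2024] [wsgi:error] [pid 16866:tid 16874] [remote HIDDEN:41326] ipa: ERROR: change_password: cannot change password of 'rotondo': Insufficient access:  Invalid credentials
[Mon Jul 08 15:34:54.442326 2024] [wsgi:error] [pid 16866:tid 16874] [remote HIDDEN:41326] ipa: INFO: 200 Success: Could not change the password
"""

# Assumed layout: [timestamp] [wsgi:error] [pid N:tid N] [remote host:port] ipa: LEVEL: message
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"\[remote (?P<remote>[^\]]+)\] ipa: (?P<level>[A-Z]+): (?P<msg>.*)$")
START = re.compile(r"start password change of user '(?P<user>[^']+)'")
ERROR = re.compile(r"cannot change password of '[^']+': (?P<reason>.+)$")
RESULT = re.compile(r"^200 Success: (?P<text>.+?)\s*$")


def change_attempts(log_text):
    """Return one record per password-change attempt, in completion order."""
    open_attempts, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ipa WSGI line, or a truncated one
        key, msg = (m["pid"], m["tid"]), m["msg"]
        if s := START.search(msg):
            open_attempts[key] = {"ts": m["ts"], "user": s["user"],
                                  "remote": m["remote"],
                                  "detail": None, "result": None}
        elif key in open_attempts:
            if e := ERROR.search(msg):
                # Server-side reason, only present on the ERROR line.
                open_attempts[key]["detail"] = " ".join(e["reason"].split())
            elif r := RESULT.match(msg):
                # The result line closes the attempt for this worker.
                attempt = open_attempts.pop(key)
                attempt["result"] = r["text"]
                done.append(attempt)
    return done


if __name__ == "__main__":
    for a in change_attempts(SAMPLE_LOG):
        print(a["ts"], a["user"], a["remote"], "|", a["result"], "|", a["detail"])
```
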

github-actions[bot] commented 1 week ago

This issue is stale because it has been open for 60 days with no activity.