goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

DUO. Can't access when DUO user exists #5400

Open friki67 opened 1 year ago

friki67 commented 1 year ago

Describe your question/

Hello! I'm not sure if this is a bug or I've done something wrong. I'm just testing.

1) Authentik is working great without the 2FA for me. I have only two users, akadmin and myuser.
2) I set the DUO stage and activate it in the default flow, got the user ID from the DUO interface for myuser, set it, and try.
3) Authentik says "something went wrong". I've searched for it here and found that it could happen for existing users, but it is supposedly fixed.
4) Then I tried using akadmin, and it worked. Authentik communicated with DUO, showed me the QR code, and created a new user for my akadmin Authentik user.
5) Logout.
6) Tried to log in, but then I get the error message (now in my admin user too).

As I only have one application using Authentik (the plan is to have all of them), it is no problem to reset the Authentik configuration and begin again, but I would really like to make it work with DUO.

Logs

INF event=/static/dist/assets/fonts/RedHatText/RedHatText-Medium.woff2 host=authentik.mydomain.com logger=authentik.router method=GET remote=<deleted-ip> runtime=1.240 scheme=http size=29049 status=200 timestamp=2023-04-27T07:03:08Z user_agent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
INF auth_via=unauthenticated event=/api/v3/flows/executor/default-authentication-flow/?query=next%3D%252F host=authentik.mydomain.com logger=authentik.asgi method=POST pid=28 remote=<deleted-ip> request_id=8d5a189af643418ea950c792603e3b7f runtime=160 scheme=https status=302 timestamp=2023-04-27T07:03:15.991593 user= user_agent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
INF auth_via=unauthenticated event=/api/v3/flows/executor/default-authentication-flow/?query=next%3D%252F host=authentik.mydomain.com logger=authentik.asgi method=GET pid=28 remote=<deleted-ip> request_id=10b468f7efda43c18312ffc9a811e3a5 runtime=75 scheme=https status=200 timestamp=2023-04-27T07:03:16.108734 user= user_agent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
INF auth_via=unauthenticated backend=authentik.core.auth.InbuiltBackend event=Successful authentication host=authentik.mydomain.com logger=authentik.stages.password.stage pid=28 request_id=b26ca88cd8614896a4a27b54be480800 timestamp=2023-04-27T07:03:17.893174 user=akadmin
INF auth_via=unauthenticated event=/api/v3/flows/executor/default-authentication-flow/?query=next%3D%252F host=authentik.mydomain.com logger=authentik.asgi method=POST pid=28 remote=<deleted-ip> request_id=b26ca88cd8614896a4a27b54be480800 runtime=415 scheme=https status=302 timestamp=2023-04-27T07:03:17.899763 user= user_agent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
INF action=configuration_error auth_via=unauthenticated client_ip=<deleted-ip> context={"geo":{"city":"Madrid","continent":"EU","country":"ES","lat":42.0000,"long":-4.0000},"http_request":{"args":{"query":"next=%2F"},"method":"GET","path":"/api/v3/flows/executor/default-authentication-flow/"},"message":"Failed to enroll user: Received 400 Invalid request parameters (username already exists)","user":{"email":"myemail@email.com","pk":1,"username":"akadmin"}} event=Created Event host=authentik.mydomain.com logger=authentik.events.models pid=28 request_id=65b9f2a8433842878c38a810ffe98382 timestamp=2023-04-27T07:03:18.306291 user={"email":"myemail@email.com","pk":1,"username":"akadmin"}
INF auth_via=unauthenticated event=Task published host=authentik.mydomain.com logger=authentik.root.celery pid=28 request_id=65b9f2a8433842878c38a810ffe98382 task_id=8e1a5133-eb2b-4cd6-9eba-060ecf8492ac task_name=authentik.events.tasks.event_notification_handler timestamp=2023-04-27T07:03:18.341357
warning auth_via=unauthenticated event=InvalidStageError('Received 400 Invalid request parameters (username already exists)') flow_slug=default-authentication-flow host=authentik.mydomain.com logger=authentik.flows.views.executor pid=28 request_id=65b9f2a8433842878c38a810ffe98382 timestamp=2023-04-27T07:03:18.361035
INF action=system_exception auth_via=unauthenticated client_ip=<deleted-ip> context={"geo":{"city":"Madrid","continent":"EU","country":"ES","lat":42.0000,"long":-4.0000},"http_request":{"args":{"query":"next=%2F"},"method":"GET","path":"/api/v3/flows/executor/default-authentication-flow/"},"message":"Traceback (most recent call last):\n  File \"/authentik/flows/views/executor.py\", line 296, in get\n    stage_response = self.current_stage_view.get(request, *args, **kwargs)\n                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/authentik/flows/stage.py\", line 93, in get\n    challenge = self._get_challenge(*args, **kwargs)\n                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/authentik/flows/stage.py\", line 163, in _get_challenge\n    challenge = self.get_challenge(*args, **kwargs)\n                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/authentik/stages/authenticator_duo/stage.py\", line 59, in get_challenge\n    self.duo_enroll()\n  File \"/authentik/stages/authenticator_duo/stage.py\", line 52, in duo_enroll\n    raise InvalidStageError(str(exc)) from exc\nauthentik.flows.views.executor.InvalidStageError: Received 400 Invalid request parameters (username already exists)"} event=Created Event host=authentik.mydomain.com logger=authentik.events.models pid=28 request_id=65b9f2a8433842878c38a810ffe98382 timestamp=2023-04-27T07:03:18.366888 user={"email":"","pk":2,"username":"AnonymousUser"}
INF auth_via=unauthenticated event=Task published host=authentik.mydomain.com logger=authentik.root.celery pid=28 request_id=65b9f2a8433842878c38a810ffe98382 task_id=3dbd2399-60fc-4235-a95e-deb668b2810b task_name=authentik.events.tasks.event_notification_handler timestamp=2023-04-27T07:03:18.371617
INF auth_via=unauthenticated event=/api/v3/flows/executor/default-authentication-flow/?query=next%3D%252F host=authentik.mydomain.com logger=authentik.asgi method=GET pid=28 remote=<deleted-ip> request_id=65b9f2a8433842878c38a810ffe98382 runtime=431 scheme=https status=200 timestamp=2023-04-27T07:03:18.379706 user= user_agent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
INF auth_via=unau 

Version and Deployment (please complete the following information):

Is there something I can do to set off the DUO part in the authentik server config files? Or maybe I did something wrong, so I have this error when setting up the DUO integration... This could be related to Unable to activate Duo for existing (Duo) Users #1371

BeryJu commented 1 year ago

The Duo stage itself is only used to set up authenticator devices. The stage you want to add to flows to validate MFA is the Authenticator Validation stage, and in that stage configure the Duo device class to be allowed.

friki67 commented 1 year ago

Hello and thank you for your response.

I've begun again from scratch. I don't really understand. Is there some guide/tutorial to do it?

If I use MFA, then in "not configured action" I have to set "force the user to configure..."?

Then, what to choose? "Setup TOTP..." works, but where is it configured to use my DUO account and not any other?

Could you help me to understand what to do to associate my DUO accounts/devices and use 2FA?

friki67 commented 1 year ago

Ok, now I understand that the DUO setup stage is only to assign a DUO user to an Authentik user. Then you "activate" the MFA stage and you have it done. Regards
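
The flow layout BeryJu describes and friki67 summarizes, written out as an authentik blueprint. This is an added example, not from the issue or the authentik project: the Duo setup stage is never bound into the login flow directly; it is attached only as the configuration stage of an Authenticator Validation stage, and that validation stage is what the flow binds after the password stage. The stage and flow names, the Duo credential placeholders and the binding order values are assumptions; the model names, attribute names and the `!KeyOf`/`!Find` tags follow the authentik blueprint and API schema as I know it for the 2023 releases and should be checked against the schema of the version in use. The `!Find` references to `default-authentication-identification`, `default-authentication-password` and `default-authentication-login` assume the stock default stages are present.

```yaml
version: 1
metadata:
  name: example-duo-mfa-flow   # constructed name for this example
entries:
  # Duo setup (enrollment) stage. This is the stage that talks to the Duo
  # Auth API and enrolls the user; it is only reached when the validation
  # stage below finds no Duo device for the logged-in user.
  - model: authentik_stages_authenticator_duo.authenticatorduostage
    id: duo-setup
    identifiers:
      name: example-duo-setup            # assumed name
    attrs:
      api_hostname: api-XXXXXXXX.duosecurity.com   # placeholder from the Duo admin panel
      client_id: "<DUO_AUTH_API_INTEGRATION_KEY>"  # placeholder, keep out of version control
      client_secret: "<DUO_AUTH_API_SECRET_KEY>"   # placeholder, keep out of version control

  # Authenticator validation stage. This is the stage that actually enforces
  # MFA at login: only the listed device classes satisfy it, and users who
  # have no matching device are sent to the configuration stage(s).
  - model: authentik_stages_authenticator_validate.authenticatorvalidatestage
    id: mfa-validation
    identifiers:
      name: example-mfa-validation       # assumed name
    attrs:
      device_classes:
        - duo                            # only a Duo device passes this stage
      not_configured_action: configure   # "force the user to configure" in the UI
      configuration_stages:
        - !KeyOf duo-setup               # the Duo setup stage defined above

  # A separate authentication flow, so the default flow stays untouched
  # while testing; switch the brand/tenant to it once it works.
  - model: authentik_flows.flow
    id: flow
    identifiers:
      slug: example-authentication-flow  # assumed slug
    attrs:
      name: Example authentication flow
      title: Welcome to authentik
      designation: authentication

  # Bindings; "order" fixes the sequence:
  # identification -> password -> MFA validation -> login.
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf flow
      stage: !Find [authentik_stages_identification.identificationstage, [name, default-authentication-identification]]
      order: 10
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf flow
      stage: !Find [authentik_stages_password.passwordstage, [name, default-authentication-password]]
      order: 20
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf flow
      stage: !KeyOf mfa-validation       # the validation stage, not the Duo setup stage
      order: 30
  - model: authentik_flows.flowstagebinding
    identifiers:
      target: !KeyOf flow
      stage: !Find [authentik_stages_user_login.userloginstage, [name, default-authentication-login]]
      order: 40
```

With this layout a user who already has a Duo device linked in authentik is prompted by Duo at step 30 and never touches the enrollment stage, so the `Received 400 Invalid request parameters (username already exists)` error from the logs above, which comes from the enrollment call, is only possible for users that still have no Duo device in authentik. Binding the Duo setup stage itself into the login flow, as the opening post did, runs the enrollment call on every login, which is exactly the case where an existing Duo username makes the flow fail.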