neos-sdi / adfsmfa

MFA for ADFS 2022/2019/2016/2012r2
MIT License

Web enroll MFA does not validate phone number #268

Closed rahmanny closed 2 years ago

rahmanny commented 2 years ago

I am using a custom external provider to send SMS. The problem is that users can enter a phone number with an error (an extra digit or not enough) or in the wrong format (our SMS provider requires a format with +), and MFA does not check for this. For example, I enter 1234 and MFA tries to send an SMS to this number. I tried checking the phone number in the PostAuthenticationRequest method; I created a method that checks whether the number satisfies our requirements:

```csharp
public override int PostAuthenticationRequest(AuthenticationContext ctx)
{
    if (ctx.UIMode == ProviderPageMode.EnrollPhone &&
        PhoneNumberValidator.ValidatePhoneNumber(ctx.PhoneNumber) == false)
    {
        throw new Exception("Phone number format is invalid");
    }
    // ...
```

But in this case, MFA gives the default error. Is it possible to send an error message from the External Provider so that the user can see that he has entered it incorrectly?
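The kind of check the post describes, as an added example that is not part of the original issue or of the adfsmfa project: a hypothetical `PhoneNumberValidator` that accepts only E.164-formatted numbers (leading `+`, country code not starting with 0, 8 to 15 digits), so an entry such as `1234` is rejected before any SMS is sent. The rules and the sample numbers are assumptions chosen for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not adfsmfa code. Validates the number a user typed on the
// EnrollPhone page before the provider hands it to the SMS gateway.
public static class PhoneNumberValidator
{
    // E.164 shape: '+', first digit 1-9, then 7 to 14 more digits (max 15 digits).
    private static readonly Regex E164 =
        new Regex(@"^\+[1-9]\d{7,14}$", RegexOptions.Compiled);

    public static bool ValidatePhoneNumber(string number)
    {
        if (string.IsNullOrWhiteSpace(number))
            return false;

        // Tolerate common user formatting (spaces, dashes, dots, parentheses);
        // anything else that remains, including letters or a misplaced '+',
        // makes the E.164 match fail instead of being silently dropped.
        string normalized = Regex.Replace(number.Trim(), @"[\s\-\.\(\)]", "");
        return E164.IsMatch(normalized);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample inputs; the first is the one from the issue.
        string[] samples =
        {
            "1234", "+14155552671", "+1 (415) 555-2671",
            "0044123456789", "+0123456789", "+1415555267a"
        };
        foreach (string s in samples)
        {
            bool ok = PhoneNumberValidator.ValidatePhoneNumber(s);
            Console.WriteLine($"{s,-20} -> {(ok ? "valid" : "rejected")}");
        }
    }
}
```

A syntactically valid E.164 number is still not necessarily assigned or reachable; a full library such as LibPhoneNumber can apply per-country numbering rules on top of this shape check. Log the detailed rejection reason on the server side rather than showing it to the user, so the enrollment page does not leak why a given number was refused.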

redhook62 commented 2 years ago

Hi,

The validation is done: "Your account is not validated!". It's up to the user to enter their phone correctly. Why? Because it's too complex and too messy to do it with JavaScript (Hoo! the international phone...)

It's the LibPhoneNumber library that does the verification; refer to its documentation.

We will not make any changes in this direction;

moreover, we do not recommend relying on the phone, it is too insecure.

regards

rahmanny commented 2 years ago

Hi, I really understand why you didn't implement it. I have another question: when throwing an exception in my custom external provider, `throw new Exception("Phone number format is invalid")`, can this message be displayed in the MFA web form instead of the default "Your account is not validated"? Within my process, I can throw exceptions with a more informative message for each type of error.

redhook62 commented 2 years ago

Hi,

Yes, I understand that you want to do something "user friendly"; however, for confidentiality reasons and to avoid giving away information, we never display the details of errors.

So, to take into account your users' requests... (also not sure that they would understand the message you display...), in a future version we will add events for validation and error dispatch. Don't expect this development until next year.

regards