okta / okta-auth-js

The official js wrapper around Okta's auth API

Unlock account with voice disabled skips authenticator-verification-data step #1468

Open JeremyGuinn opened 12 months ago

JeremyGuinn commented 12 months ago

Describe the bug

Starting the unlock account flow with an Okta environment set up to only use text message for recovery automatically selects SMS and skips the authenticator-verification-data step.

I'm calling the flow as follows:

await okta.idx.unlockAccount({
  username: "my_user",
  authenticator: "phone_number",
});

This successfully starts the flow, and the user is immediately sent the text message. The forgot password flow works correctly, and takes the user to the authenticator-verification-data step.

Looking at the requests, the SDK is automatically adding methodType: 'SMS' to the request, which is causing the API to skip the step. When I test the api directly with the payload only including the identifier and authenticator, it correctly takes me to the authenticator-verification-data step.

Payload results in transition to authenticator-verification-data

{
    "identifier": "user@example.com",
    "authenticator": {
        "id": "{phone_authenticator_id}"
    },
    "stateHandle": "some_long_state_handle"
}

Payload results in transition to challenge-authenticator, and the text was sent without confirmation

{
    "identifier": "user@example.com",
    "authenticator": {
        "id": "{phone_authenticator_id}"
        "methodType": "sms"
    },
    "stateHandle": "some_long_state_handle"
}

Reproduction Steps?

1) Configure okta policy to disable voice call for recovery and authentication
2) Call idx.unlockAccount
3) Call idx.proceed with the username and authenticator as phone_number

SDK Versions

System:
  OS: Windows 10 10.0.19044
  CPU: (12) x64 Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz
  Memory: 5.66 GB / 31.79 GB
Binaries:
  Node: 18.12.1 - C:\Program Files\nodejs\node.EXE
  Yarn: 1.22.19 - C:\Program Files\nodejs\yarn.CMD
  npm: 8.19.2 - C:\Program Files\nodejs\npm.CMD
Browsers:
  Edge: Spartan (44.19041.3570.0), Chromium (118.0.2088.57)
npmPackages:
  @okta/okta-angular: ^6.2.0 => 6.2.0
  @okta/okta-auth-js: ^7.4.2 => 7.4.2

Additional Information?

It looks like the issue is caused here: SelectAuthenticatorUnlockAccount.ts#L44-L52

denysoblohin-okta commented 11 months ago

Thanks for reporting this issue. Internal ref: OKTA-664665

ultrma commented 3 months ago

Hi @denysoblohin-okta , is there any update on this issue?

denysoblohin-okta commented 3 months ago

As a workaround you can use low-level API methods like

await authClient.idx.start({
  flow: 'unlockAccount',
});

await authClient.idx.proceed({
  identifier: "user@example.com",
  authenticator: {
    id: "{phone_authenticator_id}"
  },
  step: "select-authenticator-unlock-account",
});

await authClient.idx.proceed({
  authenticator: {
    id: "{phone_authenticator_id}",
    methodType: "sms"
  },
  step: "authenticator-verification-data",
});

instead of using unlockAccount.
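To make the transition described in this thread concrete, here is an added offline model (not okta-auth-js code and not from the maintainers) of the two payloads above and of how the server is reported to react to them. The remediation logic in nextRemediation is an assumption that mirrors the behaviour described in the issue; the step names and payload shapes are the ones quoted in the thread, and ensureUserConfirmedMethod is a hypothetical client-side guard.

```javascript
// Constructed model of the IDX unlock-account remediation steps named in this issue.
const STEP_SELECT = "select-authenticator-unlock-account";
const STEP_VERIFICATION_DATA = "authenticator-verification-data";
const STEP_CHALLENGE = "challenge-authenticator";

// Build the select-authenticator payload. methodType is attached only when the
// caller explicitly supplies one; it is never defaulted to "sms" (the SDK
// behaviour this issue reports).
function buildSelectAuthenticatorPayload({ identifier, authenticatorId, methodType, stateHandle }) {
  const authenticator = { id: authenticatorId };
  if (methodType !== undefined) {
    authenticator.methodType = methodType;
  }
  return { identifier, authenticator, stateHandle };
}

// Assumed server reaction (mirrors the thread, not real Okta code): with
// methodType present the method is treated as already chosen, the code is sent
// and the flow jumps to challenge-authenticator; without it the user must first
// confirm the delivery method in authenticator-verification-data.
function nextRemediation(step, payload) {
  if (step !== STEP_SELECT) throw new Error(`unexpected step: ${step}`);
  if (!payload.identifier || !payload.authenticator || !payload.authenticator.id) {
    throw new Error("identifier and authenticator.id are required");
  }
  return payload.authenticator.methodType
    ? { step: STEP_CHALLENGE, codeSent: true }
    : { step: STEP_VERIFICATION_DATA, codeSent: false };
}

// Hypothetical client guard: refuse to send a payload carrying a methodType the
// user never picked, so the confirmation step cannot be skipped implicitly.
function ensureUserConfirmedMethod(payload, userChosenMethod) {
  const sent = payload.authenticator.methodType;
  if (sent !== undefined && sent !== userChosenMethod) {
    throw new Error(`methodType "${sent}" was not chosen by the user`);
  }
  return true;
}
```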

ultrma commented 3 months ago

@denysoblohin-okta , I tried the way you suggested. It still redirects me to the code verification page directly. If I remove the "methodType: 'sms'" in the second idx.proceed call, it prompts the "Send Code" page, but when I click the "Send Code" button through my UI, I don't receive any code back for some reason. Any idea?

denysoblohin-okta commented 3 months ago

but when I click "Send Code" button through my UI, I don't receive any code back for some reason.

You mean you don't receive the SMS on your phone? Have you tried different accounts with different phone numbers? (to make sure it's not a problem with a specific phone number)

ultrma commented 3 months ago

@denysoblohin-okta , yes. And you are right. Something is wrong with my account. We tried another one and it worked well. We can present the "send code" page now.

Thanks for your help. I really appreciate it.