spring-projects / spring-security-samples


Multi factor authentication always redirect to /login even when using correct code for /second-factor #148

Closed alishir closed 9 months ago

alishir commented 1 year ago

I just launched the multi-factor example, logged in with user@example.com and password, generated the TOTP code with the oathtool --totp "80ed266dd80bcd32564f0f4aaa8d9b149a2b1eaa" command and entered the code, but I was redirected to /login.

The problem exists in the Chrome browser; with Firefox it works fine.

sugarjig commented 9 months ago

I'm seeing the same. In Chrome, I get redirected to /login after entering the correct TOTP code. In Firefox, I make it to the /third-factor page. (Aside: I get redirected to /error?continue after entering smith.)

I don't know if it's related, but I notice in both browsers that /favicon.ico is redirected to /login. This was previously called out in #63. This is despite the fact that this line is present in the code:

.requestMatchers("/favicon.ico").permitAll()

I also notice that sending a POST to /login results in a response with a different JSESSIONID value in the cookie than what was previously obtained from the initial request. Is that how Spring Security is supposed to work?

sugarjig commented 9 months ago

In case it helps anyone in the future, I was able to solve the error after the /third-factor page. I came across this issue: https://github.com/spring-projects/spring-security/issues/12635#issuecomment-1468046651, which led me to add

.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()

inside authorizeHttpRequests.
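Putting the pieces of this thread together, as an added example that is not code from the spring-security-samples project or from any commenter: a Spring Security 6.1-style filter chain that applies the two permitAll rules quoted above. The class name is an assumption; the /favicon.ico matcher and the DispatcherType.ERROR matcher are the ones from the comments. The session-management line makes Spring Security's default session-fixation protection explicit, which is what replaces the JSESSIONID after a successful POST to /login.

```java
// Added example, not the sample project's own configuration. Class name is assumed.
import jakarta.servlet.DispatcherType;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ErrorDispatchSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // authorizeHttpRequests authorizes every dispatcher type, not only
                // REQUEST. A 404 (for example for /favicon.ico) or an exception makes
                // the container forward to the error page with an ERROR dispatch; if
                // that dispatch is not permitted, the unauthenticated request is
                // denied and the entry point answers with a 302 to /login instead of
                // the error page. Permitting the ERROR dispatch removes that redirect.
                .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                .requestMatchers("/favicon.ico").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults())
            // Explicit form of the default: on authentication the session ID is
            // changed, so the JSESSIONID cookie returned by the POST to /login
            // differs from the one issued on the first request. This is the
            // intended session-fixation protection, not a bug.
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.changeSessionId())
            );
        return http.build();
    }
}
```

With this configuration a request for a missing resource such as /favicon.ico returns the container's 404 error page rather than a 302 to /login, and an application exception on a later step reaches /error instead of bouncing the user back to the login form.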

sugarjig commented 9 months ago

This also appears to have fixed the issue with favicon.ico. I'm getting a 404 instead of a 302.

sugarjig commented 9 months ago

And it fixed the issue in Chrome!

sugarjig commented 9 months ago

I have created a branch in my fork of the repo. TBH I don't know Spring Security well enough to know if this is an acceptable solution. Is this worthy of a PR?

marcusdacoregio commented 9 months ago

Thanks everyone, this has been fixed via https://github.com/spring-projects/spring-security-samples/commit/345bd64cf7e019d3b9ea3c799c6af70b38924c58 and merged into 6.1.x, 6.2.x and main.

sugarjig commented 9 months ago

@marcusdacoregio Thanks. It looks like your fix helped with the second factor, but now the third factor is redirecting to the error page.

marcusdacoregio commented 9 months ago

@sugarjig, sorry for the trouble. I'll try to take a look at it next week.

marcusdacoregio commented 9 months ago

@sugarjig how did you reproduce it? I couldn't get the same result on my side; when I provided incorrect information it redirected me to /login as expected.

sugarjig commented 9 months ago

@marcusdacoregio I just tried it again in Chrome. The first time failed, but then a second and third try succeeded. Each try was in a fresh incognito window. Not quite sure what's going on, but it's likely on my end!