ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License

OTP NotBefore should use UTC time #124

Closed fajo-de closed 1 month ago

fajo-de commented 1 year ago

When a user adds an OTP token, the application will set NotBefore on the token. If the server running MoKey 6.3 has a time zone other than UTC configured it will cause the wrong start date/time to be set in IPA.

This most probably is caused by MoKey using time.Now() instead of time.Now().UTC() when setting the start time.

fajo-de commented 1 year ago

As a workaround simply add the below to the service config /etc/default/mokey:

TZ=UTC

aebruno commented 1 month ago

I'm unable to reproduce this. When mokey adds an OTP token the date time is set correctly in freeipa. The resulting token will look like this:

  Unique ID: xxxx
  Type: TOTP
  Description: mytoken
  Owner: username
  Validity start: 20241023153503Z

It does not appear freeipa supports timezones in the validity start (not before) dates. For example:

$ ipa otptoken-add --not-before='2024-10-23T19:43:08-04:00'
ipa: ERROR: invalid 'not_before': does not match any of accepted formats: %Y%m%d%H%M%SZ, %Y-%m-%dT%H:%M:%SZ, %Y-%m-%dT%H:%MZ, %Y-%m-%dZ, %Y-%m-%d %H:%M:%SZ, %Y-%m-%d %H:%MZ

Mokey and freeipa will use the timezone of the system, so just ensure both freeipa servers and mokey server are set to the same timezone. Mokey uses time.Now() which returns the current local time. Closing this out but feel free to re-open if I'm missing something here. Thanks!

fajo-de commented 1 month ago

Hi, both Mokey and IPA servers are configured to use CE(S)T and the issue was reproducible. What TZ were your servers running under when you tried to reproduce this issue?

aebruno commented 1 month ago

Tested with EDT. But not sure this matters as the timezone is not stored in freeipa.

artem-sidorenko commented 1 week ago

@aebruno I can still reproduce this issue with the latest freeipa on almalinux 9 with CET +0100 and mokey 0.6.4.

If I take a look at otp.go, the validation is also done with UTC.

I can't find anything regarding the timezone used in freeipa in the schemes/docs, however if I set the OTP via mokey I can't log in via freeipa and see a time difference of minus one hour. If I set the OTP via FreeIPA and try to set the ipatokennotbefore via WebUI, I see the UTC format in the web form (everything is CET +1, my web browser too)

(Screenshot, 2024-11-18 14:46:13: FreeIPA WebUI form for ipatokennotbefore)

As TOTP uses UTC I guess there is a high possibility that ipa is using UTC for before/after fields too
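To illustrate the skew described in the opening report and the `%Y%m%d%H%M%SZ` format quoted in the `ipa otptoken-add` error above, the following added Go example (not mokey's or FreeIPA's own code) formats a not-before timestamp both the naive way and via UTC, and measures the resulting offset for a constructed CET (+0100) server clock; the function names are my own.

```go
package main

import (
	"fmt"
	"time"
)

// ipaGeneralizedTime is the Go layout for FreeIPA's "%Y%m%d%H%M%SZ" form,
// the first of the accepted not_before formats quoted in the thread.
// The trailing Z is a literal: FreeIPA accepts no zone offset, so the
// value is implicitly UTC.
const ipaGeneralizedTime = "20060102150405Z"

// NotBeforeNaive formats t as the bug report describes: the local wall
// clock is written out, but the trailing 'Z' claims it is UTC.
func NotBeforeNaive(t time.Time) string {
	return t.Format(ipaGeneralizedTime)
}

// NotBeforeUTC converts to UTC before formatting, so the 'Z' is honest.
func NotBeforeUTC(t time.Time) string {
	return t.UTC().Format(ipaGeneralizedTime)
}

// ParseNotBefore reads a stored value back as UTC, the only interpretation
// the format allows, so the two encodings can be compared as instants.
func ParseNotBefore(s string) (time.Time, error) {
	return time.ParseInLocation(ipaGeneralizedTime, s, time.UTC)
}

// SkewSeconds returns how far the naive encoding lands from the true
// instant. On a CET (+0100) server this is 3600: the token only becomes
// valid an hour after it was created, matching the "minus one hour" report.
func SkewSeconds(t time.Time) int {
	naive, _ := ParseNotBefore(NotBeforeNaive(t))
	return int(naive.Sub(t.UTC()).Seconds())
}

func main() {
	// Constructed sample clock in CET (+0100); not a real token.
	cet := time.FixedZone("CET", 3600)
	now := time.Date(2024, 11, 18, 14, 46, 13, 0, cet)
	fmt.Println("naive:", NotBeforeNaive(now))
	fmt.Println("utc:  ", NotBeforeUTC(now))
	fmt.Println("skew seconds:", SkewSeconds(now))
}
```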