valluwtf opened this issue 1 week ago (status: Open)
Thanks for reporting this bug on authd and helping to make it better!
You are right, we should re-ask for device authentication if the local password was correct but the token was expired.
However, there is also the case of "I'm logging in offline for many months" to take into account; we need to carefully design this. Adding it to the backlog.
Describe the issue
I can successfully log in and set a local password. In our Entra application, the token validity is set to only a few hours for testing purposes, so when I try to log in on the next day, I get the prompt for the local password, which no longer works (which makes sense), and journalctl tells me that my token is invalid. If I type 'r', I can get to the device login again to create a new password.
It would be a lot more useful, though, if in this case I got prompted with a new Entra login code to authenticate again immediately, or at least got a more helpful message instead of 'authentication failure: could not load cached info', which is btw the exact same message I get when I actually have a typo in my password.
// All of this is on SSH login only; no idea what the behaviour is on GDM, but I guess it would be similar.
Steps to reproduce
When logging in via SSH after a period of time in which the Entra token has become invalid, I get asked for my local password on login, which does not exist anymore and therefore does not work.
System information and logs
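Added illustration, not authd's own code (every name here is hypothetical): a cached-login decision that returns a different outcome for a wrong local password, for a correct password with an expired token while the host is online, and for a correct password with an expired token while offline but within a grace window, the last being the long-offline case the maintainer flags. The password is checked first, so a caller who fails it learns nothing about the token.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"time"
)

// Outcome of a login attempt against cached credentials (hypothetical names, not authd's own types).
type Outcome string
const (
	Denied           Outcome = "denied: wrong local password"
	Granted          Outcome = "granted: cached token still valid"
	GrantedOffline   Outcome = "granted: token expired, but host offline and within grace period"
	NeedsDeviceLogin Outcome = "password ok, token expired: start a new device login"
)

// CachedInfo stands in for what the broker keeps after a successful device login (constructed shape).
type CachedInfo struct {
	Salt, PasswordHash []byte
	TokenExpiry        time.Time
}
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}
// NewCachedInfo uses a fixed salt and plain SHA-256 to keep the example short; real code needs a random per-user salt and a slow KDF.
func NewCachedInfo(pw string, tokenExpiry time.Time) *CachedInfo {
	salt := []byte("constructed-salt")
	return &CachedInfo{Salt: salt, PasswordHash: hashPassword(salt, pw), TokenExpiry: tokenExpiry}
}

// Decide checks the password first, so token state is never revealed to a caller who failed it, then separates "token still valid", "offline grace" and "must re-authenticate online".
func Decide(info *CachedInfo, pw string, now time.Time, online bool, maxOffline time.Duration) Outcome {
	if info == nil {
		return NeedsDeviceLogin // nothing cached: only a fresh device login can succeed
	}
	if subtle.ConstantTimeCompare(hashPassword(info.Salt, pw), info.PasswordHash) != 1 {
		return Denied
	}
	if now.Before(info.TokenExpiry) {
		return Granted
	}
	if !online && now.Sub(info.TokenExpiry) <= maxOffline {
		return GrantedOffline
	}
	return NeedsDeviceLogin
}
```

Mapping each outcome to its own PAM message would give the reporter a distinct error for a typo versus an expired token, and a new device-login prompt in the online case.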