
Teleport fails to restart if OIDC user has MFA #6695

Closed
stevenGravy opened this issue May 2, 2021 · 3 comments
Labels: blocker (Blocker for the milestone), bug, mfa (Issues related to Multi Factor Authentication)

Comments

@stevenGravy (Contributor)

Description

What happened:

An MFA device is added to an OIDC user. If Teleport is restarted after that OIDC user expires, Teleport will fail to start, at least for the sqlite storage option.

INFO [AUTH]      Updating cluster configuration: AuthPreference(Type="oidc",SecondFactor="u2f"). auth/init.go:292
INFO [AUTH]      Created namespace: "default". auth/init.go:299
ERROR: initialization failed
cannot itemTo user "[email protected]" without primary item "params"

What you expected to happen:

No failure to start if MFA is stored for OIDC/SAML users.

Reproduction Steps


  1. Configure MFA in Teleport with u2f, such as adding this to the auth_service:
     authentication:
       type: oidc
       second_factor: u2f
       u2f:
         app_id: https://teleport.example.com:3080
         facets:
         - https://teleport.example.com:3080
         - https://teleport.example.com
         - teleport.example.com:3080
         - teleport.example.com
  2. Add an OIDC connector such as Auth0.
  3. Login via OIDC with a user with a role that has a low ttl (30m).
  4. Add an MFA device to that user.
  5. Log out.
  6. Confirm the user has been removed from the list of users after a certain time.
  7. Restart Teleport.

Server Details

  • Teleport version (run teleport version): 6.1.3
  • Server OS (e.g. from /etc/os-release): ubuntu
  • Where are you running Teleport? (e.g. AWS, GCP, Dedicated Hardware): AWS ec2
  • Additional details:
@stevenGravy stevenGravy added bug mfa Issues related to Multi Factor Authentication labels May 2, 2021
@stevenGravy (Contributor, Author)

@awly fyi

@klizhentas klizhentas added this to the 6.2 "Buffalo" milestone May 2, 2021
@klizhentas klizhentas added the P1 label May 2, 2021
@klizhentas klizhentas added the blocker Blocker for the milestone label May 2, 2021
@stevenGravy (Contributor, Author)

The workaround is to remove any /web/users entries for non-local users.
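
As an added illustration of the state this bug leaves behind (not code from the issue or from Teleport), the check below walks a list of backend keys and reports users whose /web/users/<name>/params item is missing or expired while sub-items such as MFA devices remain. The key layout, the Item record and the sample contents are assumptions modelled on the error message and the workaround above, not Teleport's real storage schema.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed key layout (from the error message and the workaround in this issue,
# not verified against Teleport source): the primary user item is
# /web/users/<name>/params and MFA devices sit at /web/users/<name>/mfa/<id>.
USER_KEY = re.compile(r"^/web/users/([^/]+)/(.+)$")


@dataclass
class Item:
    key: str
    expires: Optional[datetime]  # None means the item never expires


def orphaned_users(items: List[Item], now: datetime) -> Dict[str, List[str]]:
    """Return users that still have sub-items (e.g. MFA devices) but whose
    'params' item is absent or already expired at `now`. That is the
    inconsistent state behind "cannot itemTo user ... without primary item"."""
    params_alive: Dict[str, bool] = {}
    sub_items: Dict[str, List[str]] = {}
    for it in items:
        m = USER_KEY.match(it.key)
        if not m:
            continue  # not a user entry, ignore
        user, rest = m.groups()
        alive = it.expires is None or it.expires > now
        if rest == "params":
            params_alive[user] = alive
        else:
            sub_items.setdefault(user, []).append(it.key)
    return {u: sorted(k) for u, k in sub_items.items() if not params_alive.get(u, False)}


# Constructed sample: a local user with no TTL, and an OIDC user whose params
# item carried a 30m TTL that elapsed while its MFA device never expires.
NOW = datetime(2021, 5, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Item("/web/users/alice/params", None),
    Item("/web/users/alice/mfa/dev-1", None),
    Item("/web/users/bob@example.com/params", datetime(2021, 5, 2, 11, 30, tzinfo=timezone.utc)),
    Item("/web/users/bob@example.com/mfa/dev-2", None),
    Item("/cluster/config", None),
]

if __name__ == "__main__":
    for user, keys in orphaned_users(SAMPLE, NOW).items():
        print(f"{user}: orphaned items {keys}")
```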

@awly (Contributor)

awly commented May 14, 2021

Will be fixed in 6.2
