
Vault 1.11.2 Okta login on UI does not create or allow user to input nonce #16955

Closed
eightseventhreethree opened this issue Aug 31, 2022 · 2 comments

Comments

eightseventhreethree commented Aug 31, 2022

Describe the bug
A user logging in on the UI with the Okta login mechanism is never prompted or able to input a nonce. On the Vault CLI the nonce is generated for the user; however, on the UI it's not, and it throws the following error after the user accepts the Okta Push.

"Authentication failed: nonce must be provided during login request when presented with number challenge"

To Reproduce
Steps to reproduce the behavior:

  1. Configure Okta Auth
  2. Go to UI
  3. Select Okta as the login type
  4. Type username and password in
  5. Wait for Okta Push
  6. Accept Okta Push
  7. The following error is returned at the top of the login view: "Authentication failed: nonce must be provided during login request when presented with number challenge"

Expected behavior
Either the UI generates a nonce on the backend similar to the functionality of the CLI, or the user is prompted to enter one under the optional box. The former is the most user friendly and expected since it would match the functionality of the CLI.

Environment:

  • Vault Server Version (retrieve with vault status):
❯ vault status | egrep -i '(build|version)'
Version                  1.11.2
Build Date               2022-07-29T09:48:47Z
  • Vault CLI Version (retrieve with vault version):
❯ vault version
Vault v1.11.2 (3a8aa12eba357ed2de3192b15c99c717afdeb2b5), built 2022-07-29T09:48:47Z
  • Server Operating System/Architecture:
    Running in Vault container.
    Vault server configuration file(s):
disable_mlock = true
ui = true
default_lease_ttl = "720h"
max_lease_ttl = "8760h"

listener "tcp" {
  tls_disable = 0
  address = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
  tls_key_file  = "/vault/userconfig/vault-server-tls/vault.key"
  tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
  proxy_protocol_behavior = "use_always"
}

storage "dynamodb" {
  ha_enabled = "true"
  region     = "xxxxx"
  table      = "xxxxxx"

  autopilot {
    cleanup_dead_servers = "true"
    last_contact_threshold = "200ms"
    last_contact_failure_threshold = "10m"
    max_trailing_logs = 250000
    min_quorum = 5
    server_stabilization_time = "10s"
  }
}

seal "awskms" {
  region     = "xxxxxx"
  kms_key_id = "xxxxxx"
}

service_registration "kubernetes" {}
log_level = "Warn"

Additional context
Likely related code path: a970427
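The exchange the report describes, as an added illustration that is not Vault's own code: the client sends a fresh nonce with the login request and polls `verify/<nonce>` so the user can be told which number to tap, which is what the CLI does and the UI at 1.11.2 did not. The `/v1/auth/<mount>/login/<username>` and `/v1/auth/<mount>/verify/<nonce>` paths, the `nonce` field and the `correct_answer` response key are assumptions based on Vault's Okta auth method API; the HTTP transport is injected so the flow can be exercised against a constructed stand-in server.

```python
import secrets
import string
import threading
import time
from typing import Callable, Optional

BASE62 = string.ascii_letters + string.digits  # nonce alphabet (assumed, like the CLI)

HttpFn = Callable[[str, str, Optional[dict]], dict]  # (method, path, json_body) -> json


def new_nonce(length: int = 20) -> str:
    """Client-generated nonce; random so verify/<nonce> cannot be guessed by others."""
    return "".join(secrets.choice(BASE62) for _ in range(length))


def build_login(mount: str, username: str, password: str, nonce: Optional[str]) -> tuple:
    """Path and body of the login call. Omitting the nonce reproduces what the UI sent."""
    body = {"password": password}
    if nonce is not None:
        body["nonce"] = nonce
    return f"/v1/auth/{mount}/login/{username}", body


def login_with_push(http: HttpFn, mount: str, username: str, password: str,
                    show: Callable[[int], None], poll_interval: float = 0.05) -> dict:
    """CLI-style flow: send the login with a fresh nonce and, while Vault waits for the
    push to be accepted, poll verify/<nonce> (assumed path) to surface the number."""
    nonce = new_nonce()
    path, body = build_login(mount, username, password, nonce)
    done = threading.Event()

    def poll() -> None:
        while not done.is_set():
            resp = http("GET", f"/v1/auth/{mount}/verify/{nonce}", None) or {}
            answer = resp.get("data", {}).get("correct_answer")
            if answer is not None:
                show(answer)  # e.g. print("In Okta Verify, tap the number", answer)
                return
            time.sleep(poll_interval)

    threading.Thread(target=poll, daemon=True).start()
    try:
        result = http("POST", path, body)  # blocks until the push is accepted or denied
    finally:
        done.set()
    if result.get("errors"):
        raise RuntimeError("Authentication failed: " + "; ".join(result["errors"]))
    return result
```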

@eightseventhreethree (Author)

I believe this was fixed in: #15998

Going to test and report back.

@zofskeez (Contributor)

Thanks for the report @eightseventhreethree. This feature was added in version 1.12 via the PR you referenced.
