Unlock account with voice disabled skips authenticator-verification-data step #1468

Open
JeremyGuinn opened this issue Oct 24, 2023 · 1 comment
JeremyGuinn commented Oct 24, 2023

Describe the bug

Starting the unlock account flow with an Okta environment set up to only use text message for recovery automatically selects SMS and skips the authenticator-verification-data step.

I'm calling the flow as follows:

await okta.idx.unlockAccount({
  username: "my_user",
  authenticator: "phone_number",
});

This successfully starts the flow, and the user is immediately sent the text message. The forgot password flow works correctly, and takes the user to the authenticator-verification-data step.

Looking at the requests, the SDK is automatically adding methodType: 'SMS' to the request, which is causing the API to skip the step. When I test the API directly with the payload only including the identifier and authenticator, it correctly takes me to the authenticator-verification-data step.

Payload results in transition to authenticator-verification-data

{
    "identifier": "user@example.com",
    "authenticator": {
        "id": "{phone_authenticator_id}"
    },
    "stateHandle": "some_long_state_handle"
}

Payload results in transition to challenge-authenticator, and the text was sent without confirmation

{
    "identifier": "user@example.com",
    "authenticator": {
        "id": "{phone_authenticator_id}",
        "methodType": "sms"
    },
    "stateHandle": "some_long_state_handle"
}

Reproduction Steps?

  1. Configure Okta policy to disable voice call for recovery and authentication
  2. Call idx.unlockAccount
  3. Call idx.proceed with the username and authenticator as phone_number

SDK Versions

System:
OS: Windows 10 10.0.19044
CPU: (12) x64 Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz
Memory: 5.66 GB / 31.79 GB
Binaries:
Node: 18.12.1 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.19 - C:\Program Files\nodejs\yarn.CMD
npm: 8.19.2 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: Spartan (44.19041.3570.0), Chromium (118.0.2088.57)
npmPackages:
@okta/okta-angular: ^6.2.0 => 6.2.0
@okta/okta-auth-js: ^7.4.2 => 7.4.2

Additional Information?

It looks like the issue is caused here: SelectAuthenticatorUnlockAccount.ts#L44-L52
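
The difference between the two payloads in this report can be turned into a regression check. The following is an added example, not code from the issue or from the SDK: it flags a request body whose authenticator carries a methodType the caller never passed. The function name, the constants, and the assumption that a caller would express an explicit choice as a `methodType` input are hypothetical.

```javascript
// Added example (not SDK code). Sample payloads are constructed from the two
// request bodies quoted in the issue; IDs and state handle are placeholders.
const CALLER_INPUT = { username: 'my_user', authenticator: 'phone_number' };

const PAYLOAD_WITHOUT_METHOD = {
  identifier: 'user@example.com',
  authenticator: { id: '{phone_authenticator_id}' },
  stateHandle: 'some_long_state_handle',
};

const PAYLOAD_WITH_METHOD = {
  identifier: 'user@example.com',
  authenticator: { id: '{phone_authenticator_id}', methodType: 'sms' },
  stateHandle: 'some_long_state_handle',
};

// Returns null when the request leaves the method choice to the user, or when
// the caller explicitly asked for the method that was sent. Otherwise returns
// a finding describing the method that was selected on the user's behalf.
// Assumption: an explicit caller choice appears as callerInput.methodType.
function findImplicitMethodType(callerInput, requestBody) {
  const body = typeof requestBody === 'string' ? JSON.parse(requestBody) : requestBody;
  const sent = body && body.authenticator && body.authenticator.methodType;
  if (!sent) {
    return null; // no method pre-selected: flow should reach authenticator-verification-data
  }
  const asked = callerInput && callerInput.methodType;
  if (asked && String(asked).toLowerCase() === String(sent).toLowerCase()) {
    return null; // caller chose this method, so sending the challenge is expected
  }
  return {
    identifier: body.identifier,
    methodType: sent,
    reason: 'methodType present in request but not supplied by caller',
  };
}

// Stand-alone run: report what each constructed payload would trigger.
for (const [name, payload] of [
  ['without methodType', PAYLOAD_WITHOUT_METHOD],
  ['with methodType', PAYLOAD_WITH_METHOD],
]) {
  const finding = findImplicitMethodType(CALLER_INPUT, payload);
  console.log(name, '->', finding ? `implicit ${finding.methodType}` : 'ok');
}
```

In a test suite this would be called from whatever hook captures the SDK's outgoing request body, failing the test when a finding is returned.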

@denysoblohin-okta
Contributor

Thanks for reporting this issue
Internal ref: OKTA-664665
