Description
Version
v4.38.17, v4.38.16
Deployment Method
Kubernetes
Reverse Proxy
Traefik
Reverse Proxy Version
No response
Description
When registering a TOTP the default method of the user won't be set to it by default, even when:
- default_2fa_method is set to '', 'webauthn' or 'totp'
- It is the only registered method
After logging in again the User will be prompted to register a 2FA again, even though it has been registered.
This leads to confusion and unintuitive behavior regarding the default_2fa_method field.
Using the Methods Button and selecting the registered Method does work.
The behavior with WebAuthn is as expected, mostly. We have not yet been able to reproduce the bug here reliably.
Reproduction
- Log in using your Credentials
- Register a 2FA using TOTP
- Don't select a default method
- Open Test or Application
Expectations
Since only one 2FA Method is registered, it's expected that that one should be chosen to log in.
Configuration (Authelia)
No response
Build Information
Last Tag: v4.38.17
State: tagged clean
Branch: v4.38.17
Commit: 592ab519b4167dfe4462ee0a613d38d3e4b8efa0
Build Number: 35061
Build OS: linux
Build Arch: amd64
Build Compiler: gc
Build Date: Thu, 31 Oct 2024 09:37:31 +1100
Extra:
Go:
Version: go1.23.2
Module Path: github.com/authelia/authelia/v4
Executable Path: github.com/authelia/authelia/v4/cmd/authelia
Logs (Authelia)
time="2024-11-27T14:53:16Z" level=debug msg="Loaded Configuration Sources" files="[/configuration.yaml]" filters="[template]"
time="2024-11-27T14:53:16Z" level=debug msg="Logging Initialized" fields.level=debug file= format=json keep_stdout=true
time="2024-11-27T14:53:16Z" level=debug msg="Process user information" gid=0 gids="1,2,3,4,6,10,11,20,26,27" name=root uid=0 username=root
time="2024-11-27T14:53:16Z" level=warning msg="Configuration: access_control: no rules have been specified so the 'default_policy' of 'two_factor' is going to be applied to all requests"
time="2024-11-27T14:53:16Z" level=info msg="Authelia v4.38.17 is starting"
time="2024-11-27T14:53:16Z" level=info msg="Log severity set to debug"
{"level":"debug","msg":"Registering client apache_test with policy two_factor (two_factor)","time":"2024-11-27T14:53:16Z"}
{"level":"debug","msg":"Registering client admin_web_dev with policy two_factor (two_factor)","time":"2024-11-27T14:53:16Z"}
{"level":"debug","msg":"Registering client admin_web_live with policy two_factor (two_factor)","time":"2024-11-27T14:53:16Z"}
{"level":"info","msg":"Storage schema is being checked for updates","time":"2024-11-27T14:53:16Z"}
{"level":"info","msg":"Storage schema is already up to date","time":"2024-11-27T14:53:16Z"}
{"level":"debug","msg":"LDAP Supported OIDs. Control Types: 1.3.6.1.4.1.4203.1.9.1.1, 2.16.840.1.113730.3.4.18, 2.16.840.1.113730.3.4.2, 1.3.6.1.4.1.4203.1.10.1, 1.3.6.1.1.22, 1.2.840.113556.1.4.319, 1.2.826.0.1.3344810.2.3, 1.3.6.1.1.13.2, 1.3.6.1.1.13.1, 1.3.6.1.1.12. Extensions: 1.3.6.1.4.1.1466.20037, 1.3.6.1.4.1.4203.1.11.1, 1.3.6.1.4.1.4203.1.11.3, 1.3.6.1.1.8","time":"2024-11-27T14:53:16Z"}
{"level":"debug","msg":"ntp provider: startup check skipped as it is disabled","time":"2024-11-27T14:53:16Z"}
{"level":"info","msg":"Listening for non-TLS connections on '[::]:9091' path '/'","server":"main","service":"server","time":"2024-11-27T14:53:16Z"}
{"level":"info","msg":"Startup complete","time":"2024-11-27T14:53:16Z"}
{"level":"info","msg":"Listening for non-TLS connections on '[::]:9959' path '/metrics'","server":"metrics","service":"server","time":"2024-11-27T14:53:16Z"}
{"level":"debug","method":"POST","msg":"Mark 1FA authentication attempt made by user 'testuser'","path":"/api/firstfactor","remote_ip":"10.0.3.219","time":"2024-11-27T14:54:03Z"}
{"level":"debug","method":"POST","msg":"Successful 1FA authentication attempt made by user 'testuser'","path":"/api/firstfactor","remote_ip":"10.0.3.219","time":"2024-11-27T14:54:04Z"}
{"error":"no TOTP configuration for user","level":"error","method":"GET","msg":"Error occurred retrieving TOTP configuration for user 'testuser': error occurred retrieving the configuration from the storage backend","path":"/api/secondfactor/totp","remote_ip":"10.0.3.219","stack":[{"File":"github.com/authelia/authelia/v4/internal/handlers/handler_sign_totp.go","Line":44,"Name":"TimeBasedOneTimePasswordGET"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/require_auth.go","Line":19,"Name":"Require1FA.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/bridge.go","Line":54,"Name":"handleRouter.(*BridgeBuilder).Build.func6.1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/headers.go","Line":65,"Name":"SecurityHeadersCSPNone.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/headers.go","Line":105,"Name":"SecurityHeadersNoStore.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/headers.go","Line":30,"Name":"SecurityHeadersBase.func1"},{"File":"github.com/fasthttp/router@v1.5.2/router.go","Line":441,"Name":"(*Router).Handler"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/log_request.go","Line":14,"Name":"handleRouter.LogRequest.func40"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/metrics.go","Line":23,"Name":"handleRouter.NewMetricsRequest.func42.1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/errors.go","Line":38,"Name":"RecoverPanic.func1"},{"File":"github.com/valyala/fasthttp@v1.57.0/server.go","Line":2385,"Name":"(*Server).serveConn"},{"File":"github.com/valyala/fasthttp@v1.57.0/workerpool.go","Line":225,"Name":"(*workerPool).workerFunc"},{"File":"github.com/valyala/fasthttp@v1.57.0/workerpool.go","Line":197,"Name":"(*workerPool).getCh.func1"},{"File":"runtime/asm_amd64.s","Line":1700,"Name":"goexit"}],"time":"2024-11-27T14:54:07Z"}
{"id":"f04281dd-e34a-481c-9f52-cfb2541b95f9","level":"debug","method":"POST","msg":"Sending an email to user to confirm identity for session elevation","path":"/api/user/session/elevation","remote_ip":"10.0.3.219","signature":"864717a46e015a2da747bda66cf298f686b3c2b0dec1daf99e76820732c72c542f1f344bbd3d33f4ef1edec1cc8e913bf9aab56e0c3ac6afa307d672d7cd16b8","time":"2024-11-27T14:54:09Z","username":"testuser"}
{"level":"debug","method":"POST","msg":"Getting user details for notification","path":"/api/secondfactor/totp/register","remote_ip":"10.0.3.219","time":"2024-11-27T14:54:36Z"}
{"level":"debug","method":"POST","msg":"Getting user addresses for notification","path":"/api/secondfactor/totp/register","remote_ip":"10.0.3.219","time":"2024-11-27T14:54:36Z"}
{"level":"debug","method":"POST","msg":"Sending an email to user testuser (\"Test User\" \u003ctest@example.org\u003e) to inform them of an important event.","path":"/api/secondfactor/totp/register","remote_ip":"10.0.3.219","time":"2024-11-27T14:54:36Z"}
Logs (Proxy / Application)
No response
Documentation
No response
Generative AI
No
Pre-Submission Checklist
- I agree to follow the Code of Conduct
- This is a bug report and not a support request
- I have read the security policy and this bug report is not a security issue or security related issue
- I have either included the complete configuration file or I am sure it's unrelated to the configuration
- I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant
- I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide
- I have checked for related proxy or application logs and included them if available
- I have checked for related issues and checked the documentation
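
The selection rule described under Expectations, written out as an added example: this is not code from the report or from Authelia. The function `resolveMethod` and its parameters are hypothetical; only the `default_2fa_method` values `''`, `'webauthn'` and `'totp'` come from the report.

```go
package main

import "fmt"

// resolveMethod is a hypothetical helper (not Authelia's code) that picks the
// second-factor method to present after a successful first-factor login.
//
//	preferred:  the method stored as the user's preference ("" if never chosen)
//	configured: the value of default_2fa_method ("" if unset)
//	registered: the methods the user has actually enrolled
func resolveMethod(preferred, configured string, registered []string) string {
	has := func(m string) bool {
		for _, r := range registered {
			if r == m {
				return true
			}
		}
		return false
	}
	switch {
	case len(registered) == 0:
		return "" // nothing enrolled: prompting for registration is correct
	case len(registered) == 1:
		return registered[0] // the reported case: only one method exists
	case preferred != "" && has(preferred):
		return preferred
	case configured != "" && has(configured):
		return configured
	default:
		return registered[0]
	}
}

func main() {
	// Constructed cases mirroring the report: TOTP enrolled, no preference chosen.
	for _, configured := range []string{"", "webauthn", "totp"} {
		fmt.Printf("default_2fa_method=%q -> %q\n", configured,
			resolveMethod("", configured, []string{"totp"}))
	}
}
```

An empty return value means the registration prompt is appropriate; any other value names an enrolled method, so a user with one registered factor is never sent back to registration.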