Bug 1912387

Summary: [TOTP/RHSSO] - Two factor authentication while accepting missing parameters fails on authentication
Product: Red Hat Satellite
Reporter: Omkar Khatavkar <okhatavk>
Component: Authentication
Assignee: Rahul Bajaj <rabajaj>
Status: CLOSED NOTABUG
QA Contact: Omkar Khatavkar <okhatavk>
Severity: medium
Priority: unspecified
Version: 6.9.0
CC: mhulan, oezr, rabajaj
Target Milestone: 6.9.0
Keywords: Triaged
Target Release: Unused
Hardware: All
OS: All
Last Closed: 2021-02-02 11:33:37 UTC
Type: Bug

Description Omkar Khatavkar 2021-01-04 10:53:29 UTC
Description of problem:
[TOTP/RHSSO] - Hammer Auth Login Oauth is not working for TOTP users. This works fine with --two-factor.

Version-Release number of selected component (if applicable):
Satellite 6.9 Snap7

How reproducible:
always

Steps to Reproduce:
1. Set up the Satellite with RHSSO and try:

```
hammer> auth login oauth
Openidc Provider Token Endpoint: https://rhsso.redhat.com/auth/realms/satqe/protocol/openid-connect/token
Client ID: satellite.redhat.com-foreman-openidc
Username: foobar
Password: 
401 Unauthorized
```


Actual results:
Login is not working 

Expected results:
Login should work, or, if not, the correct message should be mentioned.

Additional info:

Comment 2 Ondřej Ezr 2021-01-21 09:53:49 UTC
Created redmine issue https://projects.theforeman.org/issues/31698 from this bug

Comment 5 Rahul Bajaj 2021-02-01 06:34:31 UTC
Hello,

After updating my hammer instance and hammer-cli-foreman instance, I was trying to reproduce the issue, and it looks like everything is working fine.

```
[vagrant@centos7-hammer-devel hammer-cli-foreman]$ hammer auth login oauth --two-factor
Openidc Provider Token Endpoint: https://keycloak.example.org/auth/realms/hammer-cli/protocol/openid-connect/token
Openidc Provider Authorization Endpoint: https://keycloak.example.org/auth/realms/hammer-cli/protocol/openid-connect/auth
Client ID: rest-api-client
Redirect URI: urn:ietf:wg:oauth:2.0:oob
Enter URL in browser: https://keycloak.example.org/auth/realms/hammer-cli/protocol/openid-connect/auth?response_type=code&client_id=rest-api-client&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=openid
Code: f34f8433-65a8-4309-a989-a1b7d6483c92.26a4bf95-04e4-4886-9394-d993c2ddd694.319510a3-b275-415e-957a-53a3059b51e0
Successfully logged in as 'rabajaj'.
```

@Omkar, can you test again, and if you are still facing the issue, please provide me with a reproducer.

Thank you,

Comment 6 Rahul Bajaj 2021-02-02 11:33:37 UTC
Hello, 

I just noticed the original issue raised, the steps mentioned:

```
hammer> auth login oauth
Openidc Provider Token Endpoint: https://rhsso.redhat.com/auth/realms/satqe/protocol/openid-connect/token
Client ID: satellite.redhat.com-foreman-openidc
Username: foobar
Password: 
401 Unauthorized
```

Now, CAC card and TOTP are two-factor authentication methods and we support only two-factor authentication with RHSSO. The above steps are missing that parameter, and therefore the issue. Even if you wish to not use the --two-factor method, you will have to use a user that does not have an OTP binding to it.

This is NOTABUG; I am closing this issue. If you think otherwise, feel free to open the BZ.

Thank you,
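
A minimal model of the behaviour described in comment 6, added here as an example; it is not hammer, hammer-cli-foreman or RHSSO code. It assumes that login without `--two-factor` sends a password grant and that `--two-factor` redeems the pasted code with an authorization-code grant; the users, the code value, the reason strings and the `token_endpoint` helper are all constructed for illustration.

```ruby
require 'uri'

# Constructed sample users: 'foobar' has an OTP credential bound, 'plainuser' does not.
USERS = {
  'foobar'    => { password: 'secret', otp_bound: true },
  'plainuser' => { password: 'secret', otp_bound: false }
}.freeze

# Constructed code, standing for one issued after a browser login that included the OTP step.
ISSUED_CODES = { 'sample-code-123' => 'foobar' }.freeze

# Form body for a direct password grant (assumed shape of login without --two-factor).
def password_grant(client_id, username, password)
  URI.encode_www_form(grant_type: 'password', client_id: client_id,
                      username: username, password: password)
end

# Form body that redeems the value pasted at the "Code:" prompt.
def code_grant(client_id, code, redirect_uri)
  URI.encode_www_form(grant_type: 'authorization_code', client_id: client_id,
                      code: code, redirect_uri: redirect_uri)
end

# Toy token endpoint (hypothetical model): returns [status, username or reason].
def token_endpoint(body)
  params = URI.decode_www_form(body).to_h
  case params['grant_type']
  when 'password'
    user = USERS[params['username']]
    return [401, 'invalid credentials'] unless user && user[:password] == params['password']
    # A password alone cannot satisfy an account that has a second factor bound.
    return [401, 'second factor required'] if user[:otp_bound]
    [200, params['username']]
  when 'authorization_code'
    # The second factor was already checked in the browser before the code was issued.
    owner = ISSUED_CODES[params['code']]
    owner ? [200, owner] : [401, 'invalid code']
  else
    [400, 'unsupported grant_type']
  end
end

if __FILE__ == $PROGRAM_NAME
  oob = 'urn:ietf:wg:oauth:2.0:oob'
  p token_endpoint(password_grant('rest-api-client', 'foobar', 'secret'))
  p token_endpoint(password_grant('rest-api-client', 'plainuser', 'secret'))
  p token_endpoint(code_grant('rest-api-client', 'sample-code-123', oob))
end
```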