Unlock account with voice disabled skips authenticator-verification-data step #1468

JeremyGuinn opened this issue Oct 24, 2023 · 6 comments
JeremyGuinn commented Oct 24, 2023

Describe the bug

Starting the unlock account flow with an Okta environment set up to only use text message for recovery automatically selects SMS and skips the authenticator-verification-data step.

I'm calling the flow as follows:

await okta.idx.unlockAccount({
  username: "my_user",
  authenticator: "phone_number",
});

This successfully starts the flow, and the user is immediately sent the text message. The forgot password flow works correctly, and takes the user to the authenticator-verification-data step.

Looking at the requests, the SDK is automatically adding methodType: 'SMS' to the request, which is causing the API to skip the step. When I test the api directly with the payload only including the identifier and authenticator, it correctly takes me to the authenticator-verification-data step.

Payload results in transition to authenticator-verification-data

{
    "identifier": "user@example.com",
    "authenticator": {
        "id": "{phone_authenticator_id}"
    },
    "stateHandle": "some_long_state_handle"
}

Payload results in transition to challenge-authenticator, and the text was sent without confirmation

{
    "identifier": "user@example.com",
    "authenticator": {
        "id": "{phone_authenticator_id}",
        "methodType": "sms"
    },
    "stateHandle": "some_long_state_handle"
}

Reproduction Steps?

  1. Configure okta policy to disable voice call for recovery and authentication
  2. Call idx.unlockAccount
  3. Call idx.proceed with the username and authenticator as phone_number

SDK Versions

System:
OS: Windows 10 10.0.19044
CPU: (12) x64 Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz
Memory: 5.66 GB / 31.79 GB
Binaries:
Node: 18.12.1 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.19 - C:\Program Files\nodejs\yarn.CMD
npm: 8.19.2 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: Spartan (44.19041.3570.0), Chromium (118.0.2088.57)
npmPackages:
@okta/okta-angular: ^6.2.0 => 6.2.0
@okta/okta-auth-js: ^7.4.2 => 7.4.2

Additional Information?

It looks like the issue is caused here: SelectAuthenticatorUnlockAccount.ts#L44-L52

@denysoblohin-okta
Contributor

Thanks for reporting this issue
Internal ref: OKTA-664665


ultrma commented Jun 28, 2024

Hi @denysoblohin-okta , is there any update on this issue?

@denysoblohin-okta
Contributor

As a workaround you can use low-level API methods like

await authClient.idx.start({
  flow: 'unlockAccount',
});

await authClient.idx.proceed({
  identifier: "user@example.com",
  authenticator: {
    id: "{phone_authenticator_id}"
  },
  step: "select-authenticator-unlock-account",
});

await authClient.idx.proceed({
  authenticator: {
    id: "{phone_authenticator_id}",
    methodType: "sms"
  },
  step: "authenticator-verification-data",
});

instead of using unlockAccount.
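The step-by-step flow above, written as an added example (not code from okta-auth-js or from this thread) that refuses to send methodType until the authenticator-verification-data step has actually been reached; `proceed` is an injected function with an assumed shape like authClient.idx.proceed(payload) -> { nextStep }, and the mock below is a constructed stand-in for the server behaviour described in the issue:

```javascript
// Added example (not okta-auth-js code); `proceed` stands in for authClient.idx.proceed (assumed shape).
async function unlockAccountWithConfirmation(proceed, opts) {
  const { identifier, authenticatorId, methodType } = opts;
  // Step 1: select the authenticator by id only. Deliberately no methodType: sending it
  // here makes the API skip authenticator-verification-data and send the SMS unconfirmed.
  let tx = await proceed({
    identifier,
    authenticator: { id: authenticatorId },
    step: "select-authenticator-unlock-account",
  });
  // Guard: stop if the confirmation step was skipped, so the caller never ends up with a code already sent.
  const name = tx.nextStep && tx.nextStep.name;
  if (name !== "authenticator-verification-data") {
    throw new Error("expected authenticator-verification-data, got " + name);
  }
  // Step 2: the user has confirmed ("Send code"); now choose the delivery method.
  return proceed({
    authenticator: { id: authenticatorId, methodType },
    step: "authenticator-verification-data",
  });
}

// Constructed stand-in for the server behaviour reported in the issue:
// methodType on the select step jumps straight to challenge-authenticator.
function makeMockProceed(log) {
  return async (payload) => {
    log.push(payload);
    const { step, authenticator } = payload;
    if (step === "select-authenticator-unlock-account") {
      const next = authenticator.methodType
        ? "challenge-authenticator" // SMS already sent, no confirmation
        : "authenticator-verification-data";
      return { nextStep: { name: next } };
    }
    if (step === "authenticator-verification-data") {
      return { nextStep: { name: "challenge-authenticator" } };
    }
    throw new Error("unexpected step " + step);
  };
}

// Wraps proceed the way the buggy SDK path does (silently adds methodType to the
// select step) so the guard above can be seen to catch it.
function withAutoMethodType(proceed, methodType) {
  return (payload) =>
    proceed(payload.step === "select-authenticator-unlock-account"
      ? { ...payload, authenticator: { ...payload.authenticator, methodType } }
      : payload);
}
```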


ultrma commented Jul 9, 2024

@denysoblohin-okta , I tried the way you suggested. It still redirects me to the code verification page directly.
If I remove the "methodType: 'sms'" in the second idx.proceed call, it prompts the "Send Code" page, but when I click the "Send Code" button through my UI, I don't receive any code back for some reason. Any idea?

@denysoblohin-okta
Contributor

but when I click "Send Code" button through my UI, I don't receive any code back for some reason.

You mean you don't receive SMS on your phone?
Have you tried different accounts with different phone numbers? (to make sure it's not a problem with a specific phone number)


ultrma commented Jul 10, 2024

@denysoblohin-okta , yes.
And you are right. It's something wrong with my account.
We tried another one and it worked well. We can present "send code" page now.

Thanks for your help. I really appreciate it.
