Unable to get successful EnableTwoFactor using dotnet client
-
Hi,
I'm using FusionAuth 1.21.0, and my app is running on .NET 5/Blazor Server.
I am unable to get a successful response to EnableTwoFactor using the FusionAuth dotnet client.
The first thing I do is GenerateTwoFactorSecret, which I use to create the QR code (using the GoogleAuthenticator NuGet Package by Brandon Potter). The QR code is brought into the authenticator app and I get a code. I validate the code with the QR code package's check method and get a successful validation of the code.
I then try to EnableTwoFactor using the code and the validationSecret (Base64 from GenerateTwoFactorSecret) and no matter what I do I get a 421 error.
The FusionAuthSyncClient is created using the same settings used to generate the secret, so it won't be that. In FusionAuth API settings I have enabled all (get, post, put, patch & delete) temporarily to test for /api/user/two-factor.
The server, desktop and mobile device are all time-synced to within a second of each other.
Here's my code:
async Task GenerateQRCode()
{
    InProgress = true;
    await Task.Delay(1); // yield so Blazor can re-render the in-progress state

    FusionAuthSyncClient client = new FusionAuthSyncClient(
        Configuration["FusionAuthApiKey"],
        Configuration["FusionAuthAuthority"],
        Configuration["FusionAuthTenantId"]);

    var secretResponse = client.GenerateTwoFactorSecret();
    if (secretResponse.WasSuccessful())
    {
        // Base64-encoded secret returned by FusionAuth
        verificationSecret = secretResponse.successResponse.secret;

        // GoogleAuthenticator NuGet package: build the QR code / manual entry key
        TwoFactorAuthenticator tfa = new TwoFactorAuthenticator();
        var setupInfo = tfa.GenerateSetupCode(Configuration["Settings:AppName"], emailAddress, verificationSecret, false, 300);
        QRCodeStr = setupInfo.QrCodeSetupImageUrl;
        manualEntrySetupCode = setupInfo.ManualEntryKey;
        QRCodeGenerated = true;
    }
}
GenerateQRCode is called from the HTML form, and once QRCodeGenerated becomes true, then the QR code is displayed.
void Verify2FACode()
{
    // Local check of the user's code against the same secret used for the QR code
    TwoFactorAuthenticator tfa = new TwoFactorAuthenticator();
    isCorrectPIN = tfa.ValidateTwoFactorPIN(verificationSecret, verificationCode);
    isPINChecked = true;
    if (isCorrectPIN)
    {
        Enable2FA();
    }
}
Once the QR code is displayed, and the user has entered the verification code, on submit Verify2FACode is called. If not successful the form is redisplayed notifying that the code was incorrect. If successfully validated, Verify2FACode calls Enable2FA.
void Enable2FA()
{
    FusionAuthSyncClient client = new FusionAuthSyncClient(
        Configuration["FusionAuthApiKey"],
        Configuration["FusionAuthAuthority"],
        Configuration["FusionAuthTenantId"]);

    Guid guid = new Guid(userID);

    io.fusionauth.domain.api.TwoFactorRequest requestBody = new io.fusionauth.domain.api.TwoFactorRequest();
    requestBody.code = verificationCode;     // the code the user entered from the authenticator app
    requestBody.delivery = io.fusionauth.domain.TwoFactorDelivery.None;
    requestBody.secret = verificationSecret; // the Base64 secret from GenerateTwoFactorSecret

    var response = client.EnableTwoFactor(guid, requestBody);
    // once this works, do some more stuff...
}
It's at this point in the code that I'm getting a 421 error.
Here is a list of some of the in-memory variables:
So you can see that all the variables in the responseBody match what is passed to it.
Unfortunately FusionAuth doesn't give me any feedback as to what is wrong beyond the code being incorrect (in the docs). It'd be nice if there was a way for me to see what it is expecting based on the secret passed to it.
The only thing I can think of is that the QR code that is being displayed is resulting in an incorrect code, one that does not match what FusionAuth is expecting. I will play with that tomorrow, but in the meantime if anyone has any other suggestions I'd be happy to hear them.
Thanks
Craig -
UPDATE:
I've determined that the NuGet package mentioned above is giving me a different QR code than what FusionAuth would give me if I manually enabled two factor authentication using the same secret.
I've also determined that FusionAuth bases its two factor authentication on TOTP as defined in RFC 6238, so I can only assume that the package I chose is using a different algorithm. I've looked at the documentation for the NuGet package and it does not mention what algorithm it is using.
I'm going to switch to another QR code generator that does adhere to RFC 6238 and see if that fixes things.
It would be nice of course if when using the FusionAuth API call GenerateTwoFactorSecret that it would also send back an image that can be used in the authenticator app. That would ensure the correct QR code and eliminate the need for an additional package to generate the QR code.
I will update later with my findings.
- Craig
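The symptom above (the local check passes but FusionAuth rejects the code) fits a key-encoding mismatch: an RFC 6238 server computes TOTP over the decoded secret bytes, while a library told the key is not Base32 (the `false` argument to GenerateSetupCode) treats the Base64 text itself as the key, so the app and the local validator agree with each other but not with the server. That reading is my assumption, not something the thread confirms; the following added Python example (not code from the thread or from FusionAuth) implements RFC 6238 against the RFC's own test vectors, shows the two readings of one constructed Base64 secret, and builds the Base32 form an otpauth:// provisioning URI needs.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

# Constructed sample (not a value from the thread): the RFC 6238 test key
# "12345678901234567890", Base64-encoded like a FusionAuth-style "secret" field.
SAMPLE_SECRET_B64 = base64.b64encode(b"12345678901234567890").decode()

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP with the 8-byte big-endian time step as counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def otpauth_uri(key: bytes, issuer: str, account: str) -> str:
    """Provisioning URI carried by the QR code; the secret is Base32 of the raw key bytes."""
    secret_b32 = base64.b32encode(key).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={urllib.parse.quote(issuer)}&algorithm=SHA1&digits=6&period=30")

def secret_from_uri(uri: str) -> bytes:
    """Raw key an authenticator app seeds itself with from that URI."""
    b32 = urllib.parse.parse_qs(urllib.parse.urlparse(uri).query)["secret"][0]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def codes_for_base64_secret(secret_b64: str, unix_time: int) -> dict:
    """The same secret string read two ways yields two different code streams."""
    raw = base64.b64decode(secret_b64)
    return {
        # an RFC 6238 server holding the decoded key bytes computes this
        "decoded_bytes": totp(raw, unix_time),
        # a library that treats the Base64 text itself as the key computes this
        "utf8_of_base64_text": totp(secret_b64.encode("utf-8"), unix_time),
    }

def verify(key: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- window steps (absorbs small clock skew)."""
    return any(hmac.compare_digest(totp(key, unix_time + d * 30), code)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    raw_key = base64.b64decode(SAMPLE_SECRET_B64)
    print(otpauth_uri(raw_key, "ExampleApp", "user@example.com"))
    print(codes_for_base64_secret(SAMPLE_SECRET_B64, 59))
```

Whatever generator produces the QR code, the test is that `secret_from_uri` of its URI equals the bytes the server holds; if it does not, the two sides will never agree on a code.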
-
UPDATE:
That was what the problem was. I switched from the GoogleAuthenticator NuGet package mentioned in my first post, and I am now using QRCoder, and that seems to have solved the problem.
Regards
Craig -
Thanks @craig-hind , I'll update the documentation to specify that any TOTP generator used for this application should adhere to RFC 6238. Here's a PR: https://github.com/FusionAuth/fusionauth-site/pull/329
It would be nice of course if when using the FusionAuth API call GenerateTwoFactorSecret that it would also send back an image that can be used in the authenticator app. That would ensure the correct QR code and eliminate the need for an additional package to generate the QR code.
I know we're overhauling MFA functionality soon; please feel free to file a bug or add a comment here with this suggestion: https://github.com/FusionAuth/fusionauth-issues/issues/960
-
Thanks @dan
-
@dan said in Unable to get successful EnableTwoFactor using dotnet client:
RFC 6238. H
@dan I am not able to delete two-factor for a user.
Please help. Below are the steps I am following using fusion auth client 1.43.0:
- Generate OTP using the SendTwoFactorCodeForEnableDisableAsync method of the fusion auth client. Note: using only the email-based OTP method.
{
  "methodId": "XXXX",
  "userId": "00000000-0000-0000-0000-00000000XXXX"
}
- Then with the above review code, I am trying to delete two-factor for the user using DisableTwoFactorAsync. I am getting 421, which means the code is not valid. I am not sure what is going wrong. PLEASE HELP, IT'S URGENT.
-
Thanks for all the help.
-
@craig-hind I would appreciate it if you could share with us your QRCoder code snippet that solves the problem. You could email it to me ying.morris@gmail.com
Thanking you in advance.