Desktop: Cannot login with mattermost v4 and u2f enabled

Created on 10 Feb 2018 · 16 comments · Source: mattermost/desktop

Summary
U2F auth fails because some files cannot be found.

Steps to reproduce

Login with u2f enabled, get greeted with the following:
[screenshot from 2018-02-10 14-54-34]

Labels: All Platforms, Electron, Feature, Priorit4


All 16 comments

@apollo13 Does this login method work on the browser, say Chrome?

@jasonblais It did work at this point in the browser (I've since disabled it). If you look at the URL referenced in the screenshot it seems as if the binary misses the u2f-comms.html file?

@yuya-oc Did we ever support u2f? Mattermost doesn't officially support it.

@apollo13 Has this worked for you before, or was it the first time you tried the desktop app?

@jasonblais It worked before in the sense that it realized that u2f wouldn't work and it did ask me for the OTP codes from Google authenticator IIRC.

EDIT:// Oh I understand your confusion now, I am logging in via OAUTH and Gitlab where I enabled u2f

U2F is not implemented in Electron. https://github.com/electron/electron/issues/3226

But recently it seems that Brave web browser adds it via Chromium extension. https://github.com/brave/browser-laptop/pull/10530 Possibly their approach might make sense.

@apollo13 Does this block your or your team's work? I assume you have U2F requirement standard across your other apps and services?

@jasonblais Yes, we have been evaluating U2F but did put the full deployment on hold for now. Note that the main issue here is not that U2F does not work (we'd appreciate if it would though) but rather that you cannot login at all.

Same problem here: With Mattermost Client 3.x, login via Gitlab and 2FA at Gitlab did work (not with the hardware token, but with keys), now I receive the same ERR_NOT_IMPLEMENTED as in the screenshot.
Android App (Beta) is working fine.

I could login to gitlab.com with 2FA (6-digit pin code) on v4.0.0. (For now I have no Mattermost instance where login via GitLab is enabled. So I added the gitlab url as a server to the app.)

@antondollmaier Would you explain more about your problem? In my understanding, "hardware token" means U2F device. So "keys" seems to mean pin code of authenticator apps, but I could use it in gitlab.com with v4.0.0 app.

In my understanding, "hardware token" means U2F device.

Correct.

So "keys" seems to mean pin code of authenticator apps, but I could use it in gitlab.com with v4.0.0 app.

U2F devices allow logging in via the U2F javascript API, or alternatively (if the device is lost or unavailable) via a regular authenticator PIN code. Yubikeys generate that PIN/token on request as well, so there's no need to touch the actual recovery keys generated during the 2FA setup process.

When using mattermost-desktop 4.0.0, the following happens:

  • "Mattermost" login is displayed. Choose "Sign in with [Gitlab]"
  • Gitlab login page is displayed. Sign in with username and password.
  • now, 2FA device would be requested or the PIN/token is entered after choosing "Sign in with token"
  • instead, for a split second, the 2FA form is displayed, but that is replaced immediately by the error message from first screenshot ("ERR_NOT_IMPLEMENTED (-11)", "You can reach chrome-extension:/..../u2f-comms.html from a browser window")
  • the actual page seems to be still active in the background, as after ~10 seconds a redirect back to the Gitlab login page happens.

See Gitlab documentation as well: https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#logging-in-with-2fa-enabled

mattermost-desktop 3.7.1 allows the login process without issues, although the U2F device is not usable (which is fine, as login via PIN/token is working as expected)

As I personally have no experience with chromium/electron, I can only suspect that electron has an issue with the U2F communications code. 3.7.1 did work fine, so something changed here with the update to 4.0.0.

I can confirm the bug. The 2FA code screen is not popping up anymore if you have a U2F device configured. As stated, the error page appears instead. I think something changed in the mattermost electron code in how it deals with the redirection sent by gitlab to enter the 2FA code when U2F is not supported by the browser. It was working on 3.7.x.

Delete the U2F device in Gitlab, and everything is working again (without hardware token of course).

Exactly the same problem as @antondollmaier (thanks btw for the detailed reporting).

I'm fine too with falling back to app 2FA.

@jasonblais They are different from this issue.

I just got my Yubikey, so now I can see what is actually happening. After the error, GitLab correctly falls back to PIN code 2FA in the background renderer. So we should ignore the error in the error handler.

Unfortunately Brave browser's approach looks like its own extension mechanism (they are using the fork of Electron). So we can't support U2F devices for now, but the original problem would be solved by ignoring the error.

I created a PR for this. Wondering if you could test the latest build with your 2FA flow.
https://circleci.com/gh/yuya-oc/desktop/680#artifacts
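The fix discussed in the thread is to stop treating Chromium's ERR_NOT_IMPLEMENTED (-11), which is what the U2F probe produces in Electron, as a fatal load failure, while still surfacing every other failure. The following is an added example of that decision logic and is not code from the mattermost/desktop project or from the linked PR. It assumes a webview-like object with `on('did-fail-load', ...)` whose event carries `errorCode`, `errorDescription`, `validatedURL` and `isMainFrame` (the fields Electron's event exposes); the `FakeWebview` class, the sub-frame rule and the sample URLs are constructed for the example.

```javascript
// Added example (not the mattermost/desktop project's code): deciding which
// webview load failures should replace the page with the error screen.
// Chromium reports U2F calls that Electron does not implement as
// net error -11 (ERR_NOT_IMPLEMENTED), the code shown in the screenshot.

const ERR_NOT_IMPLEMENTED = -11; // net::ERR_NOT_IMPLEMENTED in Chromium's net_error_list.h

// Errors known to be harmless for the login flow: the page in the background
// keeps working (GitLab falls back to the PIN/token form), so the error
// screen must not be shown for them. Keep this allow-list as short as possible.
const IGNORED_ERROR_CODES = new Set([ERR_NOT_IMPLEMENTED]);

// Decide whether a `did-fail-load` event should trigger the error page.
// Only allow-listed codes are swallowed; every other failure (DNS, connection
// refused, certificate problems, ...) still surfaces to the user.
function shouldShowErrorPage(failure) {
  // Sub-frame failures (embedded widgets, iframes) never hide the main page
  // (design choice assumed for this example).
  if (!failure.isMainFrame) {
    return false;
  }
  return !IGNORED_ERROR_CODES.has(failure.errorCode);
}

// Wire the decision into a webview-like object. `webview.on` stands in for
// Electron's <webview> event API; the event object uses the same field names
// (errorCode, errorDescription, validatedURL, isMainFrame).
function attachLoadErrorHandler(webview, showErrorPage, log = () => {}) {
  webview.on('did-fail-load', (event) => {
    if (shouldShowErrorPage(event)) {
      showErrorPage(event.errorCode, event.errorDescription, event.validatedURL);
    } else {
      // Keep a trace so that a silently ignored error is still visible in logs.
      log(`ignored load failure ${event.errorCode} (${event.errorDescription}) for ${event.validatedURL}`);
    }
  });
}

// Minimal emitter standing in for an Electron webview (constructed for this example).
class FakeWebview {
  constructor() { this.handlers = {}; }
  on(name, fn) {
    if (!this.handlers[name]) this.handlers[name] = [];
    this.handlers[name].push(fn);
  }
  emit(name, payload) { (this.handlers[name] || []).forEach((fn) => fn(payload)); }
}

// Replays the two situations from the thread and reports which one showed the error page.
function simulateLogin() {
  const shown = [];
  const logged = [];
  const webview = new FakeWebview();
  attachLoadErrorHandler(
    webview,
    (code, desc, url) => shown.push({ code, desc, url }),
    (message) => logged.push(message),
  );

  // 1. U2F probe rejected by Electron: must NOT show the error page.
  webview.emit('did-fail-load', {
    errorCode: ERR_NOT_IMPLEMENTED,
    errorDescription: 'ERR_NOT_IMPLEMENTED',
    validatedURL: 'chrome-extension://placeholder-extension-id/u2f-comms.html', // placeholder id
    isMainFrame: true,
  });

  // 2. A real connectivity failure on the main frame: must show the error page.
  webview.emit('did-fail-load', {
    errorCode: -105, // net::ERR_NAME_NOT_RESOLVED
    errorDescription: 'ERR_NAME_NOT_RESOLVED',
    validatedURL: 'https://mattermost.example.invalid/login', // constructed URL
    isMainFrame: true,
  });

  return { shown, logged };
}
```

Calling `simulateLogin()` returns one entry in `shown` (the DNS failure) and one in `logged` (the ignored U2F probe), which is the behaviour the thread asks for: the PIN/token form that GitLab renders in the background is no longer covered by the error page, but genuine failures are not hidden.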

Closed via #733
