MFA bypassed with browser back button

I have an application with 3 groups. I register the user via PHP API insert and assign them to a group based on their options

I use the JavaScript widget to allow the user to login with Okta, and I have MFA enabled

If a user logs in with a valid username and password they are redirected to the MFA input. But if they click the back arrow on the browser until they get back to my page then refresh, they are logged into the site without having completed the MFA.

Can anyone verify this is happening on other sites? If not, tell me what setting I may have misconfigured; if so, is there a fix in the pipe for it?


Side note: MFA fires on EVERY login attempt. Is there a way to only have it occur on NEW or unrecognized devices after the initial success?

Example:
Bob registers and logs in via PC, he successfully completes MFA
Bob logs in from same PC again, he is asked to MFA (this is not desired)
Bob logs in from Tablet, he is asked for MFA (this is correct, as the device is not known)

I am not seeing this behavior, but I don’t have the exact same environment. I would look at / can you share your SignOn Policies?

  1. When you register a user, do they then have a session in your PHP application?
  2. Are you using the Hosted or Custom Sign On Widget?
  3. You can use device behaviors to allow customers to “Remember this device” to prevent MFA from occurring each and every time.
  1. no PHP session set on the site, there are some cookies setting data that is not Okta related on page load (stating not logged in status) and changed after login (using cookies because I can’t get the okta session via php script when using the JS widget)
  2. my widget code is below (mostly taken from Okta docs, changing only success behavior and setting variables for credential info)
  3. Thanks

widget code

var redirectUrl = "https://betadomain.com/login/success/";
var oktaDomain  = 'https://okta-domain.oktapreview.com';
var clientId    = "xxXXxxXXxxXXxxXXx";

// taken from Okta docs (with the exception of setting the variables above for easier editing from beta to live later, and reusing if needed)
var oktaSignIn = new OktaSignIn({
  baseUrl: oktaDomain,
  clientId: clientId,
  redirectUri: redirectUrl,
  authParams: {
    issuer: oktaDomain + "/oauth2/default",
    responseType: ['token', 'id_token'],
    display: 'page'
  }
});

if (oktaSignIn.token.hasTokensInUrl()) {
  oktaSignIn.token.parseTokensFromUrl(
    function success(res) {
      // The tokens are returned in the order requested by `responseType` above
      var accessToken = res[0];
      var idToken = res[1];

      // Say hello to the person who just signed in:
      console.log('Hello, ' + idToken.claims.email);

      // Save the tokens for later use, e.g. if the page gets refreshed:
      oktaSignIn.tokenManager.add('accessToken', accessToken);
      oktaSignIn.tokenManager.add('idToken', idToken);

      // Remove the tokens from the window location hash
      window.location.hash = '';
    },
    function error(err) {
      // handle errors as needed
      console.error(err);
    }
  );
} else {
  oktaSignIn.session.get(function (res) {
    // Session exists, show logged in state.
    if (res.status === 'ACTIVE') {
      // this connects to my PHP script to set my cookie data after/if login is successful
      $.ajax({
        type: "GET",
        url: '/api/profile_get_user/' + res.login,
        cache: false,
        success: function (data) {
          if (data === 'reload') {
            location.reload();
          }
        }
      });
      return;
    } else {
      // this connects to my PHP script to destroy my cookie data after/if login is not successful
      $.ajax({
        type: "GET",
        url: '/api/profile_get_user/none',
        cache: false,
        success: function (data) {
          if (data === 'reload') {
            location.reload();
          }
        }
      });
    }

    // No session, show the login form
    oktaSignIn.renderEl(
      {el: '#widget-container'},
      function success(res) {
        // Nothing to do in this case, the widget will automatically redirect the user to Okta for authentication, then back to this page if successful
      },
      function error(err) {
        // handle errors as needed
        console.error(err);
      }
    );
  });
}

Just a thought - instead of testing for session (res.Status == ACTIVE), could you use the success() function instead? (From looking at this: https://developer.okta.com/code/javascript/okta_sign-in_widget/) ?

I tried changing my JS to the following based off of the page you sent me to (assuming this is the block you were referring to), and I am only getting the console log for “run”, not a success or error (or else) message.

The page loads, the login form shows, and even after logging in and getting redirected to my success page, the script does not return a successful login message

console.log('run');
oktaSignIn.renderEl({
  el: '#widget-container'
}, function success(res) {
  if (res.status === 'SUCCESS') {
    console.log('success');
    console.log(res);
  } else {
    console.log('else');
    console.log(res);
    // The user can be in another authentication state that requires further action.
    // For more information about these states, see:
    //   https://github.com/okta/okta-signin-widget#rendereloptions-success-error
  }
}, function error(res) {
  console.log('error');
  console.log(res);
});

It looks like that bit of code was just to “display” the login box if there is no token already set based on the OktaSignIn() response

Oops. My apologies…
