18f / identity-idp
Login.gov Core App: Identity Provider (IdP)
Home Page: https://secure.login.gov/
License: Other
(I work in GSA IT, Office of the CTO. I am submitting this as part of our work to ensure GSA complies with the new Federal Source Code Policy.)
GSA needs to create an inventory of all agency source code, whether open source or closed source. The inventory we create will appear on Code.gov. The inventory will contain basic information about each source code repository, but will not include the source code itself. Please read the implementation guide and use it to submit this repository to the inventory by December 5.
Basically, please do one of the following, the details of which are described in the implementation guide:
Add a metadata file (.codeinventory.yml or .codeinventory.json) to this repository (optionally, use this tool to generate a metadata file). Please ensure that every source code repository under the umbrella of this project (e.g., ckanext-geodatagov) contains its own code inventory metadata file.
Let me know if you would like me to open a PR with an example .codeinventory.yml file.
Please let me know if you have any questions.
Thanks!
Timer prompt disappears, "enter your paper key" prompt reappears.
"enter your paper key" prompt is gone, I'm looking at the profile page.
SMS OTP is not coming through. Logs are not showing any error. Investigate.
Hi there. I am an approved TSA Pre-check member, and I was trying to check on my account. I received a note from Delta that my name is not matching how it is listed in my known account, and I was trying to verify this. I experienced the following issues when trying to login to view my information. I have still not been able to login to verify my information, see below for exact steps I took.
I completed the following CYCLE 1 6 times before I was provided the 2-factor authentication screen (CYCLE 2). I was only able to get to this screen twice. CYCLE 2 occurred 3 times.
CYCLE 1:
I enter my username (email address) / password on the login screen.
I am directed to https://secure.login.gov/phone_setup to provide my phone number and select if I would prefer to receive a text message or a phone call.
I select Send Security Code and am redirected back to the login screen. I receive the security code, but have no place to enter it.
CYCLE 2:
I enter my username (email address) / password on the login screen.
I am directed to https://secure.login.gov/phone_setup to provide my phone number and select if I would prefer to receive a text message or a phone call.
I select Send Security Code and am redirected to the 2 factor screen: https://secure.login.gov/login/two_factor/sms
I never receive the security code, and am logged out due to time issues.
OS: Mac OS X Version 10.11.6
Browser: Chrome Version 61.0.3163.100
Date/Time: 10/2/17 at 10:30AM EST
URLs:
https://secure.login.gov/
https://secure.login.gov/phone_setup
https://secure.login.gov/login/two_factor/sms
Why: When we imported the code from ICAM, we disabled the queue adapter. This is our chance to start fresh with Sidekiq, which is better than Resque.
I am a government employee working in a facility that does not allow me to have access to my cellphone. Is there a reason that email in addition to text/phone was not included as part of the two-factor login process? Although that wonderful key code works, it is incredibly unwieldy in practice to check on application statuses in USAJOBS.GOV (the site I need to use at work). All of my security training is telling me to not write that code down on paper somewhere; it's like writing your password on a sticky note. And it shouldn't be saved on my computer either. To compound the issue, it changes to something else the next time I login.
I login with my username and password
it gives me the option to use my email on record to confirm
I login with my username and password
it only gives me the option of using my cellphone or a one time password that must be written down and changes every time I login.
My cellphone is simply not available to me for my entire workday.
Thanks for considering my issue. If this is the wrong project, I will promptly remove this.
On OSX Sierra:
git clone ..., followed by bin/setup --docker
App visible on localhost:3000
FATAL: database "upaya_development" does not exist
Hi! Before opening a new issue, please make sure it has not already been reported.
Once you are sure the issue is valid, please fill out the details below.
Thanks!
I registered my email: [email protected], it sent a text and I entered it but it will go back to login and say "oops something is wrong" it keeps cycling. Please help.
When submitting a bug report, it's helpful to include any details that may be necessary to reproduce the bug, including:
Mac OS
Safari
10/2/17 11:50am
To test, replace xit with it in home_page_spec.rb.
Went through the new setup, received a txt with code, but was taken to a login screen. (NEVER provided a screen to enter code)
Now, when I try to login, I get a message "Oops, something went wrong. Please sign in again." . What is that?
Please instruct on how to get past this. My email is now already registered, but can't login.
Hi,
I had already submitted an application through the previous GOES website. I've created a login.gov account but I keep encountering problems logging in. Once I do manage to login, I only see the account settings page (where I get to choose my email address / phone number) and there is no place to view my existing application / interview schedule.
Kind regards,
Mandeep
This spec failed intermittently on Travis:
Users::RegistrationsController user updates profile with invalid email and existing mobile
displays error about invalid email
Failure/Error: expect(SmsSenderOtpJob).to_not have_been_enqueued.with(global_id(user))
expected to not enqueue a SmsSenderOtpJob with
[#<RSpec::ActiveJob::Matchers::GlobalID:0x0000000eac50e0 @expected=#<User id: 11],
but enqueued a SmsSenderOtpJob with [{"_aj_globalid"=>"gid://upaya/User/11"}]
# ./spec/controllers/users/registrations_controller_spec.rb:526
It might be advantageous to use HKDF rather than SHA-256 to generate the EncryptionKey hash at https://github.com/18F/identity-idp/blob/master/app/services/user_access_key.rb#L27
The existing pattern is ok. It could be better.
I am unable to manage my application through your new website. It is not allowing me to see anything related to the application and frankly the website crashes and cycles me through the log in and authentication via authentication code several times over before even getting into the limited account screen that I can see.
Please advise how I am supposed to get to my application and scheduled interview.
Thanks
The command produces no errors.
The command fails when attempting to clone the repository [email protected]:18F/identity-equifax-api-client-gem.git
. I'm assuming this is because the repository is private, but it may just be a repository that does not exist in my parallel universe.
A log can be found here: https://gist.github.com/rhencke/0c1addda5c5c5342f92adbd48461cfb8
On https://secure.login.gov/account_reset/request, it says "intial confirmation". It should be "initial confirmation".
Redirect back to https://ttp.cbp.dhs.gov/ with a signed in account
Window appears with "Session: Your session is no longer active. Please log in again."
Screenshot: https://photos.app.goo.gl/RQoiF3YeB4d5tehw9
This is preventing me from applying for Global Entry. Let me know if you need me to capture any other debugging info. Thanks for taking a look!
Copying over this bug from @romnempire at GSA-TTS/identity-site#241 -
I recently made a login.gov account on chrome stable for android 8.1 on a nexus 5x using the gboard as keyboard
Within the account creation flow, once I had been issued a personal key, I was prompted to verify I had saved the key elsewhere by retyping it. I was unable to do so, encountering the same bug multiple times.
I would type several characters, and after a variable number (from 5-10), the field would blank and no characters would show. Backspacing would not work, in this situation, and it would actually add characters. It seemed like if I pressed backspace, it would put the prior state of the field into the field but not remove the future state. (like AABA + C => AABAC + Backspace => AABAAABAC), but I didn’t mess with it enough to verify that.
Eventually I tried copying and pasting the personal key. This worked.
Going by the login spec here: https://github.com/18F/identity-idp/blob/master/docs/encryption-and-key-rotation.md
And the code here: https://github.com/18F/identity-idp/blob/master/app/services/user_access_key.rb
Many aspects of this make no sense to me... IF this is actually what you are doing...
hash(user, password) {
salt = CS-PRNG(160bit)
s = scrypt(salt, password)
z1 = s[0:32]
z2 = s[32:64]
R = CS-PRNG(256bit)
d = HSM(R) XOR ( pad_right(z1, 0x00, 32 bytes))
cek = SHA256(z2 || d)
hash = SHA256(cek)
save_record(user, d, salt, hash)
}
First and foremost, if the HSM operation is to have any meaning, it needs to be in the critical path for encrypting / decrypting data and possibly also calculating the password hash. If you don't need to go through the HSM to perform a decrypt or a hash validation, then obviously the HSM isn't actually securing anything! All it becomes is a source of entropy into the key derivation, but that's more likely to harm than help.
From the specification;
"It is important to note that the HSM factor strengthens the model in a way different than the other two factors, which rely on keeping them secret. Because the HSM is tied to a physical object, brute force attacks on our database would need to happen in proximity to the HSM, i.e., within our AWS environment, which greatly reduces the attack surface. A bad actor with a copy of the database cannot apply their own computing power to brute force cracking of passwords."
But to be clear, if you have 'd', 'salt', and 'hash', you can brute force attack passwords as;
s = scrypt(salt, password)
h = SHA256(SHA256(s[32:64] || d))
h =? hash
Now, if you were not storing 'd' in the user record, you might think to store what you call 'R' in the user record. Then you would have to go through the HSM as part of each login to derive the correct 'd' and 'cek' which is how it's supposed to work.
But even that design is still not good enough. You don't want to allow an attacker to pull 'R' from your database, send it through the HSM just once, and then be able to start brute forcing the password forever from there on out. If you're going to pay for an HSM, and if you're going to call it for each password verification, then you better make sure an attacker is also required to call the HSM for each attempt they make at cracking a password. Which means you send your password hash (or something derived from it) through the HSM, not just a random 'R'!
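As an added example (not the project's code, and not the pseudocode above run as-is), here is a Ruby model of the scheme as the comment reads it, with the HSM stood in for by a keyed HMAC whose key only the Hsm object holds; the scrypt parameters and the exact construction of the "HSM-bound" variant are choices made for this example, not the project's settings. It checks the two claims above: the stored (d, salt, hash) record verifies a password with no HSM call at all, whereas a variant that passes a password-derived value through the HSM cannot be verified without it.

```ruby
require "openssl"
require "securerandom"

# Stand-in for the HSM: a keyed function whose key never leaves this object.
# (Constructed for this example; the real HSM operation is not modelled.)
class Hsm
  def initialize
    @key = SecureRandom.random_bytes(32)
  end

  def apply(input)
    OpenSSL::HMAC.digest("SHA256", @key, input)
  end
end

def sha256(data)
  OpenSSL::Digest::SHA256.digest(data)
end

# scrypt cost parameters are example values, not the project's settings.
def scrypt64(salt, password)
  OpenSSL::KDF.scrypt(password, salt: salt, N: 2**14, r: 8, p: 1, length: 64)
end

def xor(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison of two equal-length byte strings.
def secure_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The scheme as summarised in the comment above: the HSM only transforms a
# random R; the result d is stored alongside salt and hash. z1 is already
# 32 bytes, so the pad_right in the pseudocode is a no-op here.
def enroll_as_described(password, hsm)
  salt = SecureRandom.random_bytes(20)            # CS-PRNG(160bit)
  s = scrypt64(salt, password)
  z1, z2 = s[0, 32], s[32, 32]
  r = SecureRandom.random_bytes(32)               # CS-PRNG(256bit)
  d = xor(hsm.apply(r), z1)                       # HSM(R) XOR z1
  cek = sha256(z2 + d)
  { d: d, salt: salt, hash: sha256(cek) }
end

# Verification from the stored record alone. Note there is no hsm parameter:
# this is the commenter's point that the HSM is not in the critical path.
def verify_without_hsm(record, password)
  s = scrypt64(record[:salt], password)
  h = sha256(sha256(s[32, 32] + record[:d]))
  secure_equal(h, record[:hash])
end

# The alternative the comment sketches: store R rather than d, and feed a
# password-derived value (z1) through the HSM, so every verification must
# call it. This exact construction is an example, not the project's design.
def enroll_hsm_bound(password, hsm)
  salt = SecureRandom.random_bytes(20)
  s = scrypt64(salt, password)
  z1, z2 = s[0, 32], s[32, 32]
  r = SecureRandom.random_bytes(32)
  d = hsm.apply(r + z1)                           # HSM sees the password-derived z1
  cek = sha256(z2 + d)
  { r: r, salt: salt, hash: sha256(cek) }
end

# Here d cannot be recomputed from the record without the HSM's key, so the
# stored (r, salt, hash) on its own does not suffice to check a candidate.
def verify_hsm_bound(record, password, hsm)
  s = scrypt64(record[:salt], password)
  d = hsm.apply(record[:r] + s[0, 32])
  h = sha256(sha256(s[32, 32] + d))
  secure_equal(h, record[:hash])
end
```

Swapping in a fresh Hsm (a different key) makes verify_hsm_bound fail even for the right password, which is the property the comment is asking for.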
I suspect this is probably waaaay out of scope, but just because it won't do much good sitting in my own brain:
For more resiliency, might be interesting down the road to actually offer to [postal] mail a recovery code to a "friend or family member who keeps well-maintained records". I imagine it might involve entering a simple, low-entropy password. This could be used in combination with the mailed recovery code, in order to log in if someone loses their phone and files.
This is perhaps much more interesting to me personally, as I'm interested in decentralized identity systems. I'd like to think this might be the seed of a way to make these more resilient in a world where there might be zero official recourse in drastic circumstances (e.g. losing phone in boating accident, files in a house fire, or neighborhood in a tsunami, and things like that...!).
Can probably copy over Vagrantfile and script/bootstrap.sh from save-ferris
Down the road, I imagine service providers might want to know the political districts (city/state districts, etc.) that a verified address falls under, without needing access to the full address. For example, if a site wants to mediate interactions between citizen and state representatives, login.gov just needs to relay enough info so that the site can verify that a user is a citizen of the state.
This information corresponds to the "Division" object in the OpenCivicData (OCD) standard.
It would be great if, during verification, the exact address could be resolved to these divisions at the city/state/federal level, and attributes could be added for each.
I haven't used this API, but if Google is a sufficiently reliable source, they offer an endpoint that will return OCD divisions by address:
https://developers.google.com/civic-information/docs/v2/representatives/representativeInfoByAddress
cc: @datamade
Account history shows text indicating I changed my password.
Account history shows "translation missing: en.event_types.password_changed".
None. The one-time security code when creating an account can only be reproduced if I create another account.
I expect to receive only one SMS with the one-time security code.
I receive an SMS with the one-time security code for creating my account every five minutes or so, despite the fact that I have used the code and created my account.
Just now, 8/22/17 7:54am CT, was the last time I received the SMS that keeps repeating. It's been coming repeatedly since I created the account earlier today.
I tried to login into login.gov using Firefox (ver 52.3.0) and could not get past the create a login screen for the login name and password (the site would not progress to the next screen, but instead would stay stuck on the same login creation screen)
I then tried to login using IE (ver 11.0.9600) and had success in getting past the login and password creation screens. The program then prompted me to verify my account by sending me an email or a text to my phone. I entered my mobile phone number and got the verification code as expected. BUT the login.gov website had another thing in mind. Instead of progressing to a login verification code text entry screen, the site reported a TIME-OUT warning stating "For your security, we clear what you entered if you don't move to a new page within 8 minutes." I DID NOT delay for more than 8 minutes. The delay was more like 20 seconds.
Note, the login.gov site seems to respond better to IE or maybe another browser, but not so well with Firefox.
Heyo! Currently, key material is generated locally and deployed to a prod(ish) server as a file on the filesystem.
I was hoping to suggest two changes relating to this:
_BASE64 for better handling these config keys. As for why we'd even base64 encode in this specific case (the key material), I prefer that just because it renders more clearly as one line in the .env file in the heroku config output.
This begs another question (2): whether it might make sense to formally use a suffix for config keys that are base64 encoded. This would help the app know how to handle them more generally, and would also hint the validator on what needs to be checked (See #913)
Happy to make this issue only about (1), since this might be conflating things ;)
While onboarding, I've been following the directions on getting this app going in the README. I found a few things that could use some updating:
I seemed to need to start redis and postgres separately, rather than together, as shown.
I needed to install rvm/rbenv, the proper ruby, and npm, and maybe the bundler gem to get the setup script to work. I think it would be good to at least mention this.
It would be good to have some documentation about why there are two different methods for running the app (docker vs local machine). If it were me, I'd choose one and get everybody using that so that we would have fewer moving parts to support/document, but I don't know the background here.
Go to your settings page with the hopes of migrating your 2FA authentication app to a new phone.
Have a way that's readily understandable to do that.
See a "Disable" button and, when clicking that, getting put into a flow that does help "set up" 2FA as if it was your first time. Confusing and hidden! The button probably needs to be renamed to "Update"?
User is able to log into website
This error message:
Version 61.0.3163.100
9:57am, October 2, 2017
Dependabot couldn't resolve your project's dependencies as it couldn't access identity-proofer-gem.
You can grant Dependabot access to identity-proofer-gem by adding the repository here. We'll automatically close this issue and kick off another update run once permission is granted.
Any plans for Node/JS library?
A Meteor.js Auth package would be awesome
The setup script command doesn't seem to work:
run 'bin/rake db:environment:set RAILS_ENV=test db:reset'
$ rake db:environment:set RAILS_ENV=test db:reset
+ bundle exec rake db:environment:set RAILS_ENV=test db:reset
warning: parser/current is loading parser/ruby23, which recognizes
warning: 2.3.3-compliant syntax, but you are running 2.3.5.
warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
rake aborted!
ActiveRecord::NoDatabaseError: FATAL: database "upaya_test" does not exist
/Users/andrewbrody/.rbenv/versions/2.3/bin/bundle:22:in `load'
/Users/andrewbrody/.rbenv/versions/2.3/bin/bundle:22:in `<main>'
PG::ConnectionBad: FATAL: database "upaya_test" does not exist
/Users/andrewbrody/.rbenv/versions/2.3/bin/bundle:22:in `load'
/Users/andrewbrody/.rbenv/versions/2.3/bin/bundle:22:in `<main>'
Tasks: TOP => db:environment:set
(See full trace by running task with --trace)
Running without the db:environment:set seems to work?
$ rake RAILS_ENV=test db:reset
+ bundle exec rake RAILS_ENV=test db:reset
warning: parser/current is loading parser/ruby23, which recognizes
warning: 2.3.3-compliant syntax, but you are running 2.3.5.
warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
Dropped database 'upaya_test'
Created database 'upaya_test'
-- enable_extension("plpgsql")
-> 0.0469s
-- create_table("app_settings", {:force=>:cascade})
-> 0.0475s
-- create_table("authorizations", {:force=>:cascade})
-> 0.0379s
-- create_table("events", {:force=>:cascade})
-> 0.0249s
-- create_table("identities", {:force=>:cascade})
-> 0.0575s
-- create_table("otp_requests_trackers", {:force=>:cascade})
-> 0.0296s
-- create_table("profiles", {:force=>:cascade})
-> 0.0542s
-- create_table("service_provider_requests", {:force=>:cascade})
-> 0.0211s
-- create_table("service_providers", {:force=>:cascade})
-> 0.0278s
-- create_table("users", {:force=>:cascade})
-> 0.0710s
-- create_table("usps_confirmation_codes", {:force=>:cascade})
-> 0.0204s
-- create_table("usps_confirmations", {:force=>:cascade})
-> 0.0103s
-- add_foreign_key("events", "users")
-> 0.0100s
I entered my email address, then received confirmation email (confirmed), then proceeded to create a password website, then I click on the checkbox to 'show my password 2 times' after this I proceeded to next step, and received an error message 'oopss something went wrong'
To continue to another application.
I got returned to the main login screen and cannot login or create new account, I get returned to the main screen every time. I might have to delete cookies to continue.
I tried to bundle install, and am getting the following error:
Fetching https://github.com/amoose/simple_form.git
error: object 0b19ab36fd8bb641c20610e6b8ea11c7eb480057: zeroPaddedFilemode: contains zero-padded file modes
fatal: Error in object
fatal: index-pack failed
I think there's something wrong with that repo; I've tried to clone it standalone, but get the same error.
Let's turn off server tokens for secure.login.gov
Following headers are being emitted:
X-Powered-By: Phusion Passenger
Server: nginx + Phusion Passenger
server_tokens off in nginx/conf is a place to start
Hello,
We've tried to activate your repository on Depfu and got permission errors when running Bundler. That most likely means you have dependencies in your Gemfile that refer to private Github repos.
In order to fix the issue, please give our Github App access to all private Github repos used in your Gemfile. You can do that the same way you activated this repo in the first place:
https://github.com/apps/depfu/installations/new
Once we have access, everything should start automatically.
Please let us know by sending an email to [email protected].
This is an automated issue by Depfu. You're getting it because someone configured Depfu to automatically update dependencies on this project.
https://github.com/18F/identity-idp/blob/master/app/views/verify/activated.html.slim#L6
This route idv_url no longer exists, and so an error is thrown. Seems it was changed to verify_url, but that would result in a loop on this page, so I'm not sure what it should be ;)
./bin/setup --docker
web service running on port 3000
When docker-compose is spinning up the containers, I get this error message:
[...snipped part above that is working...]
Status: Downloaded newer image for postgres:latest
Creating identityidp_redis_1 ...
Creating identityidp_db_1 ...
Creating identityidp_db_1
Creating identityidp_redis_1 ... done
Dropped database 'upaya_development'
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Network is unreachable
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
Couldn't drop database 'upaya_development'
rake aborted!
PG::ConnectionBad: could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Network is unreachable
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
Operating system: CentOS7
Docker version 18.01.0-ce, build 03596f5
docker-compose version 1.17.0, build ac53b73
Hi y'all! 👋
Saw this new project and thought it might be useful as a CI integration for login.gov:
https://security.googleblog.com/2016/12/project-wycheproof.html
https://github.com/google/wycheproof
Happy Holidays!
If I submitted a PR for using bundle exec rackup config.ru $PORT
, would y'all accept that? Assuming that's what's being used in production, so wondering if we might as well standardize on that.
IGNORE THIS. was opened accidentally :)
Only the :user role should be supported at the moment
See app/models/authorization.rb
Out of date reference on login.gov help page: "This week, login.gov saw higher than expected volume which caused downtime and delays for many users. "
Please forgive me for creating an Issue, but I've been pulling my hair out trying to test another REST service that is strictly TLS 1.2 (and may be a consideration for this IdP).
When using Locust to test another REST service that is strictly TLS 1.2, I experience a high error rate (Locust Empty Response). Has this been encountered using Locust to test this service, when this service is limited to TLS 1.2 on the web servers?
@konklone I have additional information to share, but, related to a service in a closed repo.
Thanks in advance!
To make sure we start off with a clean codebase
Dependabot couldn't resolve your project's dependencies as it couldn't access identity-equifax-api-client-gem.
You can grant Dependabot access to identity-equifax-api-client-gem by adding the repository here. We'll automatically close this issue and kick off another update run once permission is granted.
I know that you guys are definitely not interested in supporting others running your code, but I was wondering whether you might have any quick pointers on what envvars and services must run on prod environment. (In particular, I'm trying to get it running on heroku, but that's not so much important.)
Right now, these were my assumptions:
Procfile.production without the mail process.
.env.production with: RAILS_ENV=production, smtp_settings for sendgrid
heroku local -f Procfile.production -e .env.production
This is what I get (the URL shows that I was running rack, but same experience when running the default webrick rails server):
Attempting to login to https://ttp.cbp.dhs.gov
Click [Log In] > Consent > Sign in
The system asks for Email address.
The old site https://goes-app.cbp.dhs.gov/ requires a User ID.
Attempt to use email address associated to the User ID and enter password.
Try resetting password. Use the reset process.
Expect to log in successfully or receive email to reset password.
Password fails.
No email is received to reset password. Sent email from another account and received test emails. The process is not sending the password reset link.