Show offline-password caching notice after Entra login#1613
Conversation
|
GDM now shows this message before the |
|
SSH login shows this It's printed twice (which we should fix), and add a line separator or somehow emphasize it, or make it harder to miss; because it shows up before the SSH login text fills the terminal @copilot investigate why the |
... Fixed in 7081af0. The notice was being shown once by the native PAM flow itself and then a second time by the module’s generic auth-return message path. The follow-up change stops re-emitting granted success notices for clients that already display or defer them, so SSH should now show it once and GDM should no longer surface it during authentication. |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## 002-entra-password-mfa-auth #1613 +/- ##
===============================================================
- Coverage 87.03% 86.86% -0.17%
===============================================================
Files 123 123
Lines 8352 8377 +25
Branches 111 111
===============================================================
+ Hits 7269 7277 +8
- Misses 1027 1044 +17
Partials 56 56 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
nooreldeenmansour
force-pushed
the
copilot/wip-add-caching-indicator
branch
2 times, most recently
from
d4a92e7 to
7a0109c
Compare
nooreldeenmansour
changed the title
nooreldeenmansour
force-pushed
the
copilot/wip-add-caching-indicator
branch
2 times, most recently
from
deb0469 to
3aab8d1
Compare
nooreldeenmansour
force-pushed
the
002-entra-password-mfa-auth
branch
3 times, most recently
from
27a6aea to
e853b98
Compare
nooreldeenmansour
force-pushed
the
002-entra-password-mfa-auth
branch
4 times, most recently
from
509900b to
a1e0379
Compare
nooreldeenmansour
force-pushed
the
copilot/wip-add-caching-indicator
branch
from
3aab8d1 to
827736a
Compare
nooreldeenmansour
force-pushed
the
002-entra-password-mfa-auth
branch
2 times, most recently
from
2639346 to
b91ee52
Compare
nooreldeenmansour
force-pushed
the
copilot/wip-add-caching-indicator
branch
2 times, most recently
from
58f158e to
49c71ba
Compare
| // response after the user's password is cached locally (during the Entra | ||
| // password + MFA flow), letting them know they can subsequently log in | ||
| // offline. It is broker-owned so it can be localized independently of authd. | ||
| const cachedPasswordMessage = "Your password was cached for offline login." |
There was a problem hiding this comment.
I don't like the term "cached" in that message. Claude agrees (without me biasing it, I just asked it what it thinks about the existing message):
To a non-technical user, "cached" is vague — it doesn't convey what happened (their Entra password is now their local login password) or why it matters (they can log in without a network).
However, the alternatives it provides are quite long. So before proposing something, I'd like to know for how long this message is displayed.
There was a problem hiding this comment.
Agreed; happy to change the message.
For GDM, it lasts around 3 seconds, and for SSH, it lasts around a second (but the other message Creating directory .... is barley noticable as well for SSH/native logins)
There was a problem hiding this comment.
For GDM, it lasts around 3 seconds
then it indeed shouldn't be too long. how about "Your Entra password now works for offline login."?
There was a problem hiding this comment.
I like it, the fact that we don't say "local password" (I think we have already dropped that term in #1520?)
We could also go with "Offline login is enabled with your Entra password."
Edit: yes, we currently use Enter your password instead of Enter your local password as suggested in #1520 (comment)
There was a problem hiding this comment.
We could also go with "Offline login is enabled with your Entra password."
I'd be fine with that as well. Choose whichever you prefer.
Edit: yes, we currently use Enter your password instead of Enter your local password as suggested in #1520 (comment)
Yeah, that's actually the more important UX improvement. Even without this message, the user will likely just enter their Entra password without questioning it - in contrast to the "Enter your local password" prompt.
There was a problem hiding this comment.
Valid point. Entra Multifactor Authentication is a better name for the flow; however, in the placeholder holders, we should keep using the "Entra Password"
I think you may include that as part of #1614, we can discuss it further there
There was a problem hiding this comment.
oh and another problem. Both "Your Entra password now works for offline login." and "Offline login is enabled with your Entra password." are not accurate when force_access_check_with_provider = true, because then offline login is not possible. (Side note: it's also not possible when local_password = false, but then we shouldn't even store the hashed the password and omit the message altogether)
Given that and the fact that we still call it "Local password" in the selection prompt, maybe it is actually better to use "local password" in the message instead of "offline login". Something like "Your Entra password is now your local password too."
There was a problem hiding this comment.
in the placeholder holders, we should keep using the "Entra Password"
do you mean in the prompt "Enter your Entra ID password"? then I agree. or is there any other place where we use placeholders?
There was a problem hiding this comment.
maybe it is actually better to use "local password" in the message instead of "offline login". Something like "Your Entra password is now your local password too."
Agreed, let's not do complex logic to handle the message depending on whether the user has which config property.. or not
nooreldeenmansour
force-pushed
the
copilot/wip-add-caching-indicator
branch
5 times, most recently
from
034f640 to
80fad75
Compare
The Entra password+MFA login failed with "invalid character 'Y' looking
for beginning of value" after a successful grant. The broker emitted the
success message as a bare string while the consumer (dataToMsg) expects
a {"message": ...} envelope, so the PAM client's parse aborted an
already-granted login.
Forward a consistent {userinfo, message} envelope from IsAuthenticated
so consumers always parse the same shape regardless of whether the broker
attached a notice. Encode IAResponse.Msg as {"message": ...} matching
the format used for non-granted replies. Non-string values in the broker's
message field are treated as absent rather than rejected, so a malformed
cosmetic field never blocks an already-granted login at the broker boundary.
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
A cosmetic notice attached to a granted IAResponse must never abort an already-granted login. Treat a parse error on the Msg field as a warning and fall back to showing no notice. Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
After the Entra password+MFA flow caches the user's password for offline login, the user had no indication that their local password was set to their Entra password Attach a broker-owned notice to the granted response so it surfaces through the PAM conversation. The notice lives in the broker — the component that knows when caching occurred — rather than being hardcoded in authd. Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Native (SSH, non-TTY) clients receive the granted message twice: once through nativeModel.sendInfo and again through the PAM TextInfo conversation echo in sendReturnMessageToPam. GDM and interactive- terminal clients do not go through the native sendInfo path, so they must keep receiving the echo. Suppress the redundant PAM-conversation echo only for Native clients by returning false from shouldSendAuthMessage when clientType == Native and the response is a success. Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
nooreldeenmansour
force-pushed
the
copilot/wip-add-caching-indicator
branch
from
80fad75 to
2a1b9de
Compare
UDENG-10797
After the Entra password+MFA flow caches the user's password for offline login,
users had no indication that their local password was set to their Entra password
(#1520 discussion).
Changes
broker: Attaches a broker-owned caching notice to the granted response so itsurfaces through the PAM conversation. The notice lives in the broker — the component
that knows when caching occurred.
broker/pam: Normalizes the granted-message envelope. Granted responses wereemitting the notice as a bare string instead of the
{"message": ...}envelope everyconsumer expects, aborting already-granted logins with
invalid character 'Y'. Non-stringmessage values are treated as absent rather than rejecting the login.
pam: Fixes a double-echo on native clients (SSH).Nativeclients were printingthe notice twice — once via
nativeModel.sendInfoand again viasendReturnMessageToPam.GDM and interactive-terminal clients do not go through the native sendInfo path and
continue to receive the notice through the PAM conversation.