Skip to content

MFA: Change GenerateSecretKey Response code from 403 to 201#1496

Open
asmithakarun wants to merge 2 commits into
ibm-openbmc:1210from
asmithakarun:mfa_GenSecretKeyRespCode
Open

MFA: Change GenerateSecretKey Response code from 403 to 201#1496
asmithakarun wants to merge 2 commits into
ibm-openbmc:1210from
asmithakarun:mfa_GenSecretKeyRespCode

Conversation

@asmithakarun

Copy link
Copy Markdown
Contributor

GenerateSecretKeyRequired error response should behave similar to that of PasswordChangeRequired.

cmjishnu and others added 2 commits June 29, 2026 22:59
GenerateSecretKeyRequired should behave similar to
PasswordChangeRequired.
Expecting 201 status code instead of 403

Change-Id: Iec6c925f04584b2cdd93aec743b04d6a8dbde4bc

Signed-off-by: Jishnu CM <jishnunambiarcm@duck.com>
Co-authored-by: Jishnu CM <jishnunambiarcm@duck.com>
GenerateSecretKeyRequired should behave similar to PasswordChangeRequired.
Expecting 201 status code instead of 403.

Tested by

curl --insecure -X POST -D headers.txt https://${bmc}/redfish/v1/SessionService/
Sessions -H "Content-Type: application/json" -d '{"UserName":"MFAUser",
"Password":"0penBmc0"}' -I
HTTP/1.1 201 Created
Allow: GET, HEAD, POST
OData-Version: 4.0
X-Auth-Token: PwGj0UUtSefbWsczZC2C
Location: /redfish/v1/SessionService/Sessions/OZvC3sXnEU
Strict-Transport-Security: max-age=31536000; includeSubdomains
Pragma: no-cache
Cache-Control: no-store, max-age=0
X-Content-Type-Options: nosniff
Content-Type: application/json
Date: Tue, 03 Mar 2026 12:35:22 GMT
Content-Length: 1493

Signed-off-by: cmjishnu <cmjishnu@gfwa166.aus.stglabs.ibm.com>
Co-authored-by: cmjishnu <cmjishnu@gfwa166.aus.stglabs.ibm.com>
@asmithakarun

Copy link
Copy Markdown
Contributor Author

Tested By:

  • Created read-only user
  • Enabled MFA for all users (system-wide config)
  • When readonly user logs in, GenerateSecretKeyRequired is sent back in redfish response along with session creation details, and verified that the return code is 201
Note: Unnecessary use of -X or --request, POST is already inferred.
* Host r<...>:443 was resolved.
...
* using HTTP/1.x
> POST /redfish/v1/SessionService/Sessions HTTP/1.1
> Host: rain71bmc.aus.stglabs.ibm.com
> User-Agent: curl/8.7.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 51
> 
* upload completely sent off: 51 bytes
< HTTP/1.1 201 Created
< Allow: GET, HEAD, POST
...
{
  "@Message.ExtendedInfo": [
    {
      "@odata.type": "#Message.v1_1_1.Message",
      "Message": "The Time-based One-Time Password (TOTP) secret key for this account must be generated before access is granted.  Perform the GenerateSecretKey action at URI '/redfish/v1/AccountService/Accounts/readonly_test' and retain the secret key from the response.",
      "MessageArgs": [
        "/redfish/v1/AccountService/Accounts/readonly_test"
      ],
      "MessageId": "Base.1.19.GenerateSecretKeyRequired",
      "MessageSeverity": "Critical",
      "Resolution": "Generate secret key for this account by performing the `GenerateSecretKey` action on the referenced URI and retaining the secret key from the action response to produce a Time-based One-Time Password (TOTP) for the `Token` property in future session creation requests."
    }
  ],
  "@odata.id": "/redfish/v1/SessionService/Sessions/<>",
  "@odata.type": "#Session.v1_7_0.Session",
  "ClientOriginIPAddress": "9.5.7.19",
  "Description": "Manager User Session",
  "Id": "SqDPklcEVk",
  "Name": "User Session",
  "Roles": [
    "ReadOnly"
  ],
  "UserName": "readonly_test"
* Connection #0 to host rain71bmc.aus.stglabs.ibm.com left intact
}```

@asmithakarun

Copy link
Copy Markdown
Contributor Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants