Posted to user@guacamole.apache.org by "J.T. Moore" <jt...@outlook.com> on 2020/09/23 12:23:27 UTC

Issue with guacamole-auth-totp and MariaDB

I've run into a strange issue trying to use TOTP 1.2.0 with a MariaDB 10.3 database server on CentOS 8.2 with Tomcat 9.0. Authentication works as expected using Guacamole 1.2.0 with JDBC authentication and Maria without the TOTP module installed. However, when the TOTP module is installed, no users are able to successfully enroll for TOTP authentication. The enrollment QR code is displayed as expected and I can see where guac-totp-key-secret=new_key_value and guac-totp-key-confirmed=false attributes are correctly inserted into the guacamole_user_attribute table for the user at the start of the enrollment process. However, when the user enters the authentication code, the "verification failed" message is always displayed.

I added some debug logging to guacamole-client-1.2.0/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java to gather some more information. From that, I found that when the getKey() method is called, the if (secret == null) condition is always matched. So, a new secret is then generated during each attempt to verify the authentication code. However, since the user and server are using different keys at that point, the generated authentication codes don't match.

Unfortunately, I did not check to see what context.self().getAttributes() was returning, but I expect it was possibly not returning either of the user attributes.

I have since replaced MariaDB server 10.3 with MySQL community server 8.0.21 and that allowed me to get the TOTP module working.

So, this looks like a possible bug when reading values from guacamole_user_attribute if MariaDB is used.

JT Moore
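
The failure mode reported above, as an added example that is not part of the original post and is not Guacamole code: a simplified Python model of a server that generates a fresh TOTP key whenever the stored secret cannot be read back, so the code from the enrolled key never verifies. The Server class, its attributes_readable flag, the 20-byte base32 key, the 30-second step and 6 digits are assumptions for illustration; only the two attribute names come from the post.

```python
import base64, hashlib, hmac, os, struct

SECRET_ATTR = "guac-totp-key-secret"        # attribute names quoted in the post
CONFIRMED_ATTR = "guac-totp-key-confirmed"

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Server:
    """Hypothetical model of the flow described in the post."""
    def __init__(self, attributes_readable: bool):
        self.db = {}                         # stands in for guacamole_user_attribute
        self.attributes_readable = attributes_readable
        self.keys_generated = 0

    def read_attributes(self) -> dict:
        # Simulated fault: the rows exist, but the read returns nothing.
        return dict(self.db) if self.attributes_readable else {}

    def get_key(self) -> bytes:
        secret = self.read_attributes().get(SECRET_ATTR)
        if secret is None:                   # no secret visible: generate a new one
            secret = base64.b32encode(os.urandom(20)).decode()
            self.db[SECRET_ATTR] = secret
            self.db[CONFIRMED_ATTR] = "false"
            self.keys_generated += 1
        return base64.b32decode(secret)

    def verify(self, code: str, now: int) -> bool:
        ok = hmac.compare_digest(code, totp(self.get_key(), now))
        if ok:
            self.db[CONFIRMED_ATTR] = "true"
        return ok

def enroll_and_verify(attributes_readable: bool, now: int = 1600863807):
    """`now` is a constructed Unix timestamp shared by both sides."""
    server = Server(attributes_readable)
    enrolled = server.get_key()              # key the user scans from the QR code
    verified = server.verify(totp(enrolled, now), now)
    return verified, server.keys_generated

if __name__ == "__main__":
    print("attributes readable:  ", enroll_and_verify(True))
    print("attributes unreadable:", enroll_and_verify(False))
```

A key count above one for a single enrollment is the signal to look for: it means the secret written at enrollment was not the one used at verification.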