Skip to content

Remember me cookie not set when bypassing 2fa in omniauth

Summary

The remember_user_token is not set when Remember me is checked while using an omniauth provider that is configured to bypass two factor (omniauth_allow_bypass_two_factor) and two factor is enabled on the User.

Steps to reproduce

  • Enable 2FA on the User.
  • Configure an omniauth provider.
  • Configure the omniauth provider to bypass two factor (omniauth_allow_bypass_two_factor). See instructions here.
  • Login using the omniauth provider.
  • Restart your browser or delete the _gitlab_session session cookie.

What is the current bug behavior?

You're logged out when restarting your browser, even though you checked Remember me. This is because the remember_user_token cookie is not set.

What is the expected correct behavior?

You should stay logged in when restarting your browser, when you checked Remember me. The remember_user_token cookie should be set.

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info 

System information
System:		Ubuntu 20.04
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	2.7.5p203
Gem Version:	3.1.4
Bundler Version:2.3.15
Rake Version:	13.0.6
Redis Version:	6.2.7
Sidekiq Version:6.4.0
Go Version:	unknown

GitLab information
Version:	15.1.1-ee
Revision:	61c8658b23e
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	12.10
URL:		https://gitlab.cloudbear.it
HTTP Clone URL:	https://gitlab.cloudbear.it/some-group/some-project.git
SSH Clone URL:	git@gitlab.cloudbear.it:some-group/some-project.git
Elasticsearch:	no
Geo:		no
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers: google_oauth2, cloudbear_sso

GitLab Shell
Version:	14.7.4
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell

Results of GitLab application Check

Expand for output related to the GitLab application check 
Checking GitLab subtasks ...


Checking GitLab Shell ...


GitLab Shell: ... GitLab Shell version >= 14.7.4 ? ... OK (14.7.4)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Gitaly ...


Gitaly: ... default ... OK


Checking Gitaly ... Finished


Checking Sidekiq ...


Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1


Checking Sidekiq ... Finished


Checking Incoming Email ...


Incoming Email: ... Reply by email is disabled in config/gitlab.yml


Checking Incoming Email ... Finished


Checking LDAP ...


LDAP: ... LDAP is disabled in config/gitlab.yml


Checking LDAP ... Finished


Checking GitLab App ...


Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
6/2 ... yes
86/3 ... yes
86/4 ... yes
15/5 ... yes
17/6 ... yes
17/7 ... yes
71/8 ... yes
13/10 ... yes
14/11 ... yes
87/12 ... yes
41/13 ... yes
41/14 ... yes
46/15 ... yes
41/16 ... yes
31/17 ... yes
113/18 ... yes
111/19 ... yes
110/20 ... yes
112/21 ... yes
6/22 ... yes
58/23 ... yes
58/24 ... yes
24/25 ... yes
29/26 ... yes
28/27 ... yes
64/28 ... yes
64/29 ... yes
25/30 ... yes
71/31 ... yes
71/32 ... yes
109/33 ... yes
71/34 ... yes
86/35 ... yes
79/36 ... yes
71/37 ... yes
82/38 ... yes
17/39 ... yes
11/40 ... yes
13/41 ... yes
5/42 ... yes
93/50 ... yes
93/51 ... yes
93/52 ... yes
64/53 ... yes
5/54 ... yes
5/55 ... yes
116/56 ... yes
6/57 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.5)
Git user has default SSH configuration? ... yes
Active users: ... 18
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... skipped (Advanced Search is disabled)


Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished

Possible fixes

I think it might be due to this, which only checks if 2FA is enabled for the user - not if it is bypassed. This means that the 2FA window is not reached, where normally the remember_user_token would be set.