Hi Hernan,
Of course, you are correct; I'm not sure how I didn't remember this before.
In OAuth, a refresh token is a single-use token. When it is used, the current one is expired (removed from DB) and a new one is created. This is done for security and (as far as I know) is not configurable behaviour.
An access token has a relatively short lifetime. When it expires, the refresh token is used to get a new access token.
It's also quite common for applications to discard access tokens when they terminate and use the refresh token on restart to get a new one.
The above behaviour means that when you restore a DB backup, any OAuth client that has performed a refresh since the backup will no longer have a valid refresh token. There's no way to recover this without user re-authorizing the client. For an MMFA authenticator, this means re-registering the authenticator. Obviously the older the backup, the more clients will be affected.
Sorry to be the bearer of bad news but I think that your users are going to need to delete and re-register their authenticators. I don't see any other option.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
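The single-use refresh token behaviour Jon describes above, and its consequence for a restored grant table, as an added example (not code from this thread, from ISAM or from IBM). It is a toy in-memory model with constructed client names ("phone-idle", "phone-active"); the grant table is just a dictionary keyed by refresh token, which is an assumption for illustration rather than ISAM's real HVDB schema.

```python
import copy
import secrets


class GrantStore:
    """Minimal model of an OAuth grant table keyed by refresh token.

    Each refresh token is single-use: a refresh deletes the presented token
    and stores a freshly generated one for the same grant. This mirrors the
    behaviour described in the thread, not any particular product's schema.
    """

    def __init__(self):
        self._by_refresh_token = {}  # refresh_token -> client_id

    def register(self, client_id):
        """Register a client (e.g. an authenticator) and return its refresh token."""
        token = secrets.token_urlsafe(24)
        self._by_refresh_token[token] = client_id
        return token

    def refresh(self, presented_token):
        """Exchange a refresh token: the old one is removed, a new one is returned."""
        client_id = self._by_refresh_token.pop(presented_token, None)
        if client_id is None:
            raise PermissionError("invalid_grant: refresh token unknown or already used")
        return self.register(client_id)

    def snapshot(self):
        """Take a 'DB backup' of the grant table."""
        return copy.deepcopy(self._by_refresh_token)

    def restore(self, snapshot):
        """Restore a 'DB backup', discarding every change made since it was taken."""
        self._by_refresh_token = copy.deepcopy(snapshot)

    def is_valid(self, token):
        return token in self._by_refresh_token


def replay_after_refresh_is_rejected():
    """Single-use property: presenting an already-consumed refresh token fails."""
    store = GrantStore()
    old = store.register("phone-idle")
    store.refresh(old)
    try:
        store.refresh(old)
    except PermissionError:
        return True
    return False


def simulate_backup_restore(refreshes_after_backup):
    """Run the scenario from the thread.

    refreshes_after_backup: constructed mapping client_id -> number of refreshes
    the client performed between the backup and the restore.
    Returns client_id -> whether the token the client currently holds is still
    accepted once the backup has been restored.
    """
    store = GrantStore()
    current = {cid: store.register(cid) for cid in refreshes_after_backup}
    backup = store.snapshot()  # the "month-old" backup
    for cid, count in refreshes_after_backup.items():
        for _ in range(count):
            current[cid] = store.refresh(current[cid])  # client keeps only the newest token
    store.restore(backup)
    return {cid: store.is_valid(tok) for cid, tok in current.items()}


if __name__ == "__main__":
    print(replay_after_refresh_is_rejected())
    print(simulate_backup_restore({"phone-idle": 0, "phone-active": 1, "phone-busy": 5}))
```

Only the client that never refreshed between backup and restore keeps a working token; every client that refreshed even once now holds a token the restored table has never seen, and the only token the table does hold for it is one the client already discarded, which is exactly why re-registration is the remaining option.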
Original Message:
Sent: Mon June 21, 2021 05:08 PM
From: Hernan Dario Arredondo Rivera
Subject: (MMFA) After restoring an export of the HVDB the users can't use the Verify Mobile App
Hi Jon, thanks for your response.
It's not a data problem or an import problem; the whole export and import process goes as expected with no errors. In fact, the problem is that the refresh token sent by the phone does not match the token stored in the HVDB. I think this is because the refresh token changes every time the user asks for a new auth token. So, when I restore the, let's say, "old" DB backup, the users cannot use the Verify App because the refresh token has been changed during the time between the backup and the restoration. Is this correct or expected behavior?
Is there a way for the refresh token to remain the same for the whole auth grant lifetime?
In case it helps, this is the config of my API Definition on ISAM:
------------------------------
Hernan Dario Arredondo Rivera
Original Message:
Sent: Sun June 20, 2021 03:44 AM
From: Jon Harry
Subject: (MMFA) After restoring an export of the HVDB the users can't use the Verify Mobile App
Hi Hernan,
My guess, based on getting an error on the initial account screen, is that the MMFA app is not able to query transactions.
Usually I'd ask about connectivity here but given the DB change it's more likely a data issue (as you said).
When an authenticator registers it gets an OAuth grant with an access token and refresh token. You'd see the error you're getting if the grant is missing or the refresh token is expired.
Can you use admin or end user tools to check for grants? You should be able to see tokens and expiry dates.
Did you see any errors in DB2 logs for the import? Maybe that would point to an issue that prevented data from importing correctly?
In the end though I suspect you're going to need a support ticket to resolve this. They will be able to analyse the DB and figure out what is missing.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Sat June 19, 2021 04:23 PM
From: Hernan Dario Arredondo Rivera
Subject: (MMFA) After restoring an export of the HVDB the users can't use the Verify Mobile App
Hi all!
Right now I'm facing a problem with our MMFA implementation.
We had a failure a few days ago that corrupted the internal HVDB database of our ISAM cluster. Due to this failure we opted to finally move the HVDB DB out of the cluster.
The latest backup of this database is from a previous snapshot taken about a month ago on the primary master appliance. The import of the DB using the scripts provided by the export process works just fine in a DB2 11 database. But now, after the import, none of the users that have enrolled their phones can use the 2FA: ISAM sends the request to the enrolled mobile, but it never reaches the phone.
This is the image of an affected user:
Is there any way to recover from this situation?
Any help will be appreciated.
Best Regards,
Hernan
------------------------------
Hernan Dario Arredondo Rivera
------------------------------