Warning: Duo 'Cancel this Request' issue affecting IdP v4.0.0 and v4.0.1

New installs of version 4.0.0 or 4.0.1 of the IdP (or upgrades from new installs of these versions) are missing the CSRF token on the 'Cancel this Request' hyperlink in the duo.vm Velocity template. The token must be added manually; see duo-cancel-request. This does not affect the successful operation of the Duo 2FA process within the iframe.

...

Code Block
<iframe src="$flowExecutionUrl&_eventId=proceed#parse("csrf/csrf-qparam.vm")"></iframe>

For the same reason as the iframe source above, hyperlinks also require the CSRF token if CSRF protection is enabled. It can be added using the same conditional Velocity logic, e.g.:

Code Block
<a href="$flowExecutionUrl&_eventId=proceed#if($csrfToken)&${csrfToken.parameterName}=${csrfToken.token}#{else}#end">TEXT</a>

Note: if you have upgraded to IdP v4.1.0 or later, you can use the provided Velocity fragment instead:

Code Block
<a href="$flowExecutionUrl&_eventId=cancel#parse("csrf/csrf-qparam.vm")">TEXT</a>
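
An added example (not part of the original page or the Shibboleth project's code): a Python check that scans a Velocity template for `href`/`src` values built from `$flowExecutionUrl` with an `_eventId` parameter but neither of the two token forms shown above. The function name, regular expressions and sample template are constructed for illustration, and the scan assumes each attribute sits on a single line.

```python
import re

# href/src attribute whose value starts with the flow execution URL. The value
# may contain nested quotes from #parse("..."), so it ends at a quote that is
# followed by whitespace, '/' or '>'.
LINK_RE = re.compile(
    r'\b(href|src)\s*=\s*"(\$\{?flowExecutionUrl\}?.*?)"(?=[\s/>])',
    re.IGNORECASE,
)
# The two token forms shown on this page.
FRAGMENT_RE = re.compile(r'#parse\(\s*"csrf/csrf-qparam\.vm"\s*\)')
INLINE_RE = re.compile(
    r'\$\{?csrfToken\.parameterName\}?=\$\{?csrfToken\.token\}?'
)


def find_unprotected_links(template_text):
    """Return (line_number, attribute, value) for each flow link that has an
    _eventId parameter but neither CSRF token form."""
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        for match in LINK_RE.finditer(line):
            attr, value = match.group(1).lower(), match.group(2)
            if "_eventId=" not in value:
                continue  # not an event-triggering link
            if FRAGMENT_RE.search(value) or INLINE_RE.search(value):
                continue  # token is appended
            findings.append((lineno, attr, value))
    return findings


# Constructed sample template (not the shipped duo.vm).
SAMPLE_TEMPLATE = '''\
<iframe src="$flowExecutionUrl&_eventId=proceed#parse("csrf/csrf-qparam.vm")"></iframe>
<a href="$flowExecutionUrl&_eventId=proceed#if($csrfToken)&${csrfToken.parameterName}=${csrfToken.token}#{else}#end">TEXT</a>
<a href="$flowExecutionUrl&_eventId=cancel">Cancel this Request</a>
<a href="https://example.org/help">Help</a>
'''

if __name__ == "__main__":
    for lineno, attr, value in find_unprotected_links(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {attr} missing CSRF token: {value}")
```
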

Duo 2FA 'Cancel this Request'

...