Google Cloud Platform Duo requests


Pedro Oliveira

May 28, 2021, 10:52:54 AM
to Google Cloud Developers
Hello all,

We use DUO for our 2FA needs and have the Google Cloud Platform application set up through it. It works great and is set up correctly as far as we can tell.

I have been having an issue with a few users over the past month or two. Users who have no real reason to access GCP are getting DUO prompts for access. The odd thing about it is that the prompts come up every 5 minutes on the clock. I've ruled out anything malicious (to the best of my ability) and just can't figure out what is causing this. I have noticed that if I reboot their computers, it stops. Clearing the cache in Chrome also stops this. I suspect it is a user accessing a Google service like YouTube while logged in with their company credentials (or possibly not), and at some point Google starts sending some kind of request through DUO. I'm shooting in the dark here, but I think the approach or logic behind this is valid.

Just wondering if anyone can point me in the right direction? 

Thank you!
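A triage sketch for the symptom described in the post above (prompts recurring every 5 minutes), added here as an example and not part of the thread: it groups authentication records by user and flags those whose prompts arrive at a near-constant interval, which points to a background client rather than a person. The record layout, sample data and the `periodic_prompters` function are constructed assumptions, not DUO's log format.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records (user, ISO timestamp, application); this is not
# DUO's real log schema. Export your own authentication log into this shape.
SAMPLE = [
    ("alice", "2021-05-28T09:00:02", "Google Cloud Platform"),
    ("alice", "2021-05-28T09:05:01", "Google Cloud Platform"),
    ("alice", "2021-05-28T09:10:03", "Google Cloud Platform"),
    ("alice", "2021-05-28T09:15:02", "Google Cloud Platform"),
    ("alice", "2021-05-28T09:20:01", "Google Cloud Platform"),
    ("bob",   "2021-05-28T08:12:40", "Google Cloud Platform"),
    ("bob",   "2021-05-28T11:47:09", "Google Cloud Platform"),
    ("bob",   "2021-05-28T16:03:55", "Google Cloud Platform"),
    ("carol", "2021-05-28T10:30:00", "Google Cloud Platform"),
]

def periodic_prompters(records, app, min_events=4, jitter=15.0, on_frac=0.8):
    """Return {user: median_interval_seconds} for users whose prompts for
    `app` recur at a near-constant interval (a machine-driven pattern)."""
    by_user = defaultdict(list)
    for user, ts, application in records:
        if application == app:
            by_user[user].append(datetime.fromisoformat(ts))
    flagged = {}
    for user, times in by_user.items():
        if len(times) < min_events:
            continue  # too few prompts to call it a cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # Count the gaps that fall within `jitter` seconds of the median gap.
        steady = sum(1 for g in gaps if abs(g - mid) <= jitter)
        if mid > 0 and steady / len(gaps) >= on_frac:
            flagged[user] = mid
    return flagged

if __name__ == "__main__":
    hits = periodic_prompters(SAMPLE, "Google Cloud Platform")
    for user, interval in hits.items():
        print(f"{user}: prompt every ~{interval:.0f}s")
```

Correlating the flagged users' timestamps with browser or endpoint activity on the same machines narrows down which client is issuing the requests.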

Alexis (Google Cloud Support)

May 31, 2021, 10:34:48 AM
to Google Cloud Developers

Hi,

I think your issue might be related to what we call a "refresh token"[1]. Normally the tokens are renewed in the background of the code with the server and this is seamless for the user. When a session expires, the background code is supposed to keep track of that and ask for a refresh token from the server in order to reset slightly before the expiration of the session and continue seamlessly.

In this case, if you're clearing the cache and restarting the computer, you're also essentially clearing the session and asking for a new token, but as part of a new handshake rather than a continued refresh token for the same session. Your flow might be missing the "refresh token" or something equivalent. I don't think it will help to provide you best coding practices from Google because it's the DUO service/workflow that chooses how to renew those tokens and it's their ask on how to code it to make it fit their service. You should check their documentation. However, if it's a standardized workflow (whichever it is), you can look it up publicly.

Please keep in mind that I'm only going on a hunch for this refresh token hypothesis; due to little info and an unsupported product, I am not sure. Hopefully this should unblock you. If no one else can help, please also try a DUO forum since it's related to their product. They must have best coding practices for their own service, depending on the technologies they use. Thank you.

Pedro Oliveira

Jun 8, 2021, 1:11:07 PM
to Google Cloud Developers
Hello,

Thank you for your reply! Your hunch does make sense. 

I'm also going to take you up on your advice and post this in the DUO forum.

Thanks,
Pedro