No error message displayed during MFA validator stage when DUO push is denied. #11368

Open
mclarence opened this issue Sep 13, 2024 · 0 comments
Labels: bug/confirmed (Confirmed bugs), bug (Something isn't working)

Describe the bug
No error message displayed during MFA validator stage when DUO push is denied. I expect to see a message saying that the DUO push has been denied; however, it just re-sends the push almost instantly.

When DUO locks the account after multiple failed attempts, authentik will continue to attempt to send the push notification indefinitely until the user closes the authentik website. The loading spinner and the message "Sending duo push notification" continue to show. In some cases I see the error message for a split second and then it goes back to sending the push notification again.

With "Risk-based factor selection" enabled and when the account is locked out in DUO, the authentication logs show "denied - push harassment".

With "Risk-based factor selection" disabled in DUO, authentik will retry indefinitely (sending multiple push notifications) until the user approves the push or DUO locks out the account automatically after 10 failed authentication attempts. Even with this, authentik still shows no error messages and attempts to send the push repeatedly.

Authentik logs correctly show that the DUO push has been denied.

To Reproduce
Steps to reproduce the behavior:

  1. Create user on DUO admin, send enrollment email, user enrolls and sets up DUO push.
  2. Set up DUO authenticator stage.
  3. Import users from DUO.
  4. Test DUO push. Approve push works as expected. Deny push shows no error message as described above.

Expected behavior
When the user denies the push notification, authentik should return an error message indicating that the push has been denied. Authentik should not repeatedly attempt to send the push when the user denies the push.

Screenshots

Every time the loading spinner jumps is when I deny the push on my phone.

Screen.Recording.2024-09-13.184152.mp4

Version and Deployment (please complete the following information):

  • authentik version: 2024.8.1
  • Deployment: docker-compose
@mclarence mclarence added the bug Something isn't working label Sep 13, 2024
@BeryJu BeryJu added the bug/confirmed Confirmed bugs label Nov 7, 2024
@BeryJu BeryJu self-assigned this Nov 7, 2024
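
The behavior the report asks for (a denied push ends the attempt with a visible message, and resends are bounded), as an added sketch that is not authentik's code and not part of the original issue. The response fields `result`, `status` and `status_msg` are assumed to follow the Duo Auth API `/auth` response; `validate_push`, `scripted`, `Outcome` and the limit of 2 pushes are hypothetical names and values chosen for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

# Assumed response fields, following the Duo Auth API /auth response:
# "result" ("allow" or "deny"), "status" and "status_msg".
TERMINAL_MESSAGES = {
    "deny": "Duo push was denied.",
    "fraud": "Duo push was reported as fraudulent.",
    "locked_out": "Duo account is locked out.",
}


@dataclass
class Outcome:
    success: bool
    message: str
    pushes_sent: int


def validate_push(send_push: Callable[[], dict], max_pushes: int = 2) -> Outcome:
    """Send at most max_pushes pushes; only a timeout triggers a resend."""
    sent = 0
    while sent < max_pushes:
        response = send_push()
        sent += 1
        if response.get("result") == "allow":
            return Outcome(True, "Duo push approved.", sent)
        status = response.get("status", "")
        if status != "timeout":
            # An explicit deny, fraud report or lockout ends the attempt:
            # surface the reason instead of pushing again.
            message = (TERMINAL_MESSAGES.get(status)
                       or response.get("status_msg")
                       or "Duo authentication failed.")
            return Outcome(False, message, sent)
    return Outcome(False, "Duo push timed out.", sent)


def scripted(responses: Iterable[dict]) -> Callable[[], dict]:
    """Constructed stand-in for the Duo call: replays canned responses."""
    it = iter(responses)
    return lambda: next(it)


if __name__ == "__main__":
    deny = {"result": "deny", "status": "deny", "status_msg": "Login request denied."}
    print(validate_push(scripted([deny, deny, deny])))
```

Because a deny returns after one push, the user's phone receives a single notification per login attempt, which keeps the account below the lockout threshold described in the report.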