Closed Bug 1864504 Opened 8 months ago Closed 5 months ago

Registering YubiKey 5 Nano fails at organization site

Categories

(Core :: DOM: Web Authentication, defect, P2)

Firefox 119
defect

Tracking

RESOLVED FIXED
122 Branch
Tracking Status
firefox122 --- affected

People

(Reporter: mike, Assigned: jschanck)

References

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0

Steps to reproduce:

I use Firefox to perform FIDO2/WebAuthn/USB authentication with a YubiKey to use services provided by my organization. I recently received a YubiKey 5 Nano (Type A USB), having previously used YubiKey Security Key Series (FIDO2-only) devices. I found that I could not use Firefox to associate this new YubiKey 5 Nano with my account.

I am using firefox-119.0-5.fc39.x86_64 on Fedora Linux 39.

Actual results:

First, I signed into my organization using an older YubiKey. Then, I tried to enroll my new YubiKey as an alternative security key. The process started, but when I touched the new YubiKey to enroll it, the authentication panel displayed by Firefox said "The operation either timed out or was not allowed."

I do not think the operation "timed out", because I quickly touched the YubiKey. This leaves "not allowed". I cannot see what prevented the operation.

Something that is interesting is that Firefox's inspector did not indicate any network traffic happened between when I was prompted to touch the YubiKey and when I received the error message after touching it. This seems to indicate something went wrong between Firefox and the YubiKey rather than something the server denied.

I did visit YubiKey's test site, and it seemed to have no trouble communicating with the YubiKey through Firefox. Odd.

The closest experience I can find on the Internet that is similar to mine is this one:

https://github.com/goauthentik/authentik/issues/5599

Some other things I tried were adding a PIN to the YubiKey/FIDO2 and deactivating the non-FIDO2 features of the YubiKey. These actions did not help.

Eventually, I found that I was able to register the YubiKey by following the same process with Chromium (chromium-118.0.5993.117-1.fc39.x86_64).

Expected results:

The site should have registered my new YubiKey.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Web Authentication
Product: Firefox → Core

After registering the key with Chromium, were you able to use it from Firefox?

My guess is that we're failing to handle some (atypical) argument that your organization is passing to navigator.credentials.create.

If you're comfortable using the devtools debugger, you could get a copy of the arguments by setting a breakpoint on the call to navigator.credentials.create(args) on the registration page. Once you hit the breakpoint, switch over to the console and type JSON.stringify(args) (replacing "args" with whatever variable is actually used in the call to navigator.credentials.create).

You should get something like:

{"publicKey":{"rp":{"name":"webauthn.io","id":"webauthn.io"},"user":{"id":{"0":100,"1":71,"2":86,"3":122,"4":100,"5":65},"name":"test","displayName":"test"},"challenge":{},"pubKeyCredParams":[{"type":"public-key","alg":-7},{"type":"public-key","alg":-257}],"timeout":60000,"excludeCredentials":[],"authenticatorSelection":{"residentKey":"preferred","requireResidentKey":false,"userVerification":"preferred"},"attestation":"none","extensions":{"credProps":true}},"signal":{}}

I'm primarily interested in the "pubKeyCredParams", "authenticatorSelection", "attestation", and "extensions" fields.
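The sample output above shows the one weakness of plain JSON.stringify for this purpose: "challenge" comes out as {} and "user.id" as an index-keyed object, because ArrayBuffer and typed-array fields have no JSON form. The following helper is an added example, not code from the bug report, Firefox, or the site in question; it can be pasted into the devtools console and makes the same capture step preserve binary fields as base64url strings, then picks out the four fields asked for. The sampleOptions object is constructed here, modeled on the options shown above.

```javascript
// Added example: serialize PublicKeyCredentialCreationOptions so that
// BufferSource fields (challenge, user.id, excludeCredentials[].id) survive
// JSON.stringify instead of collapsing to "{}" or {"0":100,"1":71,...}.

function isBufferSource(v) {
  return v instanceof ArrayBuffer || ArrayBuffer.isView(v);
}

// Encode an ArrayBuffer or any ArrayBufferView as unpadded base64url.
// btoa() is available in browsers and in Node 16+, so this runs in both.
function toBase64Url(v) {
  const bytes = v instanceof ArrayBuffer
    ? new Uint8Array(v)
    : new Uint8Array(v.buffer, v.byteOffset, v.byteLength);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// JSON.stringify with a replacer: every BufferSource becomes a base64url
// string; everything else is serialized as usual.
function serializeCreationOptions(options) {
  return JSON.stringify(options, (key, value) =>
    isBufferSource(value) ? toBase64Url(value) : value
  );
}

// Pull out the fields most likely to differ between relying parties
// (the ones the maintainer asked about in the comment above).
function summarizeCreationOptions(options) {
  const pk = options.publicKey || {};
  return {
    pubKeyCredParams: pk.pubKeyCredParams || [],
    authenticatorSelection: pk.authenticatorSelection || {},
    attestation: pk.attestation || "none",
    extensions: pk.extensions || {},
  };
}

// Constructed sample (not captured from any real site), modeled on the
// options shown in the comment: user.id is a Uint8Array, challenge an
// ArrayBuffer, excludeCredentials carries one constructed credential id.
const sampleOptions = {
  publicKey: {
    rp: { name: "example.test", id: "example.test" },
    user: {
      id: new Uint8Array([100, 71, 86, 122, 100, 65]),
      name: "test",
      displayName: "test",
    },
    challenge: new Uint8Array(32).fill(7).buffer,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },
      { type: "public-key", alg: -257 },
    ],
    timeout: 60000,
    excludeCredentials: [{ type: "public-key", id: new Uint8Array([1, 2, 3, 4]) }],
    authenticatorSelection: { userVerification: "preferred", requireResidentKey: false },
    attestation: "direct",
    extensions: { credProps: true },
  },
};

// Usage at a breakpoint: replace sampleOptions with the variable actually
// passed to navigator.credentials.create(...).
console.log(serializeCreationOptions(sampleOptions));
console.log(JSON.stringify(summarizeCreationOptions(sampleOptions)));
```

With the replacer in place, "user.id" in the constructed sample serializes to "ZEdWemRB" and the 32-byte challenge to a 43-character string, so two captures (for instance from Firefox and Chromium on the same page) can be diffed field by field.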

Yes. Once I register the YubiKey using Chromium I can use it to authenticate from Firefox.

I tried to gather the information you requested.

First, I used the devtools search feature to find calls to navigator.credentials.create(...). I found

navigator.credentials.create({
  publicKey: options,
  signal: this.webauthnAbortController && this.webauthnAbortController.signal
})

at line 79 in webpack://OktaSignIn/src/v2/view-builder/views/webauthn/EnrollWebauthnView.js. I set a breakpoint.

With the breakpoint triggered, I ran the following in the console:

JSON.stringify(this.options)

This produced the following output (pretty printed using jq):

{
  "settings": {
    "interstitialBeforeLoginRedirect": "DEFAULT",
    "routes": {
      "": "defaultAuth",
      "*wildcard": "defaultAuth"
    },
    "features": {
      "rememberMyUsernameOnOIE": true,
      "engFastpassMultipleAccounts": true,
      "consent": true
    }
  },
  "appState": {
    "currentAuthenticator": {
      "contextualData": {
        "activationData": {
          "rp": {
            "name": "[REDACTED]"
          },
          "user": {
            "displayName": "W. Michael Petullo",
            "name": "[REDACTED]",
            "id": "[REDACTED]"
          },
          "pubKeyCredParams": [
            {
              "type": "public-key",
              "alg": -7
            },
            {
              "type": "public-key",
              "alg": -257
            }
          ],
          "challenge": "[REDACTED]",
          "attestation": "direct",
          "authenticatorSelection": {
            "userVerification": "preferred",
            "requireResidentKey": false
          },
          "u2fParams": {
            "appid": "[REDACTED]"
          },
          "excludeCredentials": [
            {
              "type": "public-key",
              "id": "[REDACTED]"
            },
            {
              "type": "public-key",
              "id": "[REDACTED]"
            }
          ]
        }
      },
      "type": "security_key",
      "key": "webauthn",
      "id": "[REDACTED]",
      "displayName": "Security Key or Biometric",
      "methods": [
        {
          "type": "webauthn"
        }
      ]
    },
    "authenticators": {
      "value": [
        {
          "type": "security_key",
          "key": "webauthn",
          "id": "[REDACTED]",
          "displayName": "Security Key or Biometric",
          "methods": [
            {
              "type": "webauthn"
            }
          ],
          "allowedFor": "sso"
        }
      ]
    },
    "authenticatorEnrollments": {
      "value": [
        {
          "type": "email",
          "key": "okta_email",
          "id": "[REDACTED]",
          "displayName": "Email",
          "methods": [
            {
              "type": "email"
            }
          ]
        },
        {
          "type": "password",
          "key": "okta_password",
          "id": "[REDACTED]",
          "displayName": "Password",
          "methods": [
            {
              "type": "password"
            }
          ]
        },
        {
          "type": "security_key",
          "key": "webauthn",
          "id": "[REDACTED]",
          "displayName": "Security Key By Yubico with NFC Black",
          "credentialId": "[REDACTED]",
          "methods": [
            {
              "type": "webauthn"
            }
          ]
        },
        {
          "type": "security_key",
          "key": "webauthn",
          "id": "[REDACTED]",
          "displayName": "Security Key By Yubico with NFC Black",
          "credentialId": "[REDACTED]",
          "methods": [
            {
              "type": "webauthn"
            }
          ]
        }
      ]
    },
    "enrollmentAuthenticator": {
      "type": "security_key",
      "key": "webauthn",
      "id": "[REDACTED]",
      "displayName": "Security Key or Biometric",
      "methods": [
        {
          "type": "webauthn"
        }
      ]
    },
    "app": {
      "name": "okta_enduser",
      "label": "Okta Dashboard",
      "id": "DEFAULT_APP"
    },
    "authentication": {
      "protocol": "URL",
      "request": {}
    }
  },
  "currentViewState": {
    "rel": [
      "create-form"
    ],
    "name": "enroll-authenticator",
    "relatesTo": {
      "type": "object",
      "value": {
        "contextualData": {
          "activationData": {
            "rp": {
              "name": "[REDACTED]"
            },
            "user": {
              "displayName": "W. Michael Petullo",
              "name": "[REDACTED]",
              "id": "[REDACTED]"
            },
            "pubKeyCredParams": [
              {
                "type": "public-key",
                "alg": -7
              },
              {
                "type": "public-key",
                "alg": -257
              }
            ],
            "challenge": "[REDACTED]",
            "attestation": "direct",
            "authenticatorSelection": {
              "userVerification": "preferred",
              "requireResidentKey": false
            },
            "u2fParams": {
              "appid": "[REDACTED]"
            },
            "excludeCredentials": [
              {
                "type": "public-key",
                "id": "[REDACTED]"
              },
              {
                "type": "public-key",
                "id": "[REDACTED]"
              }
            ]
          }
        },
        "type": "security_key",
        "key": "webauthn",
        "id": "[REDACTED]",
        "displayName": "Security Key or Biometric",
        "methods": [
          {
            "type": "webauthn"
          }
        ]
      }
    },
    "href": "https://[REDACTED]/idp/idx/challenge/answer",
    "method": "POST",
    "produces": "application/ion+json; okta-version=1.0.0",
    "value": [
      {
        "name": "credentials",
        "type": "object",
        "form": {
          "value": [
            {
              "name": "attestation",
              "label": "Attestation",
              "required": true,
              "visible": false
            },
            {
              "name": "clientData",
              "label": "Client Data",
              "required": true,
              "visible": false
            }
          ]
        },
        "required": true
      },
      {
        "name": "stateHandle",
        "required": true,
        "value": "[REDACTED]",
        "visible": false,
        "mutable": false
      }
    ],
    "accepts": "application/json; okta-version=1.0.0",
    "uiSchema": [
      {
        "name": "credentials.attestation",
        "label": "Attestation",
        "required": true,
        "visible": false,
        "label-top": true,
        "multirowError": true,
        "data-se": "o-form-fieldset-credentials.attestation",
        "type": "text"
      },
      {
        "name": "credentials.clientData",
        "label": "Client Data",
        "required": true,
        "visible": false,
        "label-top": true,
        "multirowError": true,
        "data-se": "o-form-fieldset-credentials.clientData",
        "type": "text"
      }
    ]
  },
  "model": {},
  "optionUiSchemaConfig": {
    "formName": "enroll-authenticator"
  }
}

Thanks, that's very helpful. I think this has been resolved upstream in https://github.com/mozilla/authenticator-rs/pull/320. We'll have a fix in Firefox soon.

Assignee: nobody → jschanck
Severity: -- → S3
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P2
Depends on: 1867353
Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3781ba6d64fe
test case for missing credential id in CTAP 2.0 get response. r=keeler

mike, could you test Firefox Nightly 122?

Flags: needinfo?(mike)

I tried 122.0a1 (2023-11-30) (64-bit) on Linux, and I still received the error "The operation either timed out or was not allowed." Perhaps you meant for me to wait for tomorrow's nightly, which I will try as well.

Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch

The proposed fix from Bug 1867353 should have been in the 2023-11-30 nightlies (the patch I attached to this bug is just a test case). But yes, please try again today. I'll re-open the bug for now.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

I'm assuming that this is fixed, please clone this bug if it's not.

Status: REOPENED → RESOLVED
Closed: 7 months ago → 5 months ago
Flags: needinfo?(mike)
Resolution: --- → FIXED