-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FIDO2 endpoint Ingress missing from Helm charts #7889
Comments
OK, I dug into the code and fixed it. TL;DR; The proper title of this Issue should be: Here are the clarifications / resolutions to the three ideas previously posed. Idea 1 - Potentially bad app logic?Nope. The Idea 2 - Potentially bad connectivity between the
|
Describe the bug
I am unable to register FIDO2 keys.
Specifically, Clicking the
Ready
button in Casa'sSecurity Keys and built-in Platform Authenticators
pageresults in an error. (screenshot below)
The same problem occurs in Chrome, Firefox, and Safari.
This is a fresh installation of Janssen using the
v1.0.22
Helm charts (only test users).To Reproduce
Steps to reproduce the behavior:
fido2
authentication script in TUI configExpected behavior
The browser-native FIDO2 device registration flow
Screenshots
Desktop (please complete the following information):
Additional context
The browser debug console shows a successful response to a
POST
to.. but the Response payload was:
The error surfaces itself in the Casa server log, which reports 2 potentially-related issues:
ERROR
from thejans.casa.core.PersistenceService
, which chokes on what might be an incorrect LDAP query; and404
fromio.jans.casa.plugins.authnmethod.service.Fido2Service$Proxy
Casa service log
Analysis
I have three initial ideas about what might be causing this problem.
Idea 1 - Potentially bad app logic?
Interestingly, the non-error (
INFO
) log message:is mixed in with the
ERROR
messages:So, on the one hand, Casa understands that there are no FIDO creds registered for this user, but on the other hand, when it queries the persistence service for any
jansFido2RegistrationEntry
objects (I'm using LDAP), it panics when none are found.This feels at first like a bug in the core Casa application logic for this page - except that surely would have been caught before.
The fact that it fails to find FIDO entries for a given user should not cause an error, right?
Idea 2 - Potentially bad connectivity between the
casa
andfido2
services?Aside from the LDAP-related errors, why the
404
fromio.jans.casa.plugins.authnmethod.service.Fido2Service$Proxy
?Is the Casa service trying to reach the
fido2
service, and some ingress or proxy route is misconfigured?Note that the
/.well-known/fido2-configuration
is reachable as configured.Idea 3 - Malformed LDAP (and/or SQL?) query?
One more thing strikes me as odd: the
baseDN
of that LDAP queryBecause LDAP is dumb, this string actually represents the following hierarchy (the components are reversed!):
It's been a long time since I got my hands dirty with LDAP, but I can't remember ever seeing an
ou
(in this case,fido_register
)embedded below a
person
entry. I don't think it violates any LDAP schema rules, but it does seem like a strange place to put it.Why would each user have their own
fido2_register
ou
entry rather than just a multi-valued attribute?Even more compellingly, the
ou
entriesfido2_register
andfido2_auth
do actually exist already, but in a different place:^^ on the left, you can see the
fido2_register
andfido2_auth
entries undero=jans,ou=fido2
.Any help debuigging this problem will be greatly appreciated.
Thanks in advance!
-b
The text was updated successfully, but these errors were encountered: