CZ-NIC / django-fido

Django application for FIDO protocol U2F
GNU General Public License v3.0

Register a new FIDO2 Authenticator - The request is insecure #141

Closed Frikster closed 2 years ago

Frikster commented 2 years ago

After authenticating and logging in a user using django.contrib.auth I try to register via the /registration/ endpoint. No matter what I do I am always met with "The request is insecure."


I figured the cause might be because I wasn't on HTTPS at first, but after updating that and making sure my CA certificates are valid I still have the same issue.


What else might be causing this issue?

variable commented 2 years ago

The FIDO protocol requires the connection to be secured using HTTPS. If you are running django runserver, you can create your own self-signed cert; have a look at this:

https://timonweb.com/django/https-django-development-server-ssl-certificate/

after having this done, I could get registration working fine, so I don't know why it wouldn't work for you.

You can try to use chrome developer console to see if the ajax request was done in http or https.

Frikster commented 2 years ago

I followed these instructions to create locally trusted certs and it seems to work so my connection should be secured using https.

I think my problem is a network issue. I am using docker-compose with a nginx server, a django server, and postgres. I'm using a nginx reverse proxy, so I think (am unsure) I cannot use your link, since I don't need the django server to serve https: nginx makes sure everything to the client is served in https.

> You can try to use chrome developer console to see if the ajax request was done in http or https.

In the network tab after clicking register I can see a request is made to https://app.recce.com/api/registration/request/? (note https) which returns 200, and then the "The request is insecure" error message appears. Doesn't look like I am getting any error message anywhere in the nginx or django logs during the cert validation.

Maybe related to https://github.com/CZ-NIC/django-fido/issues/88?

tpazderka commented 2 years ago

#88 is related to verification of Authenticator metadata and would not cause the issue you are seeing.

I agree with @variable that it looks like an insecure connection somewhere. You can trace the registration process if that provides more information.

Frikster commented 2 years ago

Not sure if this is the correct fix but it appears to work now.

I changed my nginx config so that it uses the same hostname when connecting to Django, so now Django uses that address in the document it sends to the browser to request a new key.

I had further problems that were similarly fixed by making sure my React frontend was not running on https://localhost:3000 (it doesn't matter that it is https, it didn't work) and deploying it with nginx so that it runs on the same domain as django.

So basically: Same domain all the things and it works.
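The two failure modes in this thread (the server deciding the request is not HTTPS, and the browser rejecting a relying-party ID that does not match the page's origin) can be walked through with a small model. The block below is an added example, not code from the thread and not django-fido's own implementation; it models Django's `request.is_secure()` / `get_host()` behaviour under the `SECURE_PROXY_SSL_HEADER` setting and the WebAuthn origin and RP ID rules, and what django-fido itself checks is not shown on this page. The hostname `app.example.com`, the upstream name `django:8000` and the WSGI `meta` dictionaries are constructed inputs standing in for the reporter's nginx-to-Django setup.

```python
"""Model of why a FIDO2/WebAuthn registration fails behind a TLS-terminating proxy.

Assumptions (not from the thread): the proxy is trusted to set X-Forwarded-Proto and
Host, the backend derives its RP ID from the request's Host header, and the browser
applies the WebAuthn secure-context and RP ID rules as summarised in the docstrings.
"""
from urllib.parse import urlsplit

# Mirrors Django's SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https").
# Only safe when the proxy strips this header from client requests before setting it.
PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def request_is_secure(meta: dict, trust_proxy_header: bool) -> bool:
    """Model of Django's request.is_secure(): the socket scheme, or the forwarded
    scheme header when the application is configured to trust it."""
    if meta.get("wsgi.url_scheme") == "https":
        return True
    if trust_proxy_header:
        name, value = PROXY_SSL_HEADER
        return meta.get(name) == value
    return False


def server_hostname(meta: dict) -> str:
    """Hostname the backend believes it serves, port stripped.  This is what ends up
    as the RP ID in the registration options the backend sends to the browser."""
    host = meta.get("HTTP_HOST") or meta.get("SERVER_NAME", "")
    return (urlsplit("//" + host).hostname or "").lower()


def is_secure_context(origin: str) -> bool:
    """Browser side: WebAuthn is only exposed in a secure context.  https origins and
    localhost (any port, even plain http) qualify; plain http on other hosts does not."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and (host == "localhost" or host.endswith(".localhost"))


def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """Browser side: the RP ID must equal the origin's host or be a suffix of it on a
    label boundary.  Real browsers also reject public suffixes (e.g. 'com') via the
    Public Suffix List; requiring a dot in the RP ID is a simplification of that."""
    host = (urlsplit(origin).hostname or "").lower()
    rp_id = rp_id.lower()
    return host == rp_id or (host.endswith("." + rp_id) and "." in rp_id)


def diagnose(browser_origin: str, meta: dict, trust_proxy_header: bool) -> str:
    """Run the checks in the order the thread hit them and name the first failure."""
    if not request_is_secure(meta, trust_proxy_header):
        return "server: request is insecure"
    rp_id = server_hostname(meta)
    if not is_secure_context(browser_origin):
        return "browser: origin is not a secure context"
    if not rp_id_matches_origin(rp_id, browser_origin):
        return f"browser: RP ID {rp_id!r} does not match origin {browser_origin!r}"
    return "ok"


# Constructed stand-in for the reporter's site and proxy chain.
ORIGIN = "https://app.example.com"
# nginx -> Django over plain http with nothing forwarded: Django sees http://django:8000
META_BARE = {"wsgi.url_scheme": "http", "HTTP_HOST": "django:8000"}
# nginx adds `proxy_set_header X-Forwarded-Proto $scheme;` but Host is still the upstream name
META_PROTO = dict(META_BARE, HTTP_X_FORWARDED_PROTO="https")
# nginx also adds `proxy_set_header Host $host;`: Django now sees app.example.com over https
META_FIXED = dict(META_PROTO, HTTP_HOST="app.example.com")


def scenarios() -> dict:
    """Each deployment variant from the thread, mapped to the check that fails first."""
    return {
        "no headers, not trusted": diagnose(ORIGIN, META_BARE, False),
        "proto forwarded, not trusted": diagnose(ORIGIN, META_PROTO, False),
        "proto forwarded, trusted, wrong Host": diagnose(ORIGIN, META_PROTO, True),
        "fixed": diagnose(ORIGIN, META_FIXED, True),
        "react dev server": diagnose("https://localhost:3000", META_FIXED, True),
        "plain http origin": diagnose("http://app.example.com", META_FIXED, True),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:40s} -> {verdict}")
```

The "react dev server" row is the reporter's second problem: `https://localhost:3000` is a secure context, but its host is not `app.example.com` or a subdomain of it, so the RP ID the backend hands out can never match, regardless of TLS. On the nginx side the model corresponds to `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` in the `location` block, plus `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")` and the public hostname in `ALLOWED_HOSTS` in Django settings; trust the forwarded header only when the proxy overwrites it unconditionally, otherwise a client can claim HTTPS on a plain-HTTP hop.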