MichaelGrafnetter / webauthn-interop

Passkeys/FIDO2/WebAuthn .NET Library for Windows Desktop and CLI Applications
MIT License
12 stars 2 forks

Readme / docs #21

Open JMarkstrom opened 4 hours ago

JMarkstrom commented 4 hours ago

Hi Michael,

Having installed v. 1.0.3 (passkey module only) and running the command:

Register-Passkey -UserId 'username@domain.com' -DisplayName 'YubiKey 5C NFC'

I'm getting this error:

ParentContainsErrorRecordException: Exception calling "Create" with "1" argument(s): "Illegal Base64URL string! (Parameter 'input')"

In readme.md you state:

> The DSInternals.Passkeys PowerShell module uses the DSInternals.Win32.WebAuthn library...

Should I understand this as I might be missing a dependency or that it is incorporated already in the PS module?

Environment:

Thank you in advance,

aseigler commented 4 hours ago

That's this: https://x.com/alexseigler/status/1857127079705497882?t=lDqE2WGLCZavRrhX0qN5uQ&s=19

MSFT broke the API by adding an extra 0 at the end of some credentialId strings. I am trying to find someone who can find someone who can fix it.

JMarkstrom commented 4 hours ago

I just retested using the Yubico "PoC" scripts and I can successfully create, register and authenticate. But yes, I see there's a 0 at the end of the credential id now:

XDjx9wXDrVWBmE2MbPSkXdeMERfv6gN98uxavJ0ZrSyT8jYUs2BHKjAmh4P_T3Av0

I will pass your Twitter post along.

aseigler commented 4 hours ago

> I just retested using the Yubico "PoC" scripts and I can successfully create, register and authenticate. But yes, I see there's a 0 at the end of the credential id now:
>
> XDjx9wXDrVWBmE2MbPSkXdeMERfv6gN98uxavJ0ZrSyT8jYUs2BHKjAmh4P_T3Av0
>
> I will pass your Twitter post along.

It will work if you don't already have any authenticators registered on the account. The issue is with the credentialId being non-base64 in the excludeCredentials.

JMarkstrom commented 4 hours ago

OK, I have passed it along. Note that my test user has multiple FIDO2 authenticators already however.

aseigler commented 3 hours ago

> OK, I have passed it along. Note that my test user has multiple FIDO2 authenticators already however.

Yes, it kind of depends. Not all of the credentials are broken. The ones that are 44 chars are fine, the ones that are 64 chars got padded with an extra 0 for some reason so they are now 65 chars which is illegal (len % 4 = 1 is never OK). I think the length might vary based on the YK firmware revision. The older ones seem shorter and the newer ones seem like they are 64 chars (base64url with no padding).

That's the pattern I noticed. Thankfully I have a database with thousands of registered users and key data, which made the pattern pretty easy to spot.
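Added example (not code from the webauthn-interop project or from either commenter): a small Python checker that applies the length rule discussed above to credentialId strings before they are handed to a WebAuthn "Create" call. Base64 turns every 3 bytes into 4 characters and a trailing 1 or 2 bytes into 2 or 3 characters, so an unpadded base64url string can have length 0, 2 or 3 mod 4 but never 1; the 65-character case in this thread fails that test, and the same string minus its last character decodes to 48 bytes. `REPORTED_ID` is the string posted in the thread; the two other ids are constructed from dummy byte patterns and stand in for a 32-byte (43 chars) and a 48-byte (64 chars) credential id. `looks_like_trailing_zero_bug` only reports whether a value matches the pattern described here; it does not alter the id.

```python
import base64
import binascii
import re

# Unpadded URL-safe alphabet only, which is how WebAuthn credentialIds travel.
B64URL_ALPHABET = re.compile(r"[A-Za-z0-9_-]*")


def check_base64url(value: str) -> dict:
    """Strictly validate an unpadded base64url string and report its decoded size.

    Returns {"valid": True, "length": n, "bytes": m} for a well-formed string,
    or {"valid": False, "length": n, "reason": "..."} otherwise.
    """
    n = len(value)
    if not B64URL_ALPHABET.fullmatch(value):
        return {"valid": False, "length": n, "reason": "character outside the base64url alphabet"}
    # 3 input bytes -> 4 chars; a partial group of 1 or 2 bytes -> 2 or 3 chars.
    # No byte count ever yields len % 4 == 1, so such a string is not a real
    # encoding (the 65-char case from the thread).
    if n % 4 == 1:
        return {"valid": False, "length": n, "reason": "len % 4 == 1 cannot encode whole bytes"}
    padded = value + "=" * (-n % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except binascii.Error as exc:
        return {"valid": False, "length": n, "reason": f"decode failed: {exc}"}
    return {"valid": True, "length": n, "bytes": len(raw)}


def looks_like_trailing_zero_bug(value: str) -> bool:
    """Diagnostic only: True when the string is invalid by length but becomes a
    valid encoding once its final '0' is dropped, i.e. the pattern described in
    the thread. Nothing is modified; the caller decides how to report it."""
    return (
        len(value) % 4 == 1
        and value.endswith("0")
        and check_base64url(value[:-1])["valid"]
    )


def triage_exclude_credentials(ids):
    """Split an excludeCredentials-style list into usable and rejected ids so a
    caller can surface the bad entries instead of failing the whole request."""
    good, bad = [], []
    for cid in ids:
        result = check_base64url(cid)
        if result["valid"]:
            good.append(cid)
        else:
            bad.append((cid, result["reason"], looks_like_trailing_zero_bug(cid)))
    return good, bad


# The 65-char id quoted in the thread, plus two constructed ids (dummy byte
# patterns, not real credentials): a 32-byte id (43 chars) and a 48-byte id (64 chars).
REPORTED_ID = "XDjx9wXDrVWBmE2MbPSkXdeMERfv6gN98uxavJ0ZrSyT8jYUs2BHKjAmh4P_T3Av0"
ID_32_BYTES = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()
ID_48_BYTES = base64.urlsafe_b64encode(bytes(range(48))).rstrip(b"=").decode()

if __name__ == "__main__":
    good, bad = triage_exclude_credentials([ID_32_BYTES, ID_48_BYTES, REPORTED_ID])
    for cid in good:
        print("ok     ", check_base64url(cid))
    for cid, reason, suspect in bad:
        print("reject ", len(cid), reason, "| trailing-zero pattern:", suspect)
```

Running the block prints one accepted line each for the 43- and 64-character ids and one rejected line for the 65-character id with the trailing-zero pattern flagged; feeding only the accepted list to the registration call avoids the "Illegal Base64URL string" failure while still leaving a record of which stored ids need attention on the server side.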