Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

Failed to enroll a FIDO authenticator (TouchID) #386

Open mamash opened 1 year ago

mamash commented 1 year ago

Hoping this is just something I'm missing.

Expected Behavior

Authenticate against Okta using a Macbook TouchID.

Current Behavior

Fails to either:

  1. Use the existing TouchID profile in the Okta method list (currently in use to authenticate against Okta for web-based services)
  2. Enroll the TouchID using --action-setup-fido-authenticator (used a working 'token:hardware: YUBICO' method here)

$ gimme-aws-creds --action-setup-fido-authenticator
*** Registering a new fido authenticator in Okta.

*** Note that webauthn authenticators must be allowed for this operation to succeed.
*** You may be prompted for MFA more than once for this run.

Using password from keyring for XXX
Multi-factor Authentication required.
Pick a factor:
[0] token:hardware: YUBICO
[1] webauthn: MacBook Touch ID
[2] webauthn: Authenticator
[3] webauthn: YubiKey 5 with NFC
[4] token:software:totp( OKTA ) : XXX
Selection: 0
Enter verification code:
Exception in thread Thread-6 (_make_credential):
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/gimme-aws-creds/2.5.0/libexec/lib/python3.11/site-packages/fido2/client.py", line 510, in make_credential
    att_obj, extension_outputs = self._do_make_credential(
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/gimme-aws-creds/2.5.0/libexec/lib/python3.11/site-packages/fido2/client.py", line 584, in _ctap2_make_credential
    att_obj = self.ctap2.make_credential(
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/gimme-aws-creds/2.5.0/libexec/lib/python3.11/site-packages/fido2/ctap2/base.py", line 785, in make_credential
    return self.send_cbor(
           ^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/gimme-aws-creds/2.5.0/libexec/lib/python3.11/site-packages/fido2/ctap2/base.py", line 675, in send_cbor
    raise CtapError(status)
fido2.ctap.CtapError: CTAP error: 0x11 - CBOR_UNEXPECTED_TYPE

(further exceptions omitted)

Steps to Reproduce (for bugs)

  1. gimme-aws-creds --action-configure
  2. gimme-aws-creds --action-setup-fido-authenticator

As mentioned, the TouchID is already set up in Okta and works. (However, saml2aws doesn't support it as a method. Was hoping 'gimme-aws-creds' would.)

Your Environment

kholia commented 1 year ago

This issue is solved in PR https://github.com/Nike-Inc/gimme-aws-creds/pull/366.