NixOS / nixpkgs

Nix Packages collection & NixOS

FIDO2 fails on firefox #292134

Open ThePinkUnicorn6 opened 9 months ago

ThePinkUnicorn6 commented 9 months ago

Describe the bug

When using a FIDO2 USB device, Firefox will fail to create a credential on the device, erroring with the following error: `NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.`

Steps To Reproduce

Steps to reproduce the behavior:

  1. Plug the USB key into the computer, and check it is detected with lsusb.
  2. Open Firefox and go to https://webauthn.bin.coffee/
  3. Press create credential.
  4. Enter your FIDO2 device's PIN in the popup that appears.
  5. Press the button on the key.
  6. See the error in the box.

Expected behavior

When pressing the button on the device it should create the key on it.

Additional context

The issue only occurs on Nix: when testing this from Firefox on Windows and EndeavourOS on the same computer it worked without issues, and when using a Chromium-based browser on Nix it also works without issue. When booted into a NixOS live USB the issue still occurred. When using Firefox Nightly the issue still occurred. Initially posted to https://github.com/NixOS/nixpkgs/issues/290662#issuecomment-1967699520

Notify maintainers

@lovesegfault @mweinelt

Metadata

Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
this path will be fetched (0.00 MiB download, 0.00 MiB unpacked):
  /nix/store/8ckiaa7f3lzzb6mqvr32kavbmwf8s8fg-nix-info
copying path '/nix/store/8ckiaa7f3lzzb6mqvr32kavbmwf8s8fg-nix-info' from 'https://cache.nixos.org'...
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.79, NixOS, 24.05 (Uakari), 24.05.20240224.73de017`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.1`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Add a :+1: reaction to issues you find important.

mweinelt commented 9 months ago

Works for me.


ThePinkUnicorn6 commented 9 months ago

Hmm, strange. Does it work for you when using a NixOS live USB, and do you have anything in your Nix config that would affect this?

mweinelt commented 9 months ago

I just have firefox in my user packages. I'm unable to comfortably try a Live ISO right now due to Secure Boot.

ThePinkUnicorn6 commented 9 months ago

It looks like it is just creating the keys that is affected, because after creating the key in Chromium, logging in through Firefox works.

> I just have firefox in my user packages. I'm unable to comfortably try a Live ISO right now due to Secure Boot.

Ok understandable. It is possible that it is an issue with my key, as I am using a rpi pico running the pico keys firmware, but that would not make sense as to why it works with firefox on other distros but not NixOS.

mweinelt commented 9 months ago

It is very well possible that FIDO2 onboarding is still problematic with Firefox. My key was onboarded way back when Firefox did not support it. Must've been during the 112 release series. I also used Chromium to get that part done.

fabianhjr commented 6 months ago

Hi @ThePinkUnicorn6,

Could you check if, in your configuration.nix, you have libu2f-host in your udev rules?

    # Fragment: belongs inside `services = { ... };` in configuration.nix
    udev = {
      packages = with pkgs; [ libfido2 fuse ];
    };

libfido has a lot of udev rules for fido2/webauthn hardware under /etc/udev/rules.d/70-u2f.rules
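A way to check what the udev suggestion above is meant to achieve, as an added diagnostic that is not part of the thread and not nixpkgs code: it lists the hidraw nodes whose HID report descriptor declares the FIDO usage page 0xF1D0 and reports whether the current user can open them read/write. The sysfs and /dev paths are the usual Linux locations; the function names are made up for this example.

```python
import os
from pathlib import Path

FIDO_USAGE_PAGE = 0xF1D0   # HID usage page assigned to the FIDO Alliance
CTAPHID_USAGE = 0x01       # authenticator (CTAPHID) usage on that page

def is_fido_descriptor(desc: bytes) -> bool:
    """Walk HID report descriptor items; True if usage 0x01 is declared on page 0xF1D0."""
    i, usage_page = 0, None
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                      # long item: size byte, tag byte, data
            if i + 1 >= len(desc):
                return False
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]      # low two bits encode the data length
        data = desc[i + 1:i + 1 + size]
        if len(data) < size:                    # truncated descriptor
            return False
        value = int.from_bytes(data, "little")
        item = prefix & 0xFC                    # tag + type with the size bits masked off
        if item == 0x04:                        # Global item: Usage Page
            usage_page = value
        elif item == 0x08:                      # Local item: Usage
            # A 4-byte usage carries its own page in the upper 16 bits.
            page = value >> 16 if size == 4 else usage_page
            if page == FIDO_USAGE_PAGE and (value & 0xFFFF) == CTAPHID_USAGE:
                return True
        i += 1 + size
    return False

def scan_hidraw(sys_root="/sys/class/hidraw", dev_root="/dev"):
    """Return [(node, user_has_rw)] for every hidraw node that looks like a FIDO key."""
    found = []
    for entry in sorted(Path(sys_root).glob("hidraw*")):
        try:
            desc = (entry / "device" / "report_descriptor").read_bytes()
        except OSError:
            continue                            # device vanished or descriptor unreadable
        if is_fido_descriptor(desc):
            node = os.path.join(dev_root, entry.name)
            found.append((node, os.access(node, os.R_OK | os.W_OK)))
    return found

if __name__ == "__main__":
    for node, ok in scan_hidraw():
        print(node, "read/write OK" if ok else "NO ACCESS: check udev rules")
```

If the key is listed with access OK, device permissions are not what is blocking credential creation; if it is listed without access, the udev rules are not being applied to it.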

ThePinkUnicorn6 commented 6 months ago

Hi @fabianhjr, I gave what you suggested a go but unfortunately it did not make a difference to the result. Thanks for the suggestion though.

ww-daniel-mora commented 3 months ago

I'm getting the same behavior with Firefox on a Debian-based system, but only with GitHub. Google sites will let me register the security key with the Firefox browser, as will a test site, webauthn.io