Yubico / python-fido2

Provides library functionality for FIDO 2.0, including communication with a device over USB.
BSD 2-Clause "Simplified" License

How to pass user-verification to get-assertion? Seems like it's not working? #132

Closed PranithaReddyAedla closed 2 years ago

PranithaReddyAedla commented 2 years ago

I'm trying to handle user verification cases with FIDO authentication.

    from fido2.client import Fido2Client

    if device is not None:
        print("\nUse USB channel")
        client = Fido2Client(device, origin)
        print(client.info.options) #{'rk': True, 'up': True, 'plat': False, 'clientPin': True, 'credentialMgmtPreview': True}
        if client.info.options.get("uv"):
            # str() is needed: the option value is a bool, not a string
            print("Authenticator supports User-Verification: " + str(client.info.options.get("uv")))
        elif client.info.options.get("clientPin"):
            enter_pin()
            print("Authenticator PIN required")
        else:
            print("PIN not set, won't use")

I passed user verification to the get_assertion method both ways, as shown below, but neither of them is working.

    from fido2.utils import websafe_decode

    # Attempt 1: userVerification inside the options dict
    result = clientdev.get_assertion(
        {
            "rpId": origin,
            "challenge": websafe_decode(challenge),
            "allowCredentials": allow_list,
            "userVerification": "discouraged",
        },
        on_keepalive=on_keepalive,
        pin=PIN.pin,
    )

    # Attempt 2: user_verification as a keyword argument
    result = clientdev.get_assertion(
        {
            "rpId": origin,
            "challenge": websafe_decode(challenge),
            "allowCredentials": allow_list,
        },
        on_keepalive=on_keepalive,
        user_verification="discouraged",
        pin=PIN.pin,
    )

Even after passing user verification discouraged, I am getting this error: (<ERR.BAD_REQUEST: 2>, 'PIN required but not provided').

In the IdP, for the given origin, user verification is discouraged and it is not asking for the PIN for authentication. I need the same behavior in my app. Am I doing anything wrong in passing the user_verification value, or (#{'rk': True, 'up': True, 'plat': False, 'clientPin': True, 'credentialMgmtPreview': True}) do we have any issue with this device object created by passing the device and Okta origin?

dainnilsson commented 2 years ago

It looks like you may be using an old version of python-fido2. Please try with the latest release (0.9.3), or from master. I believe this should be fixed. If not, please re-open the issue.
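
Added example, not part of the original thread and not python-fido2's own code: a simplified model of how a client maps the `userVerification` value and the authenticator's reported options to a PIN prompt, and how a relying party checks the UV flag in the returned authenticator data. The function names, the handling of "preferred", and the `example.org` RP ID are assumptions made for illustration.

```python
import hashlib

# Added illustration: a simplified model, not python-fido2's implementation.
UP_FLAG, UV_FLAG = 0x01, 0x04  # authenticator-data flag bits defined by WebAuthn

# Option map reported by the authenticator in the issue above.
POSTER_OPTIONS = {"rk": True, "up": True, "plat": False,
                  "clientPin": True, "credentialMgmtPreview": True}


def uv_configured(options):
    """A PIN is set ("clientPin": True) or built-in UV is enrolled ("uv": True)."""
    return bool(options.get("clientPin") or options.get("uv"))


def needs_uv(options, user_verification="preferred"):
    """Decide whether the client should collect a PIN / perform UV (hypothetical helper)."""
    if user_verification not in ("required", "preferred", "discouraged"):
        raise ValueError(f"unknown userVerification: {user_verification!r}")
    if user_verification == "discouraged":
        return False                      # RP asked for no UV: do not prompt
    if user_verification == "required" and not uv_configured(options):
        raise RuntimeError("UV required but no PIN/UV configured on the device")
    return uv_configured(options)         # required, or preferred when available


def rp_accepts(auth_data, user_verification):
    """Relying-party check of the flags byte (offset 32, after the rpIdHash)."""
    if len(auth_data) < 37:               # rpIdHash(32) + flags(1) + signCount(4)
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    if not flags & UP_FLAG:
        return False                      # this model always expects user presence
    if user_verification == "required" and not flags & UV_FLAG:
        return False                      # policy demanded UV, device did not do it
    return True


def make_auth_data(rp_id, flags, sign_count=1):
    """Build constructed authenticator data (no attested credential data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


if __name__ == "__main__":
    for uv in ("discouraged", "preferred", "required"):
        print(uv, "-> prompt for PIN:", needs_uv(POSTER_OPTIONS, uv))
    touch_only = make_auth_data("example.org", UP_FLAG)   # constructed sample
    print("touch-only accepted when UV required:", rp_accepts(touch_only, "required"))
```

With "discouraged" the model never prompts, so a relying party whose policy depends on a PIN must request "required" and reject assertions whose UV flag is clear.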