Can't add/edit/remove WebAuthn Credentials

[llaumgui]

Version

v4.38.0

Deployment Method

Docker

Reverse Proxy

Traefik

Reverse Proxy Version

2.11.0

Description

When I want edit / delete / add a WebAuthn Credentials, I must put my OTP. But when I put it, I have 403 on PUT:/api/user/session/elevation.

Be sure that my OTP allow to logged.

Reproduction

Go to new settings dashboard. Edit / add or delete a WebAuthn Credentials.

Expectations

No response

Configuration (Authelia)

No response

Build Information

docker exec -it auth_authelia authelia build-info
Last Tag: v4.38.0
State: tagged clean
Branch: v4.38.0
Commit: a53395fd7e4f40f0ac26e29a0b722c52c3015a06
Build Number: 27593
Build OS: linux
Build Arch: amd64
Build Compiler: gc
Build Date: Thu, 14 Mar 2024 22:12:25 +1100
Extra: 

Go: 
    Version: go1.22.1
    Module Path: github.com/authelia/authelia/v4
    Executable Path: github.com/authelia/authelia/v4/cmd/authelia
    Settings:
        -buildmode: pie
        -compiler: gc
        -trimpath: true
        DefaultGODEBUG: httplaxcontentlength=1,httpmuxgo121=1,tls10server=1,tlsrsakex=1,tlsunsafeekm=1
        CGO_ENABLED: 1
        GOARCH: amd64
        GOOS: linux
        GOAMD64: v1
        vcs: git
        vcs.revision: a53395fd7e4f40f0ac26e29a0b722c52c3015a06
        vcs.time: 2024-03-14T10:49:39Z
        vcs.modified: true
    Dependencies:
        authelia.com/provider/oauth2@v0.0.0-20240313001612-43d016545b81 (h1:BmwFLBmC6kbZC4++6Vzfq19r/xkI7hJ6jiKfmDbSPzc=)
        filippo.io/edwards25519@v1.1.0 (h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=)
        github.com/Azure/go-ntlmssp@v0.0.0-20221128193559-754e69321358 (h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=)
        github.com/Gurpartap/logrus-stack@v0.0.0-20170710170904-89c00d8a28f4 (h1:vdT7QwBhJJEVNFMBNhRSFDRCB6O16T28VhvqRgqFyn8=)
        github.com/andybalholm/brotli@v1.1.0 (h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=)
        github.com/asaskevich/govalidator@v0.0.0-20230301143203-a9d515a09cc2 (h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=)
        github.com/authelia/jsonschema@v0.1.7 (h1:RbtTeTG7GiWIrx2A+3O+b33jr/mLlSmqGYyk1w5gLNA=)
        github.com/authelia/otp@v1.0.0 (h1:X6YeBMb16CkW8fFpLBQc0ams+Ed0zw1R/5pfih/1vLU=)
        github.com/beorn7/perks@v1.0.1 (h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=)
        github.com/boombuler/barcode@v1.0.1 (h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=)
        github.com/cespare/xxhash/v2@v2.2.0 (h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=)
        github.com/davecgh/go-spew@v1.1.1 (h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=)
        github.com/dgraph-io/ristretto@v0.1.1 (h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8=)
        github.com/dgryski/go-rendezvous@v0.0.0-20200823014737-9f7001d12a5f (h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=)
        github.com/dlclark/regexp2@v1.4.0 (h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E=)
        github.com/duosecurity/duo_api_golang@v0.0.0-20240205144049-bb361ad4ae1c (h1:xFrCg835Y/ig7iWQqyVmGFG5cd1OztnlN3rF64ltEpY=)
        github.com/dustin/go-humanize@v1.0.1 (h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=)
        github.com/facebookgo/stack@v0.0.0-20160209184415-751773369052 (h1:JWuenKqqX8nojtoVVWjGfOF9635RETekkoH6Cc9SX0A=)
        github.com/fasthttp/router@v1.5.0 (h1:3Qbbo27HAPzwbpRzgiV5V9+2faPkPt3eNuRaDV6LYDA=)
        github.com/fasthttp/session/v2@v2.5.4 (h1:SeblRaKHYQoVBjJIF1KlZD0F8QX1poA80h/KaLhNo8I=)
        github.com/fsnotify/fsnotify@v1.7.0 (h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=)
        github.com/fxamacker/cbor/v2@v2.6.0 (h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=)
        github.com/go-asn1-ber/asn1-ber@v1.5.5 (h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=)
        github.com/go-crypt/crypt@v0.2.19 (h1:9VFKbVCuWH4cQDbjUA6fGiaHx+w0CXI19rHQGTZqESE=)
        github.com/go-crypt/x@v0.2.13 (h1:YUgKO62hIcPz11ViwHZx89g/OJhOis9+kK13ZunWpS0=)
        github.com/go-jose/go-jose/v4@v4.0.1 (h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=)
        github.com/go-ldap/ldap/v3@v3.4.6 (h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=)
        github.com/go-sql-driver/mysql@v1.8.0 (h1:UtktXaU2Nb64z/pLiGIxY4431SJ4/dR5cjMmlVHgnT4=)
        github.com/go-viper/mapstructure/v2@v2.0.0-alpha.1 (h1:TQcrn6Wq+sKGkpyPvppOz99zsMBaUOKXq6HSv655U1c=)
        github.com/go-webauthn/webauthn@v0.10.2 (h1:OG7B+DyuTytrEPFmTX503K77fqs3HDK/0Iv+z8UYbq4=)
        github.com/go-webauthn/x@v0.1.9 (h1:v1oeLmoaa+gPOaZqUdDentu6Rl7HkSSsmOT6gxEQHhE=)
        github.com/golang-jwt/jwt/v5@v5.2.1 (h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=)
        github.com/golang/glog@v1.2.0 (h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68=)
        github.com/golang/protobuf@v1.5.3 (h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=)
        github.com/google/go-tpm@v0.9.0 (h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk=)
        github.com/google/uuid@v1.6.0 (h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=)
        github.com/hashicorp/go-cleanhttp@v0.5.2 (h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=)
        github.com/hashicorp/go-retryablehttp@v0.7.5 (h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=)
        github.com/iancoleman/orderedmap@v0.3.0 (h1:5cbR2grmZR/DiVt+VJopEhtVs9YGInGIxAoMJn+Ichc=)
        github.com/jackc/pgpassfile@v1.0.0 (h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=)
        github.com/jackc/pgservicefile@v0.0.0-20221227161230-091c0ba34f0a (h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=)
        github.com/jackc/pgx/v5@v5.5.5 (h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=)
        github.com/jackc/puddle/v2@v2.2.1 (h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=)
        github.com/jmoiron/sqlx@v1.3.5 (h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g=)
        github.com/klauspost/compress@v1.17.6 (h1:60eq2E/jlfwQXtvZEeBUYADs+BwKBWURIY+Gj2eRGjI=)
        github.com/knadh/koanf/maps@v0.1.1 (h1:G5TjmUh2D7G2YWf5SQQqSiHRJEjaicvU0KpypqB3NIs=)
        github.com/knadh/koanf/parsers/yaml@v0.1.0 (h1:ZZ8/iGfRLvKSaMEECEBPM1HQslrZADk8fP1XFUxVI5w=)
        github.com/knadh/koanf/providers/confmap@v0.1.0 (h1:gOkxhHkemwG4LezxxN8DMOFopOPghxRVp7JbIvdvqzU=)
        github.com/knadh/koanf/providers/env@v0.1.0 (h1:LqKteXqfOWyx5Ab9VfGHmjY9BvRXi+clwyZozgVRiKg=)
        github.com/knadh/koanf/providers/posflag@v0.1.0 (h1:mKJlLrKPcAP7Ootf4pBZWJ6J+4wHYujwipe7Ie3qW6U=)
        github.com/knadh/koanf/v2@v2.1.0 (h1:eh4QmHHBuU8BybfIJ8mB8K8gsGCD/AUQTdwGq/GzId8=)
        github.com/mattn/go-sqlite3@v1.14.22 (h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=)
        github.com/mitchellh/copystructure@v1.2.0 (h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=)
        github.com/mitchellh/mapstructure@v1.5.0 (h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=)
        github.com/mitchellh/reflectwalk@v1.0.2 (h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=)
        github.com/mohae/deepcopy@v0.0.0-20170929034955-c48cc78d4826 (h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw=)
        github.com/ory/herodot@v0.10.3-0.20230807143059-27cd6936499b (h1:AEUyF55UrqTuhJh72I9azACdJrRrDBBjK/XWgVxuQvY=)
        github.com/ory/x@v0.0.616 (h1:iaojp7MvFW1cdirSZFK/XeuJvyhUEVXQdY61bmIOkzk=)
        github.com/philhofer/fwd@v1.1.2 (h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=)
        github.com/pkg/errors@v0.9.1 (h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=)
        github.com/pmezard/go-difflib@v1.0.0 (h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=)
        github.com/prometheus/client_golang@v1.19.0 (h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=)
        github.com/prometheus/client_model@v0.5.0 (h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=)
        github.com/prometheus/common@v0.48.0 (h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=)
        github.com/prometheus/procfs@v0.12.0 (h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=)
        github.com/redis/go-redis/v9@v9.5.1 (h1:H1X4D3yHPaYrkL5X06Wh6xNVM/pX0Ft4RV0vMGvLBh8=)
        github.com/savsgio/gotils@v0.0.0-20240303185622-093b76447511 (h1:KanIMPX0QdEdB4R3CiimCAbxFrhB3j7h0/OvpYGVQa8=)
        github.com/sirupsen/logrus@v1.9.3 (h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=)
        github.com/spf13/cobra@v1.8.0 (h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=)
        github.com/spf13/pflag@v1.0.5 (h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=)
        github.com/stretchr/testify@v1.9.0 (h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=)
        github.com/tinylib/msgp@v1.1.9 (h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU=)
        github.com/trustelem/zxcvbn@v1.0.1 (h1:mp4JFtzdDYGj9WYSD3KQSkwwUumWNFzXaAjckaTYpsc=)
        github.com/valyala/bytebufferpool@v1.0.0 (h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=)
        github.com/valyala/fasthttp@v1.52.0 (h1:wqBQpxH71XW0e2g+Og4dzQM8pk34aFYlA1Ga8db7gU0=)
        github.com/wneessen/go-mail@v0.4.1 (h1:m2rSg/sc8FZQCdtrV5M8ymHYOFrC6KJAQAIcgrXvqoo=)
        github.com/x448/float16@v0.8.4 (h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=)
        golang.org/x/crypto@v0.21.0 (h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=)
        golang.org/x/net@v0.22.0 (h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=)
        golang.org/x/oauth2@v0.18.0 (h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=)
        golang.org/x/sync@v0.6.0 (h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=)
        golang.org/x/sys@v0.18.0 (h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=)
        golang.org/x/term@v0.18.0 (h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=)
        golang.org/x/text@v0.14.0 (h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=)
        google.golang.org/genproto/googleapis/rpc@v0.0.0-20231106174013-bbf56f31fb17 (h1:Jyp0Hsi0bmHXG6k9eATXoYtjd6e2UzZ1SCn/wIupY14=)
        google.golang.org/grpc@v1.59.0 (h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=)
        google.golang.org/protobuf@v1.33.0 (h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=)
        gopkg.in/yaml.v3@v3.0.1 (h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=)

Logs (Authelia)

time="2024-03-14T14:41:05+01:00" level=error msg="Error occurred validating user session elevation One-Time Code challenge for user 'XXXXXX': error occurred retrieving the code challenge from the storage backend" error="the code didn't match any recorded code challenges" method=PUT path=/api/user/session/elevation remote_ip=X.X.X.X stack="github.com/authelia/authelia/v4/internal/handlers/handler_session_elevation.go:271 UserSessionElevationPUT\ngithub.com/authelia/authelia/v4/internal/middlewares/require_auth.go:19            Require1FA.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                  handleRouter.(*BridgeBuilder).Build.func6.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:56                 SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:82                 SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:12                 SecurityHeaders.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/delay.go:14                   handleRouter.handleRouter.ArbitraryDelay.func11.func12\ngithub.com/fasthttp/router@v1.5.0/router.go:441                                    (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14             handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/metrics.go:23                 handleRouter.NewMetricsRequest.func42.1\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38                  RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.52.0/server.go:2374                                 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.52.0/workerpool.go:224                              (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.52.0/workerpool.go:196                              (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695                                                           goexit"

Logs (Proxy / Application)

No response

Documentation

No response

Pre-Submission Checklist

• [X] I agree to follow the Code of Conduct

• [X] This is a bug report and not a support request

• [X] I have read the security policy and this bug report is not a security issue or security related issue

• [X] I have either included the complete configuration file or I am sure it's unrelated to the configuration

• [X] I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant

• [X] I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide

• [X] I have checked for related proxy or application logs and included them if available

• [X] I have checked for related issues and checked the documentation

[glime-ai[bot]]

Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.

---

Based on the information provided, it seems like you're encountering an issue with session elevation via One-Time Password (OTP) when trying to modify WebAuthn credentials, resulting in a 403 error. This error is specifically mentioned in the logs as "the code didn't match any recorded code challenges," indicating a mismatch or an issue with the OTP validation process.

Given the context, here are a few steps and considerations to troubleshoot and potentially resolve the issue:

1. Ensure Correct OTP Entry: Double-check that the OTP entered is correct and generated for the current time window. OTPs are time-sensitive, and even slight discrepancies in system time between your device and the server can cause validation failures.

2. System Time Synchronization: Ensure that the system time on the server hosting Authelia and your OTP-generating device (usually a smartphone) are synchronized. Time drift can lead to OTP mismatches. You can use NTP (Network Time Protocol) services to keep the server time accurate.

3. Check Authelia Configuration: Review your Authelia configuration for any misconfigurations, especially around the second factor authentication settings. The Time-based One Time Password documentation might provide additional insights into configuration options and requirements.

4. Review Proxy Configuration: Since you're using Traefik as a reverse proxy, ensure that it's correctly configured to work with Authelia. Misconfigurations in the proxy can lead to various issues, including session handling and authentication flow disruptions. The Traefik integration guide on Authelia's documentation might offer useful configuration examples and tips.

5. Consult Authelia's Documentation and Community: If the issue persists, consider reaching out to the Authelia community or consulting the documentation for further assistance. There might be known issues or additional troubleshooting steps available that could help resolve your specific problem.

6. Check for Authelia Updates: Ensure that you're running the latest version of Authelia. If you're not, consider upgrading since the issue you're facing might have been addressed in a newer version.

If after following these steps the issue remains unresolved, providing more detailed logs, configuration snippets (with sensitive information redacted), and any additional context about your setup could help in diagnosing the problem more effectively.

This comment was generated by Glime.

[james-d-elliott]

What do you mean OTP? Are you entering the code that was emailed to you?

[llaumgui]

I have already OTP configured. I use my application for that. My webauthn device is flagged legacy and I would like delete and add after the same key.

[james-d-elliott]

Use the emailed one time code as you're prompted. Feel free to open a discussion instead of an issue if you need help.

[llaumgui]

Hi,

Thx, in fact, is a sender SMTP issue. Just that is not clear in the log reading.

Thx, you can close.