goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

WebAuthn Fails (Anonymous User Error) on Safari 17.4 #8862

Closed Junto026 closed 8 months ago

Junto026 commented 8 months ago

When logging in using a passkey (WebAuthn), the login fails with "Failed to authenticate" error.

To Reproduce

  1. Use Safari 17.4, macOS Sonoma 14.4
  2. Go to Authentik login page
  3. Click "Use a security key" login option (Passwordless 2FA with WebAuthn must be configured in Authentik)
  4. Authenticate using the macOS passkey authentication pop-up
  5. Authentik reports "Failed to authenticate" error

Login continues to work normally on my other devices, including Safari and macOS running older versions of both. I updated macOS today, which leads me to suspect something related to the latest macOS / Safari version.

Expected behavior: Authentication succeeds and the Authentik workflow continues.

Screenshots: [two screenshots attached, taken 2024-03-09 at 6:27 PM and 6:28 PM]

Logs: Docker log output:

{"auth_via": "unauthenticated", "domain_url": "login.mydomain.com", "event": "/if/flow/authentication-passwordless/?next=%2F", "host": "login.mydomain.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 61, "remote": "10.0.0.100", "request_id": "47935c58b9c2471c8d3c85d9d1dac6a7", "runtime": 44, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-03-09T23:30:31.531425", "user": "", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"}

{"domain_url": null, "event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 60, "remote": "10.0.0.100", "schema_name": "public", "scheme": "ws", "timestamp": "2024-03-09T23:30:31.677211", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"}

{"auth_via": "unauthenticated", "domain_url": "login.mydomain.com", "event": "f(exec): Found existing plan for other flow, deleting plan", "flow_slug": "authentication-passwordless", "host": "login.mydomain.com", "level": "warning", "logger": "authentik.flows.views.executor", "other_flow": "ee5fa17848b1482d8832e66b3234828f", "pid": 61, "request_id": "ed3dd28d78c1421886bd9ee5b175d0c1", "schema_name": "public", "timestamp": "2024-03-09T23:30:31.740609"}

{"auth_via": "unauthenticated", "domain_url": "login.mydomain.com", "event": "/api/v3/flows/executor/authentication-passwordless/?query=next%3D%252F", "host": "login.mydomain.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 61, "remote": "10.0.0.100", "request_id": "ed3dd28d78c1421886bd9ee5b175d0c1", "runtime": 65, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-03-09T23:30:31.789417", "user": "", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"}

{"auth_via": "unauthenticated", "domain_url": "login.mydomain.com", "event": "/api/v3/flows/executor/authentication-passwordless/?query=next%3D%252F", "host": "login.mydomain.com", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 61, "remote": "10.0.0.100", "request_id": "7e92b37f16cd4936bd264c4c2cad56d4", "runtime": 49, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-03-09T23:30:31.923942", "user": "", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"}

{"auth_via": "unauthenticated", "domain_url": "login.mydomain.com", "event": "Assertion failed", "exc": "InvalidAuthenticationResponse('User verification is required but user was not verified during authentication')", "host": "login.mydomain.com", "level": "warning", "logger": "authentik.stages.authenticator_validate.challenge", "pid": 61, "request_id": "3f069d3f5ddd412c9e28f8a7f47341a7", "schema_name": "public", "timestamp": "2024-03-09T23:30:33.716705"}

{"action": "login_failed", "auth_via": "unauthenticated", "client_ip": "10.0.0.100", "context": {"device": {"app": "authentik_stages_authenticator_webauthn", "model_name": "webauthndevice", "name": "WebAuthn Device", "pk": 7}, "device_class": "webauthn", "http_request": {"args": {"next": "/"}, "method": "POST", "path": "/api/v3/flows/executor/authentication-passwordless/", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"}, "stage": {"app": "authentik_stages_authenticator_validate", "model_name": "authenticatorvalidatestage", "name": "webauthn-authentication-stage", "pk": "9e9817cf7a2f4437a6d47558b1e1fc42"}, "username": ""}, "domain_url": "login.mydomain.com", "event": "Created Event", "host": "login.mydomain.com", "level": "info", "logger": "authentik.events.models", "pid": 61, "request_id": "3f069d3f5ddd412c9e28f8a7f47341a7", "schema_name": "public", "timestamp": "2024-03-09T23:30:33.724748", "user": {"email": "", "is_anonymous": true, "pk": 1, "username": "AnonymousUser"}}

{"auth_via": "unauthenticated", "domain_url": "login.mydomain.com", "event": "Task published", "host": "login.mydomain.com", "level": "info", "logger": "authentik.root.celery", "pid": 61, "request_id": "3f069d3f5ddd412c9e28f8a7f47341a7", "schema_name": "public", "task_id": "7f676ac64bdd4696835801d7722db387", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2024-03-09T23:30:33.791517"}

{"auth_via": "unauthenticated", "domain_url": "login.mydomain.com", "event": "Task published", "host": "login.mydomain.com", "level": "info", "logger": "authentik.root.celery", "pid": 61, "request_id": "3f069d3f5ddd412c9e28f8a7f47341a7", "schema_name": "public", "task_id": "5d6632abbbd147b4ae03929bbe4473be", "task_name": "authentik.policies.reputation.tasks.save_reputation", "timestamp": "2024-03-09T23:30:33.814117"}

{"auth_via": "unauthenticated", "domain_url": "login.mydomain.com", "event": "/api/v3/flows/executor/authentication-passwordless/?query=next%3D%252F", "host": "login.mydomain.com", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 61, "remote": "10.0.0.100", "request_id": "3f069d3f5ddd412c9e28f8a7f47341a7", "runtime": 239, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-03-09T23:30:33.898880", "user": "", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"}

{"auth_via": "unauthenticated", "domain_url": "login.mydomain.com", "event": "/api/v3/flows/executor/authentication-passwordless/?query=next%3D%252F", "host": "login.mydomain.com", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 61, "remote": "10.0.0.100", "request_id": "db7c58b827bd4f5381e2633896c639ed", "runtime": 35, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-03-09T23:30:33.986108", "user": "", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"}

Authentik event log:

Context: { "stage": { "pk": "9e9817cf7a2f4437a6d47558b1e1fc42", "app": "authentik_stages_authenticator_validate", "name": "webauthn-authentication-stage", "model_name": "authenticatorvalidatestage" }, "device": { "pk": 7, "app": "authentik_stages_authenticator_webauthn", "name": "WebAuthn Device", "model_name": "webauthndevice" }, "username": "", "device_class": "webauthn", "http_request": { "args": { "next": "/" }, "path": "/api/v3/flows/executor/authentication-passwordless/", "method": "POST", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15" } }

User: { "pk": 1, "email": "", "username": "AnonymousUser", "is_anonymous": true }

Version and Deployment (please complete the following information):

Junto026 commented 8 months ago

I solved this by changing the Authenticator Validation Stage settings. Instead of using WebAuthn User verification "User verification must occur" I changed it to "User verification is preferred if available, but not required".

It seems Safari is not forcing the user verification every time like it was before.
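Added example (not authentik's or py_webauthn's own code) showing where the "User verification is required but user was not verified" error in the logs comes from and what the workaround in the comment changes: it decodes the flags byte of a WebAuthn assertion's authenticatorData and applies the relying party's user-verification requirement. The rpId is taken from the issue's logs; the sample authenticatorData bytes and the policy names ("required", "preferred", "discouraged") are constructed for the example and assumed to mirror the stage setting.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the authenticatorData flags byte (WebAuthn spec, "Authenticator Data").
FLAG_UP = 0x01  # user present: the authenticator confirmed a user gesture
FLAG_UV = 0x04  # user verified: PIN, biometric or device passcode was checked
FLAG_BE = 0x08  # backup eligible: multi-device (synced) passkey
FLAG_BS = 0x10  # backup state: the credential is currently backed up

@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    sign_count: int

def parse_auth_data(raw: bytes) -> AuthData:
    """Decode the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(raw[:32], bool(flags & FLAG_UP), bool(flags & FLAG_UV),
                    bool(flags & FLAG_BE), sign_count)

def check_assertion(raw: bytes, rp_id: str, uv_requirement: str) -> str:
    """RP-side checks around the UV flag. uv_requirement mirrors the stage setting (assumed names):
    "required" enforces UV; "preferred" and "discouraged" only record it."""
    ad = parse_auth_data(raw)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if not ad.user_present:
        return "user presence flag not set"
    if uv_requirement == "required" and not ad.user_verified:
        return "User verification is required but user was not verified during authentication"
    return "ok"

def build_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authenticatorData (no attested credential data, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

RP_ID = "login.mydomain.com"  # relying party ID from the issue's logs
# Constructed samples: the same passkey assertion with and without the UV flag set.
WITH_UV = build_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
WITHOUT_UV = build_auth_data(RP_ID, FLAG_UP | FLAG_BE | FLAG_BS)
```

Under "preferred" an assertion without the UV bit passes, so the login then rests on possession of the passkey alone; the BE/BS bits show whether that credential is a synced passkey rather than a hardware-bound one.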