goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Passwordless not working on 2024.4.1 #9513

Closed it-global-architect closed 3 months ago

it-global-architect commented 6 months ago

Describe the bug
The passwordless function returns a "Failed to authenticate" message. The same passkey works when used in the login > password > WebAuthn flow. Passkeys from both 1Password and Windows Hello fail on the passwordless flow.

To Reproduce
1. Go to auth.mydomaind
2. Click on "use a security key"
3. Click on sign in; the 1Password popup appears, or choose Windows Hello (both work for user > pass > WebAuthn but fail for passwordless)
4. Receive the "Failed to authenticate" message

Expected behavior Login success

Screenshots (images not reproduced)

Logs

authentik-server-1      | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "Task published", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.root.celery", "pid": 45, "request_id": "97a5951066a541a6a42fc5e8d50a2d2c", "schema_name": "public", "task_id": "2dbc009246144425a89610eb2255cb24", "task_name": "authentik.policies.reputation.tasks.save_reputation", "timestamp": "2024-04-29T14:39:21.965867"}
authentik-server-1      | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 45, "remote": "192.168.50.159", "request_id": "97a5951066a541a6a42fc5e8d50a2d2c", "runtime": 31, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-04-29T14:39:21.971079", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"}
authentik-server-1      | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 45, "remote": "192.168.50.159", "request_id": "cbd6ab3060b34224bc81ae78c3069bf0", "runtime": 21, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-04-29T14:39:22.011008", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"}
authentik-server-1      | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 45, "remote": "192.168.50.159", "request_id": "3658aade2d1c43ee8909fc5e6b53cb06", "runtime": 17, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-04-29T14:39:22.054367", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"}
authentik-worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "cbb6c138-60d4-46ca-b4da-fd5266f38253", "task_name": "event_notification_handler", "timestamp": "2024-04-29T14:39:22.088575"}
authentik-server-1      | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 45, "remote": "192.168.50.159", "request_id": "d9781374e7ff4a6299707aeda21342ea", "runtime": 20, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-04-29T14:39:22.094649", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"}
authentik-worker-1      | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "e4fd3c4f07c942d6bb5442b407131710", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-04-29T14:39:22.097114"}
authentik-worker-1      | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "fc5764d30aaf4032af7dc3a4c2060825", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-04-29T14:39:22.097806"}
authentik-worker-1      | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "fa151826cd5147c3818c41880d458a0c", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-04-29T14:39:22.098369"}
authentik-worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "cbb6c13860d446cab4dafd5266f38253", "task_name": "event_notification_handler", "timestamp": "2024-04-29T14:39:22.099331"}
authentik-worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "2dbc0092-4614-4425-a896-10eb2255cb24", "task_name": "save_reputation", "timestamp": "2024-04-29T14:39:22.101521"}
authentik-worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "2dbc009246144425a89610eb2255cb24", "task_name": "save_reputation", "timestamp": "2024-04-29T14:39:22.116309"}
authentik-worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "e4fd3c4f-07c9-42d6-bb54-42b407131710", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.117588"}
authentik-worker-1      | {"checker": "passes_action", "domain_url": null, "event": "Event matcher check result", "level": "info", "logger": "authentik.policies.event_matcher.models", "pid": 354, "result": "<PolicyResult passing=False messages=('Action matched.',)>", "schema_name": "public", "task_id": "task-e4fd3c4f07c942d6bb5442b407131710", "timestamp": "2024-04-29T14:39:22.129071"}
authentik-worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "e4fd3c4f07c942d6bb5442b407131710", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.130409"}
authentik-worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "fc5764d3-0aaf-4032-af7d-c3a4c2060825", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.131437"}
authentik-worker-1      | {"checker": "passes_action", "domain_url": null, "event": "Event matcher check result", "level": "info", "logger": "authentik.policies.event_matcher.models", "pid": 354, "result": "<PolicyResult passing=False messages=('Action matched.',)>", "schema_name": "public", "task_id": "task-fc5764d30aaf4032af7dc3a4c2060825", "timestamp": "2024-04-29T14:39:22.140819"}
authentik-worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "fc5764d30aaf4032af7dc3a4c2060825", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.142013"}
authentik-worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "fa151826-cd51-47c3-818c-41880d458a0c", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.143073"}
authentik-worker-1      | {"checker": "passes_action", "domain_url": null, "event": "Event matcher check result", "level": "info", "logger": "authentik.policies.event_matcher.models", "pid": 354, "result": "<PolicyResult passing=False messages=('Action matched.',)>", "schema_name": "public", "task_id": "task-fa151826cd5147c3818c41880d458a0c", "timestamp": "2024-04-29T14:39:22.152936"}
authentik-worker-1      | {"checker": "passes_action", "domain_url": null, "event": "Event matcher check result", "level": "info", "logger": "authentik.policies.event_matcher.models", "pid": 354, "result": "<PolicyResult passing=False messages=('Action matched.',)>", "schema_name": "public", "task_id": "task-fa151826cd5147c3818c41880d458a0c", "timestamp": "2024-04-29T14:39:22.155335"}
authentik-worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "fa151826cd5147c3818c41880d458a0c", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.156483"}

Version and Deployment (please complete the following information):

Additional context

{
    "user": {
        "pk": 1,
        "email": "",
        "username": "AnonymousUser",
        "is_anonymous": true
    },
    "action": "login_failed",
    "app": "authentik.events.signals",
    "context": {
        "stage": {
            "pk": "1e3f ... 2",
            "app": "authentik_stages_authenticator_validate",
            "name": "WebAuthn passwordless (custom stage)",
            "model_name": "authenticatorvalidatestage"
        },
        "device": {
            "pk": 11,
            "app": "authentik_stages_authenticator_webauthn",
            "name": "1Password",
            "model_name": "webauthndevice"
        },
        "username": "",
        "device_type": {
            "pk": "b ... d",
            "app": "authentik_stages_authenticator_webauthn",
            "name": "WebAuthn device type 1Password (b  ...   0d)",
            "model_name": "webauthndevicetype"
        },
        "device_class": "webauthn",
        "http_request": {
            "args": {
                "next": "/"
            },
            "path": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/",
            "method": "POST",
            "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"
        }
    },
    "client_ip": "192. ....159",
    "expires": "2025-04-29T14:23:25.006Z",
    "brand": {
        "pk": "f0  ...  5e",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}
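
The server and worker lines above can be tied back together, but only after normalising the task identifiers: the same Celery task is written as undashed hex in the server's "Task published" line, as a dashed UUID in the worker's "Task started" line, and with a "task-" prefix in the event-matcher lines. The following is an added example, not code from this report or from authentik. It parses docker compose style "container | {json}" lines, groups request lines by request_id and attaches the tasks each request published; the sample lines are copies of lines from this report trimmed to the fields the correlation uses.

```javascript
// Added example, not authentik code: correlate authentik's structured JSON
// log lines across the server and worker containers. Server request lines
// carry request_id; Celery task lines carry task_id, but the same task is
// written three ways ("Task published": undashed hex, "Task started": dashed
// UUID, event-matcher lines: "task-" prefix), so a normalised key is needed
// before worker lines can be tied to the request that queued the task.

function normaliseTaskId(id) {
  return String(id).replace(/^task-/, "").replace(/-/g, "").toLowerCase();
}

// Parse "container | {json}" lines; lines that are not JSON records are skipped.
function parseLogLines(text) {
  const entries = [];
  for (const raw of text.split("\n")) {
    const start = raw.indexOf("{");
    if (start < 0) continue;
    const container = raw.slice(0, start).replace(/\|\s*$/, "").trim();
    try {
      entries.push({ container, ...JSON.parse(raw.slice(start)) });
    } catch (_) {
      // not a JSON record (e.g. a traceback line)
    }
  }
  return entries;
}

// Build request_id -> { requests, tasks }. A task is attached to a request when
// the server's "Task published" line carries that request_id; worker lines with
// the same normalised task_id contribute the task's events and final state.
function correlate(entries) {
  const tasks = new Map();
  for (const e of entries) {
    if (e.task_id === undefined) continue;
    const key = normaliseTaskId(e.task_id);
    const t = tasks.get(key) || { name: null, requestId: null, events: [], state: null };
    if (e.task_name) t.name = e.task_name.split(".").pop(); // worker logs the short name
    if (e.event === "Task published" && e.request_id) t.requestId = e.request_id;
    if (["Task published", "Task started", "Task finished"].includes(e.event)) t.events.push(e.event);
    if (e.state) t.state = e.state;
    tasks.set(key, t);
  }

  const byRequest = new Map();
  const bucket = (id) => {
    if (!byRequest.has(id)) byRequest.set(id, { requests: [], tasks: [] });
    return byRequest.get(id);
  };
  for (const e of entries) {
    // Request lines have a method; their "event" field is the request path.
    if (e.method && e.request_id) {
      bucket(e.request_id).requests.push({ method: e.method, status: e.status, path: e.event, runtimeMs: e.runtime });
    }
  }
  for (const t of tasks.values()) {
    if (t.requestId) bucket(t.requestId).tasks.push({ name: t.name, events: t.events, state: t.state });
  }
  return byRequest;
}

// Sample input: lines from this issue, trimmed to the fields used above.
const SAMPLE_LOG = [
  'authentik-server-1 | {"event": "Task published", "logger": "authentik.root.celery", "request_id": "97a5951066a541a6a42fc5e8d50a2d2c", "task_id": "2dbc009246144425a89610eb2255cb24", "task_name": "authentik.policies.reputation.tasks.save_reputation"}',
  'authentik-server-1 | {"event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "logger": "authentik.asgi", "method": "POST", "request_id": "97a5951066a541a6a42fc5e8d50a2d2c", "runtime": 31, "status": 302}',
  'authentik-worker-1 | {"event": "Task started", "logger": "authentik.root.celery", "task_id": "2dbc0092-4614-4425-a896-10eb2255cb24", "task_name": "save_reputation"}',
  'authentik-worker-1 | {"event": "Task finished", "logger": "authentik.root.celery", "state": "SUCCESS", "task_id": "2dbc009246144425a89610eb2255cb24", "task_name": "save_reputation"}',
].join("\n");

function summariseSample() {
  return correlate(parseLogLines(SAMPLE_LOG));
}

for (const [requestId, info] of summariseSample()) {
  console.log(requestId, JSON.stringify(info));
}
```

On the sample the POST to the flow executor (status 302) and the save_reputation task it published end up under the same request_id, with the task's events in order and its final state SUCCESS.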
wgentine commented 6 months ago

same problem here

BeryJu commented 6 months ago

@it-global-architect @wgentine Please have a look at the browser developer console for a more detailed error message

it-global-architect commented 6 months ago

> @it-global-architect @wgentine Please have a look at the browser developer console for a more detailed error message

authentik(early): version 2024.4.1, apiBase https://auth.mydomain.com/api/v3 config.ts:89:8
authentik(early): version 2024.4.1, apiBase https://auth.mydomain.com/api/v3 config.ts:89:8
Setting Locale to ... English (en) ak-locale-context.ts:81:20
authentik/ws: connected to wss://auth.mydomain.com/ws/client/ ws.ts:29:20
authentik/api[authentik-default]: 200 GET https://auth.mydomain.com/api/v3/root/config/ middleware.ts:34:16
authentik/api[authentik-default]: 200 GET https://auth.mydomain.com/api/v3/core/brands/current/ middleware.ts:34:16
Retrieving "b5x-stateful-inline-icon" flag errored: timed out - falling back injected.js:4:473899
authentik/api[authentik-default]: 200 GET https://auth.mydomain.com/api/v3/root/config/ middleware.ts:34:16
authentik/api[authentik-default]: 200 GET https://auth.mydomain.com/api/v3/core/brands/current/ middleware.ts:34:16
authentik/api[authentik-default]: 200 GET https://auth.mydomain.com/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F middleware.ts:34:16
authentik/api[authentik-default]: 200 POST https://auth.mydomain.com/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F
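
The console lines above show only the API round-trips, not the WebAuthn ceremony itself. The following is an added example, not code from this issue or from authentik: a wrapper around navigator.credentials.get() that logs the request options and the returned assertion, and flags the conditions that break a usernameless login (an rpId that does not match the page host, a non-empty allow list, or an assertion without a userHandle, which is what the server needs to identify the account when no username was entered). The host name auth.mydomain.com, the constructed fake authenticator and the warning wording are assumptions for illustration, and nothing here establishes the cause of the failure reported in this issue.

```javascript
// Added example, not authentik code: instrument navigator.credentials.get() so
// the developer console shows the WebAuthn request and the assertion the
// authenticator returns, then flag what would break a usernameless login.
// Assumes the page calls navigator.credentials.get() directly. The wrapper
// takes any object with a get() method, so it also runs under Node against
// the constructed fake at the bottom.

// base64url for ArrayBuffer/Uint8Array, the usual way credential IDs are shown.
function toBase64url(buf) {
  if (buf === null || buf === undefined) return null;
  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ""); // btoa: browsers and Node >= 16
}

// Request side: rpId must be the page's hostname or a registrable suffix of it;
// a usernameless request has an empty allowCredentials list (the authenticator
// picks a discoverable credential); userVerification defaults to "preferred".
function summariseRequest(options) {
  const pk = (options && options.publicKey) || {};
  return {
    rpId: pk.rpId || null,
    allowCredentials: (pk.allowCredentials || []).length,
    userVerification: pk.userVerification || "preferred",
    challengeBytes: pk.challenge ? new Uint8Array(pk.challenge).byteLength : 0,
  };
}

// Assertion side: with an empty allow list the server can only identify the
// account from userHandle, which authenticators return for discoverable
// (resident) credentials.
function summariseAssertion(cred) {
  const r = cred.response;
  return {
    credentialId: toBase64url(cred.rawId),
    userHandle: toBase64url(r.userHandle),
    authenticatorDataBytes: new Uint8Array(r.authenticatorData).byteLength,
    signatureBytes: new Uint8Array(r.signature).byteLength,
  };
}

// Plain-language warnings from the two summaries; pageHost is location.hostname in a browser.
function diagnose(req, asr, pageHost) {
  const warnings = [];
  if (!req.rpId) warnings.push("request has no rpId");
  else if (pageHost && pageHost !== req.rpId && !pageHost.endsWith("." + req.rpId)) {
    warnings.push(`rpId ${req.rpId} does not match page host ${pageHost}`);
  }
  if (req.allowCredentials > 0) warnings.push("allowCredentials is not empty: this is not a usernameless request");
  if (asr && asr.userHandle === null) {
    warnings.push("assertion has no userHandle: credential is not discoverable, server cannot map it to a user");
  }
  return warnings;
}

// Replacement get() that logs both sides and re-throws, so the flow's own error path still runs.
function wrapCredentialsGet(credentials, pageHost, log = console.log) {
  const original = credentials.get.bind(credentials);
  return async function get(options) {
    const req = summariseRequest(options);
    log("webauthn get() request", req);
    try {
      const cred = await original(options);
      const asr = summariseAssertion(cred);
      log("webauthn get() assertion", asr, diagnose(req, asr, pageHost));
      return cred;
    } catch (err) {
      log("webauthn get() failed", err && err.name, err && err.message, diagnose(req, null, pageHost));
      throw err;
    }
  };
}

// Browser: paste this into the console before clicking "use a security key".
if (typeof navigator !== "undefined" && navigator.credentials && typeof location !== "undefined") {
  navigator.credentials.get = wrapCredentialsGet(navigator.credentials, location.hostname);
}

// Constructed fake authenticator for running outside a browser (userHandle: ArrayBuffer or null).
function fakeCredentials(userHandle) {
  return {
    async get() {
      return {
        rawId: new Uint8Array([1, 2, 3, 4]).buffer,
        response: { userHandle, authenticatorData: new Uint8Array(37).buffer, signature: new Uint8Array(64).buffer },
      };
    },
  };
}
```

Once the wrapper is installed, a login attempt prints the request summary, then either the assertion summary with its warnings or the DOMException name and message (for example NotAllowedError when the user cancels or the authenticator times out). Comparing the credentialId and userHandle printed here against the device recorded in the login_failed event narrows down whether the browser side or the server side rejected the assertion.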

it-global-architect commented 6 months ago

@BeryJu I tested on Firefox and Edge. Both without success.

it-global-architect commented 6 months ago

Update: tested on iPhone and iPad Safari. Same error as on Windows browsers.

MaxPelly commented 6 months ago

If, after getting the failed login, you refresh the page and re-present the token, does it let you in? Could be something similar to #5972

it-global-architect commented 6 months ago

> If, after getting the failed login, you refresh the page and re-present the token, does it let you in? Could be something similar to #5972

I just tried refreshing the page 5 times and unfortunately no luck.

imightbelosthere commented 6 months ago

Facing the same situation when trying to use a passkey on an Android device. A passkey used "locally" works fine; if I try to use another device as the passkey it just errors out, and if I retry I get into the same loop as OP. Authentik version 2024.4.2 running on a docker compose deployment. Tested on a Surface Pro X (local passkey works - remote doesn't) and an Android device (local passkey works - remote doesn't).

authentik-automation[bot] commented 4 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.