gravitee-io / issues

Gravitee.io - API Platform - Issues

Internal server error on FIDO2 factor when attestation set to 'none' #8783

Closed exalate-issue-sync[bot] closed 1 year ago

exalate-issue-sync[bot] commented 1 year ago

#7967

Expected Behavior

As a user, I should be able to successfully register and sign in using FIDO2 factor

Current Behavior

Given I have set Attestation Conveyance Preference = none in web auth
And I am trying to register FIDO2 factor
Then I am getting internal server error

Possible Solution

Steps to Reproduce (for bugs)

  1. Go to Settings > WebAuthn > Attestation Conveyance Preference > select None
  2. Create a user
  3. Enable FIDO2 factor and disable all other MFA
  4. Initiate a login flow
  5. Skip passwordless
  6. Register for MFA - FIDO2 on the device using fingerprint

exalate-issue-sync[bot] commented 1 year ago

Oliver Matthews commented: leleueri commented on Jul 4 (https://app.zenhub.com/workspaces/graviteeio---access-management-5b17f74af58c642fb89cc49f/issues/gravitee-io/issues/7967#issuecomment-1173746323):

```
11:44:49.938 [vert.x-eventloop-thread-0] [] ERROR i.g.a.g.h.r.r.h.w.WebAuthnRegisterHandler - Unexpected exception
io.vertx.ext.auth.webauthn.impl.attestation.AttestationException: AAGUID is not 00000000-0000-0000-0000-000000000000!
    at io.vertx.ext.auth.webauthn.impl.attestation.NoneAttestation.validate(NoneAttestation.java:46)
    at io.vertx.ext.auth.webauthn.impl.WebAuthnImpl.verifyWebAuthNCreate(WebAuthnImpl.java:535)
    at io.vertx.ext.auth.webauthn.impl.WebAuthnImpl.authenticate(WebAuthnImpl.java:382)
    at io.vertx.reactivex.ext.auth.authentication.AuthenticationProvider.authenticate(AuthenticationProvider.java:178)
    at io.gravitee.am.gateway.handler.root.resources.handler.webauthn.WebAuthnRegisterHandler.registerV1(WebAuthnRegisterHandler.java:185)
    at io.gravitee.am.gateway.handler.root.resources.handler.webauthn.WebAuthnRegisterHandler.register(WebAuthnRegisterHandler.java:81)
    at io.gravitee.am.gateway.handler.root.resources.handler.webauthn.WebAuthnRegisterHandler.handle(WebAuthnRegisterHandler.java:69)
    at io.gravitee.am.gateway.handler.root.resources.handler.webauthn.WebAuthnRegisterHandler.handle(WebAuthnRegisterHandler.java:44)
    at io.vertx.reactivex.ext.web.Route$1.handle(Route.java:181)
    at io.vertx.reactivex.ext.web.Route$1.handle(Route.java:179)
    at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
    at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:126)
    at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:201)
    at io.vertx.reactivex.ext.web.RoutingContext.next(RoutingContext.java:139)
    at io.gravitee.am.gateway.handler.root.resources.handler.webauthn.WebAuthnAccessHandler.handle(WebAuthnAccessHandler.java:52)
    at io.gravitee.am.gateway.handler.root.resources.handler.webauthn.WebAuthnAccessHandler.handle(WebAuthnAccessHandler.java:34)
    at io.vertx.reactivex.ext.web.Route$1.handle(Route.java:181)
    at io.vertx.reactivex.ext.web.Route$1.handle(Route.java:179)
    at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
    at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:126)
```

exalate-issue-sync[bot] commented 1 year ago

Oliver Matthews commented: This is a known issue: setting `Attestation Conveyance Preference` to `None` throws the "AAGUID is not 00000000-0000-0000-0000-000000000000!" error.

It seems our implementation is as per the document and the device should not populate the aaguid. But in this case the device (for example, the Mac I am using) is generating the aaguid. As a result, the vertx library is throwing the error.

We should handle the error more gracefully rather than the service-unavailable error.
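As an added example (not Gravitee or vert.x code) of the check that fails in the trace above, written in Python: it parses the authenticatorData of a registration response, and its strict mode reproduces the zero-AAGUID rule as a catchable error so the gateway can answer with a proper client error instead of a 500, while the default mode records the AAGUID and accepts the credential. The RP ID, AAGUID and credential bytes are constructed sample values.

```python
import hashlib
import struct

ZERO_AAGUID = bytes(16)
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # authenticatorData flag bits


def parse_auth_data(auth_data: bytes) -> dict:
    """Split authenticatorData into rpIdHash, flags, signCount and, when the
    AT flag is set, the attested credential data (aaguid, credentialId)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    out = {"rpIdHash": auth_data[:32], "flags": auth_data[32],
           "signCount": struct.unpack(">I", auth_data[33:37])[0]}
    if out["flags"] & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("truncated attested credential data")
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("truncated credentialId")
        out.update({"aaguid": auth_data[37:53], "credentialId": cred_id,
                    "publicKeyCbor": auth_data[55 + cred_len:]})
    return out


def validate_none_attestation(fmt, att_stmt, auth_data, rp_id, strict_aaguid=False):
    """RP-side check for a registration whose attestation format is 'none'.
    strict_aaguid=True reproduces the rejection in the quoted trace as a catchable
    ValueError; the default keeps the credential and records the AAGUID (RP policy)."""
    if fmt != "none":
        raise ValueError(f"unexpected attestation format {fmt!r}")
    if att_stmt:  # the 'none' format carries an empty attStmt
        raise ValueError("attStmt must be empty for 'none' attestation")
    parsed = parse_auth_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the RP ID")
    if not parsed["flags"] & FLAG_AT:
        raise ValueError("registration response has no attested credential data")
    if strict_aaguid and parsed["aaguid"] != ZERO_AAGUID:
        raise ValueError("AAGUID is not 00000000-0000-0000-0000-000000000000!")
    return {"credentialId": parsed["credentialId"], "aaguid": parsed["aaguid"].hex(),
            "signCount": parsed["signCount"], "attested": False}


def make_auth_data(rp_id, aaguid, cred_id=b"\x01" * 16):
    """Constructed sample authenticatorData (UP|UV|AT, signCount 0). The trailing
    byte stands in for the COSE public key; it is a placeholder, not a real key."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", 0)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")
```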