Open t4moxjc7 opened 8 months ago
varjolintu
commented
8 months ago It would be also nice to report with what browser the problem occurred (some sites might have exceptions for Firefox). The Passkeys support is not yet fully complete, so reports like this were expected. Some of the problems might be possible to fix on the extension side.
varjolintu
commented
8 months ago GitLab does not set rp.id at all, and one check on KeePassXC side fails (the check returns too soon). Eventually this must be fixed on KeePassXC side, but we can also add an exception to the extension.
t4moxjc7
commented
8 months ago It would be also nice to report with what browser the problem occurred (some sites might have exceptions for Firefox). The Passkeys support is not yet fully complete, so reports like this were expected. Some of the problems might be possible to fix on the extension side.
Good thought, I've added the browser for my entries.
varjolintu
commented
8 months ago PayPal says in their FAQ:
Who can set up a passkey? Passkeys are currently available for eligible personal and premier accounts. Passkeys can only be created on devices for which you have set up a screen lock with Chrome (Android or Apple devices) and Safari (Apple devices only) browsers.
It's possible to register a 2FA security key to KeePassXC, but when trying to authenticate it, the request only supports usb, nfc and ble transports. KeePassXC currently requires internal to be in this list.
droidmonkey
commented
8 months ago Seems a little strange to allow registration though? How come there is no constraint on that side?
varjolintu
commented
8 months ago Seems a little strange to allow registration though? How come there is no constraint on that side?
This works because we allow cross-platform authenticators as well, possibly acting as security keys. Microsoft's site is the same, but there's no separate Passkeys section at all. Just a security key option.
klixx23
commented
8 months ago Hello,
i have also found another website
| Browser | Passkey Action | URL | Website error | KeepassXC error | Notes |
|---|---|---|---|---|---|
| Brave | create | https://passkey.org/ | [none] | PassKey created and save in database, but login is not possible |
traviss64
commented
8 months ago My question is how to add passkey on keepass? It only shows an option to "impport passkey" but most sites I use passkey on don't have an option to export passkeys
Edit: Okay had to enable in the extension
Getting error - Origin and RP ID do not match. on techlore forum
luzat
commented
8 months ago I have tried to add a Passkey to coinbase.com using the Firefox browser extension. KeePassXC 2.7.7 added this key to its database, but Coinbase stored it as a security key (just like a YubiKey). Now, when trying to authenticate, Coinbase can't find the security key, possibly because it's requesting only usb and nfc:
{
"challenge": "***",
"enterpriseAttestationPossible": false,
"rpId": "coinbase.com",
"timeout": 30000,
"userVerification": "discouraged",
"allowCredentials": [
{
"id": "***",
"transports": [
"usb",
"nfc"
],
"type": "public-key"
}
]
}After patching kpxcPasskeysUtils.buildCredentialRequestOptions in passkey-utils.js (transports: [...transports, 'internal']) I was able to authenticate with Coinbase again, even though it requested an external key. An advanced option in KeePassXC to allow handling usb and nfc requests would be helpful. Also, the original registration should either not have succeeded or somehow indicated that the key is a Passkey, not a hardware security key.
varjolintu
commented
8 months ago Deleted Namecheap from the list. They only support U2F keys.
varjolintu
commented
8 months ago Seems GitLab is using this extension: https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-appid-extension (which we are not handling yet).
varjolintu
commented
8 months ago https://github.com/keepassxreboot/keepassxc-browser/pull/2141 This PR can be tested with the problematic sites.
t4moxjc7
commented
8 months ago keepassxreboot/keepassxc-browser#2141 This PR can be tested with the problematic sites.
I've put test results for my entries (and passkey.org) in the table now - its fixed PayPal and Discourse.
I also removed google from the table as that is now working with the current extension version. Maybe a change on their end or I did something differently.
varjolintu
commented
8 months ago In my own testing Nintendo should be also fixed. For Playstation.com I could not log in even with normal credentials (there's always some error).
With Microsoft I managed to create a Passkey and login normally. After that I tried it again and then it just gave me a OS/browser level popups again. I really don't know why it fails most of the tries.
Wikipedia requires a separate rollout for 2FA with new users, so I didn't manage to test that. I'd like to see some debug data if possible.
(If anyome wants to help the process, enable Debug Logging in the extension and inspect the JavaScript console on the web page during logins. You can find the public key objects there.)
varjolintu
commented
8 months ago For MangaDex (which uses Keycloak), I am unable to set up a passkey since it returns the following:
Security key registration result is invalid. 9: No supported algorithms were provided.
(Note: I can create and use passkeys with GitHub, so I am wondering whether MangaDex's issue is similar to bitwarden/clients#6804 .)
This seems like a Keycloak issue, that is already resolved: https://github.com/keycloak/keycloak/pull/20832 Can you verify if the algorithm identifier is still a string with the site you are using?
varjolintu
commented
8 months ago Can you verify if the algorithm identifier is still a string with the site you are using?
How do I check the algorithm identifier (on Firefox)?
Enable Debug Logging from the browser extension settings and inspect the JavaScript console via Inspect when right-clicking on the web page. It should show you the Public Key object during register (do not paste any ID's or actual data from it here).
varjolintu
commented
8 months ago Is this the information you requested?
[Debug passkeys.js:36] KeePassXC-Browser - publicKey global.js:124:13 (... ... ...) pubKeyCredParams: (6) (... ... ...) global.js:127:17 [Debug keepassxc-browser.js:843] KeePassXC-Browser - No supported algorithms were provided. global.js:124:13
Yes. That object should include the pubKeyCredParams list.
t4moxjc7
commented
8 months ago In my own testing Nintendo should be also fixed. For Playstation.com I could not log in even with normal credentials (there's always some error).
With Microsoft I managed to create a Passkey and login normally. After that I tried it again and then it just gave me a OS/browser level popups again. I really don't know why it fails most of the tries.
Wikipedia requires a separate rollout for 2FA with new users, so I didn't manage to test that. I'd like to see some debug data if possible.
(If anyome wants to help the process, enable Debug Logging in the extension and inspect the JavaScript console on the web page during logins. You can find the public key objects there.)
No luck with Nintendo, but here is the debug output for Wikipedia:
{
"attestation": "none",
"authenticatorSelection": {
"requireResidentKey": false,
"userVerification": "preferred"
},
"challenge": "[removed]",
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -7
}
],
"rp": {
"name": "Wikipedia",
"id": "en.wikipedia.org"
},
"timeout": 60000,
"excludeCredentials": [],
"user": {
"displayName": "[removed]",
"id": "[removed]",
"name": "[removed]"
}
}@t4moxjc7 Nintendo.com still works fine for me. The debug output of Wikipedia doesn't show anything strange.
EDIT: And just tested Microsoft again. It let me create a Passkey and even sign-in works without problems.
Ollipop030
commented
8 months ago Nintendo.com still works fine for me. The debug output of Wikipedia doesn't show anything strange.
EDIT: And just tested Microsoft again. It let me create a Passkey and even sign-in works without problems.
Strange, Nintendo doesn´t work for me on Brave Browser, "Passkeys cannot be used on this device."
And Microsoft: I can´t even find where to add passkeys. I can add hardware keys (such as a yubikey). When want to convert my account to a passwordless account, it wants me to scan a qr code via the MS authenticator app.
CrendKing
commented
8 months ago bitwarden.com doesn't work for me. Error message:
Error creating passkey
There was a problem creating your passkey.Debug output:
{
"attestation": "none",
"authenticatorSelection": {
"requireResidentKey": true,
"userVerification": "required"
},
"challenge": "<redacted>",
"extensions": {
"prf": {}
},
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -7
},
{
"type": "public-key",
"alg": -257
},
{
"type": "public-key",
"alg": -37
},
{
"type": "public-key",
"alg": -35
},
{
"type": "public-key",
"alg": -258
},
{
"type": "public-key",
"alg": -38
},
{
"type": "public-key",
"alg": -36
},
{
"type": "public-key",
"alg": -259
},
{
"type": "public-key",
"alg": -39
},
{
"type": "public-key",
"alg": -8
}
],
"rp": {
"id": "vault.bitwarden.com",
"name": "Bitwarden"
},
"timeout": 60000,
"excludeCredentials": [],
"user": { <redacted> }
}@CrendKing We don't support the prf extension yet, which is required by Bitwarden's login.
haldi4803
commented
8 months ago And Microsoft: I can´t even find where to add passkeys. I can add hardware keys (such as a yubikey). When want to convert my account to a passwordless account, it wants me to scan a qr code via the MS authenticator app.
It's a little hidden....
https://account.live.com/proofs/manage/additional
Under all your passwords there is a blue + sign which allows to add a new one.
But it only allows for USB or NFC key. neither work with Firefox v123.0.1 and Addon 1.9.0.1 on Windows 10
varjolintu
commented
8 months ago @haldi4803 The next extension update should allow it.
slubman
commented
8 months ago On firefox, I have the same error message as the first poster for discourse forums, when trying to use the created passkey.
Can confirm login now work with KeePassXC-Browser 1.9.0.2
uprprc777
commented
8 months ago I just tried to create a passkey for microsoft.com for more than 10 times. All attempts failed. No KeePassXC prompt but only OS / browser prompts.
Chrome 122.0.6261.129 KeePassXC 2.7.7 KeePassXC-Browser Version: 1.9.0.2 macOS 14.4
BTW, I also tried Strongbox on microsoft.com, not working either.
varjolintu
commented
8 months ago @uprprc777 I have no idea why sometimes it works without any problems, but 90% of the time the OS/browser level popup is shown. The site has no errors in the console to indicate where the possible issue is.
hex-m
commented
8 months ago I got the Origin and RP ID do not match.-Error when I tried to create a Passkey on a Mastodon-Instance. (Firefox 115.8.0esr (64-bit ) on Debian)
I noticed that Mastodon asks for the PIN of the Webauthn-Device first (user_verification). That could be related? https://github.com/mastodon/mastodon/issues/15936
UPDATE: I can confirm that my problem disappeared after the update to 1.9.0.2. Thanks a lot! <3
varjolintu
commented
8 months ago @hex-m Wait for the 1.9.0.2 version of the extension, which is already mentioned in the thread. You didn't mention the version you are using.
To everyone else: please do not report errors if you are still using 1.9.0.1, thanks.
lichwala
commented
8 months ago There is another site with problems on using passkeys in KeePassXC, as described in #10486
varjolintu
commented
8 months ago @t4moxjc7 Have you had the chance to test the sites with 1.9.0.2?
t4moxjc7
commented
8 months ago @t4moxjc7 Have you had the chance to test the sites with 1.9.0.2?
Not yet. I'll try it out.
t4moxjc7
commented
8 months ago Updated table
litcc
commented
8 months ago On March 11th, when the passkey feature was first updated, I was able to successfully add passkey from Microsoft and was able to log in without any problems. And today I can't add it again successfully, the already added passkey can login normally. Not sure what the problem is.
Test Environment 1: KeePassXC - 2.7.7 KeePassXC-Browser - 1.9.0.2 Operating system: Win64 Browser: Microsoft Edge 122.0.0.0
Test Environment 2: KeePassXC - 2.7.7 KeePassXC-Browser - 1.9.0.2 Operating system: Win64 Browser: Chrome/Chromium 122.0.0.0
varjolintu
commented
8 months ago @litcc I have had the same error multiple times. At some point it worked normally, then stopped working. I'll contact Microsoft and see if we could get some help for this issue.
pbulteel
commented
8 months ago I've found another site. Kayak.com support passkeys but give the "Passkeys It looks like your current browser does not support passkeys. You can still add a passkey to your KAYAK account from another device."
KeePassXC - 2.7.7 KeePassXC-Browser - 1.9.0.2 Operating System: Pop!_OS 22.04 LTS Browser: Google Chrome 123.0.6312.86
piyushgarg
commented
7 months ago Error::: No Supported Algorithms were provided error coming with this server.
{
"attestation": "none",
"authenticatorSelection": {
"userVerification": "required"
},
"challenge": "<hidden>",
"pubKeyCredParams": [
{
"alg": "-7",
"type": "public-key",
"id": null
},
{
"alg": "-257",
"type": "public-key",
"id": null
}
],
"rp": {
"id": "internal.identity.server.com",
"name": "unique server id"
},
"timeout": 30000,
"excludeCredentials": [],
"user": {
"displayName": "user name",
"id": "user id",
"name": "user email id"
}
}@piyushgarg That's logical because the "alg" is returned as a string and not as an integer. The server does not respect the specification.
droidmonkey
commented
7 months ago I was looking at this for 10 minutes and couldn't figure out why it was broken, makes total sense now. We could "detect" this situation though (QJsonValue::isString()) and do a QString::toInt() instead. I wish Qt would just do this on the fly... or at least have an API to "convertInt" or something.
varjolintu
commented
7 months ago @droidmonkey We could also do this on the extension side where we wrap the object for transfer using JavaScripts's Number(). This way we could still keep KeePassXC side compliant with the specification.
piyushgarg
commented
7 months ago @piyushgarg That's logical because the
"alg"is returned as a string and not as an integer. The server does not respect the specification.
Is there a way to overcome this and try it out. I am not sure how many invalid servers we will get.
varjolintu
commented
7 months ago @piyushgarg That's logical because the
"alg"is returned as a string and not as an integer. The server does not respect the specification.Is there a way to overcome this and try it out. I am not sure how many invalid servers we will get.
It's not possible right now. I suggest contacting the server admin and take care of possible updates. At least older versions of Keycloak has exactly this kind of bug with passkeys.
varjolintu
commented
7 months ago I've found another site. Kayak.com support passkeys but give the "Passkeys It looks like your current browser does not support passkeys. You can still add a passkey to your KAYAK account from another device."
KeePassXC - 2.7.7 KeePassXC-Browser - 1.9.0.2 Operating System: Pop!_OS 22.04 LTS Browser: Google Chrome 123.0.6312.86
Kayak.com has restricted the access for passkeys to certain browsers (like Chrome and Safari on iOS).
droidmonkey
commented
7 months ago Kayak.com has restricted the access for passkeys to certain browsers (like Chrome and Safari on iOS).
Im so glad we got so much crap for being marginally non-compliant with the spec on our first release (UV)... 😵💫
piyushgarg
commented
7 months ago Thanks @varjolintu , I am able to get past the crap by making the following temporary changes until the upstream server fixes it.
...
publicKey.extensions = pkOptions?.extensions;
publicKey.pubKeyCredParams = pkOptions?.pubKeyCredParams;
for (let i = 0; i < publicKey.pubKeyCredParams.length; i++) {
publicKey.pubKeyCredParams[i].alg = Number(publicKey.pubKeyCredParams[i].alg);
}
publicKey.rp = pkOptions?.rp;
...@piyushgarg Already made a hotfix for this: https://github.com/keepassxreboot/keepassxc-browser/pull/2161
thecodrr
commented
7 months ago Is prf support planned in the near/distant future?
varjolintu
commented
7 months ago Is
prfsupport planned in the near/distant future?
It's on my TODO list, but I cannot promise anything.
juanhs12
commented
7 months ago zoho.com it is not working with keepassXC, but it is working with others passkeys, like proton pass.
varjolintu
commented
7 months ago @juanhs12 Thanks for reporting. I was able to fix it, and it will work with the next extension release.
Not working
Restrictions
Instructions
Enable Debug Logging from the extension settings and see if the Web Developer / JavaScript console has any error messages. That is helpful for detecting possible errors.