privacyidea / keycloak-provider

:lock: OTP Two Factor Authentication Provider for Keycloak to run with privacyIDEA
Apache License 2.0

Support multiple WebAuthn challenges #84

Closed rtheys closed 2 years ago

rtheys commented 2 years ago

Hi,

I'm using Keycloak 15 with keycloak-provider 1.0.0 (also have this issue with 0.6.1).

When I configure two webauthn tokens for a user and then try to login on keycloak as that user, the dialog will show that the webauthn triggers are there, but when I press the webauthn key that was added last, it does not work. Only the first added webauthn key works.

Below are the logs on the keycloak server. The logs show login with the first-registered webauthn token. I believe the issue is with the javascript code as the response from the second-registered key does not seem to be processed.

After pressing the key as instructed by the browser, the web developer console logs the following error:

Uncaught (in promise) DOMException: An attempt was made to use an object that is not, or is no longer, usable

So I believe there's an error in the javascript code somewhere.

Regards, Rik

2021-12-01 10:57:14,906 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: Sending to /auth
2021-12-01 10:57:14,906 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: username=trigger-admin
2021-12-01 10:57:14,907 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: password=************************
2021-12-01 10:57:14,907 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: realm=esat.kuleuven.be
2021-12-01 10:57:15,492 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: Sending to /validate/triggerchallenge
2021-12-01 10:57:15,492 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: user=u0045469
2021-12-01 10:57:15,492 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-3) PrivacyIDEA SDK: realm=esat.kuleuven.be
2021-12-01 10:57:15,605 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://sso-test.esat.kuleuven.be/...) PrivacyIDEA SDK: /validate/triggerchallenge:
{
  "detail": {
    "attributes": {
      "hideResponseInput": true,
      "img": "static/img/FIDO-U2F-Security-Key-444x444.png",
      "webAuthnSignRequest": {
        "allowCredentials": [
          {
            "id": "teDWJ1BG-luk4QVS5o6MTi_r9XsiFb8rAfmSdIu8F6OH1p1isbgcXDH-J3iYKvBgfqnCp7mNmKQ_vkcJ_MTmxA",
            "transports": [
              "usb",
              "ble",
              "nfc",
              "internal"
            ],
            "type": "public-key"
          }
        ],
        "challenge": "D1VCRmG9CuOCvRaTv4m_lT9kcmC8A_isGtb1h6-RoLo",
        "rpId": "sso-test.esat.kuleuven.be",
        "timeout": 60000,
        "userVerification": "preferred"
      }
    },
    "message": "Please confirm with your WebAuthn token (FT FIDO), Please confirm with your WebAuthn token (Yubico U2F EE)",
    "messages": [
      "Please confirm with your WebAuthn token (FT FIDO)",
      "Please confirm with your WebAuthn token (Yubico U2F EE)"
    ],
    "multi_challenge": [
      {
        "attributes": {
          "hideResponseInput": true,
          "img": "",
          "webAuthnSignRequest": {
            "allowCredentials": [
              {
                "id": "JDs6AUjsJrdUj2VwL2filamsXHYTbuLlfwsq6OpFPnWFAlC48MWomdyghMiT8nT3Ghb-qZCpBjWQ20afs9nbfJvVQu-fDZUXkbiFZ_e9LrcseASlJ4Rcqcb0uTkZP5Pa",
                "transports": [
                  "usb",
                  "ble",
                  "nfc",
                  "internal"
                ],
                "type": "public-key"
              }
            ],
            "challenge": "D1VCRmG9CuOCvRaTv4m_lT9kcmC8A_isGtb1h6-RoLo",
            "rpId": "sso-test.esat.kuleuven.be",
            "timeout": 60000,
            "userVerification": "preferred"
          }
        },
        "message": "Please confirm with your WebAuthn token (FT FIDO)",
        "serial": "WAN0000E49C",
        "transaction_id": "06403856893216203841",
        "type": "webauthn"
      },
      {
        "attributes": {
          "hideResponseInput": true,
          "img": "static/img/FIDO-U2F-Security-Key-444x444.png",
          "webAuthnSignRequest": {
            "allowCredentials": [
              {
                "id": "teDWJ1BG-luk4QVS5o6MTi_r9XsiFb8rAfmSdIu8F6OH1p1isbgcXDH-J3iYKvBgfqnCp7mNmKQ_vkcJ_MTmxA",
                "transports": [
                  "usb",
                  "ble",
                  "nfc",
                  "internal"
                ],
                "type": "public-key"
              }
            ],
            "challenge": "D1VCRmG9CuOCvRaTv4m_lT9kcmC8A_isGtb1h6-RoLo",
            "rpId": "sso-test.esat.kuleuven.be",
            "timeout": 60000,
            "userVerification": "preferred"
          }
        },
        "message": "Please confirm with your WebAuthn token (Yubico U2F EE)",
        "serial": "WAN0001F2C0",
        "transaction_id": "06403856893216203841",
        "type": "webauthn"
      }
    ],
    "serial": "WAN0001F2C0",
    "threadid": 139932789683968,
    "transaction_id": "06403856893216203841",
    "transaction_ids": [
      "06403856893216203841",
      "06403856893216203841"
    ],
    "type": "webauthn"
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": 2
  },
  "time": 1638352635.5786781,
  "version": "privacyIDEA 3.6",
  "versionnumber": "3.6",
  "signature": "rsa_sha256_pss:75bc8354d86f717e93a11b738addcfc45c90669c207412b05a9cbfec50d3edbf73261b396bb91d5c312b37db8cfbabb3b5760468834e4bb5b4555b64bb7ac969566eb4b01c1c3cc8f477c71df2128fcb94d0c38e771f8f0fe066ce4659694eecc7cc0dd9ce03532facf83023f84f32da050f5bdb78c344af1c47bcb6fb890b2969378fdbdd9abfc0a90b46e5943209d4449be10bca44d9d78a2bf4488bd55fd6fec1f16a41d9f5d80db7c65b12ff43c8ae5e29f555e5a50c196607abe5f146d0de45b8c58bde8d982906394e2a831ad1669087eddb4600a37ca7137790937805ef8bf46ac82c2c685f60f5394c2fd9c5f2a5de7f432d370b49742dc1f0fc61a9"
}
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: Sending to /validate/check
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: user=u0045469
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: transaction_id=06403856893216203841
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: pass=
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: realm=esat.kuleuven.be
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: credentialid=JDs6AUjsJrdUj2VwL2filamsXHYTbuLlfwsq6OpFPnWFAlC48MWomdyghMiT8nT3Ghb-qZCpBjWQ20afs9nbfJvVQu-fDZUXkbiFZ_e9LrcseASlJ4Rcqcb0uTkZP5Pa
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: clientdata=eyJjaGFsbGVuZ2UiOiJEMVZDUm1HOUN1T0N2UmFUdjRtX2xUOWtjbUM4QV9pc0d0YjFoNi1Sb0xv
IiwiY2xpZW50RXh0ZW5zaW9ucyI6e30sImhhc2hBbGdvcml0aG0iOiJTSEEtMjU2Iiwib3JpZ2lu
IjoiaHR0cHM6Ly9zc28tdGVzdC5lc2F0Lmt1bGV1dmVuLmJlIiwidHlwZSI6IndlYmF1dGhuLmdl
dCJ9
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: signaturedata=MEYCIQChpe6fG8GkwsLbgta_MLUzflxLyHEpDSEcotwGSY-umQIhALPlN47N8odw1TSOX9xfNE-K
0PDLp5YvzuNtp_hOcvT7
2021-12-01 10:58:10,631 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-20-thread-4) PrivacyIDEA SDK: authenticatordata=j854s7gdNJHSffDKGDXQT1cJcoOZ8s7ikgfsqCk7B48BAAAENw
2021-12-01 10:58:10,809 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://sso-test.esat.kuleuven.be/...) PrivacyIDEA SDK: /validate/check:
{
  "detail": {
    "message": "Found matching challenge",
    "serial": "WAN0000E49C",
    "threadid": 139932688971520
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": true
  },
  "time": 1638352690.7810771,
  "version": "privacyIDEA 3.6",
  "versionnumber": "3.6",
  "signature": "rsa_sha256_pss:…"
}
nilsbehlen commented 2 years ago

Hi, this behavior is somewhat "intended". I think the error could be handled better. Your observation is correct, the provider only passes the first WebAuthn challenge to the browser, so that error comes from passing the wrong challenge to the device. We currently only use the first challenge because there is not really a good way to distinguish WebAuthn tokens since the "serial" privacyIDEA gets when enrolling the token is not the serial that is printed on the device. In the future there will probably be support for multiple WebAuthn tokens, but doing that requires some time to implement a solution that does it properly.

Can I ask you why you use 2 different WebAuthn tokens?
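
The response quoted above already carries everything needed to offer both keys at once: every `multi_challenge` entry of type `webauthn` shares the same `challenge`, `rpId` and `transaction_id` and differs only in its single `allowCredentials` entry and its `serial`. Below is an added example (not code from privacyidea/keycloak-provider, and not the change that later closed this issue) showing how a browser-side provider could merge those entries into one `navigator.credentials.get()` request and then map the credential id the authenticator answers with back to the token serial. The `/validate/check` field names (`transaction_id`, `credentialid`, `clientdata`, `signaturedata`, `authenticatordata`) are taken from the log above; the sample response is a trimmed copy of the one in the issue, and the assumption that all entries share challenge and rpId is enforced rather than trusted.

```javascript
// Added example (not the provider's own code): merge all WebAuthn challenges
// from a privacyIDEA /validate/triggerchallenge response into a single
// WebAuthn get() request and map the answering credential back to a token.

function b64urlToBytes(s) {
  // base64url -> bytes; restore '+' '/' and padding before decoding
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return new Uint8Array(Buffer.from(padded, 'base64'));
}

function bytesToB64url(bytes) {
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns { publicKey, byCredentialId }: publicKey is a
// PublicKeyCredentialRequestOptions listing every enrolled key;
// byCredentialId maps base64url credential id -> { serial, transaction_id }.
function mergeWebAuthnChallenges(triggerResponse) {
  const entries = (triggerResponse.detail.multi_challenge || [])
    .filter((c) => c.type === 'webauthn');
  if (entries.length === 0) throw new Error('no webauthn challenge in response');

  const first = entries[0].attributes.webAuthnSignRequest;
  const byCredentialId = new Map();
  const allowCredentials = [];

  for (const entry of entries) {
    const req = entry.attributes.webAuthnSignRequest;
    // A single get() call signs one challenge for one rpId, so they must agree
    // across entries (assumption checked here, not trusted).
    if (req.challenge !== first.challenge || req.rpId !== first.rpId) {
      throw new Error(`challenge/rpId mismatch for token ${entry.serial}`);
    }
    for (const cred of req.allowCredentials) {
      if (byCredentialId.has(cred.id)) continue; // same key listed twice
      byCredentialId.set(cred.id, {
        serial: entry.serial,
        transaction_id: entry.transaction_id,
      });
      allowCredentials.push({
        type: cred.type,
        id: b64urlToBytes(cred.id),
        transports: cred.transports,
      });
    }
  }

  const publicKey = {
    challenge: b64urlToBytes(first.challenge),
    rpId: first.rpId,
    timeout: first.timeout,
    userVerification: first.userVerification,
    allowCredentials,
  };
  return { publicKey, byCredentialId };
}

// Turn the PublicKeyCredential the browser returned into the /validate/check
// fields seen in the log, plus the serial of the token that actually answered.
function buildValidateCheckParams(merged, assertion, user, realm) {
  const credentialid = bytesToB64url(new Uint8Array(assertion.rawId));
  const token = merged.byCredentialId.get(credentialid);
  if (!token) throw new Error('authenticator answered with an unknown credential id');
  const r = assertion.response;
  const params = {
    user,
    realm,
    transaction_id: token.transaction_id,
    pass: '',
    credentialid,
    clientdata: bytesToB64url(new Uint8Array(r.clientDataJSON)),
    signaturedata: bytesToB64url(new Uint8Array(r.signature)),
    authenticatordata: bytesToB64url(new Uint8Array(r.authenticatorData)),
  };
  return { params, serial: token.serial };
}

// Trimmed copy of the /validate/triggerchallenge response quoted in the issue.
const CHALLENGE = 'D1VCRmG9CuOCvRaTv4m_lT9kcmC8A_isGtb1h6-RoLo';
const CRED_FT = 'JDs6AUjsJrdUj2VwL2filamsXHYTbuLlfwsq6OpFPnWFAlC48MWomdyghMiT8nT3Ghb-qZCpBjWQ20afs9nbfJvVQu-fDZUXkbiFZ_e9LrcseASlJ4Rcqcb0uTkZP5Pa';
const CRED_YUBICO = 'teDWJ1BG-luk4QVS5o6MTi_r9XsiFb8rAfmSdIu8F6OH1p1isbgcXDH-J3iYKvBgfqnCp7mNmKQ_vkcJ_MTmxA';
const signRequest = (id) => ({
  allowCredentials: [{ id, transports: ['usb', 'ble', 'nfc', 'internal'], type: 'public-key' }],
  challenge: CHALLENGE, rpId: 'sso-test.esat.kuleuven.be', timeout: 60000, userVerification: 'preferred',
});
const SAMPLE_TRIGGER_RESPONSE = {
  detail: {
    multi_challenge: [
      { attributes: { webAuthnSignRequest: signRequest(CRED_FT) }, serial: 'WAN0000E49C',
        transaction_id: '06403856893216203841', type: 'webauthn' },
      { attributes: { webAuthnSignRequest: signRequest(CRED_YUBICO) }, serial: 'WAN0001F2C0',
        transaction_id: '06403856893216203841', type: 'webauthn' },
    ],
  },
};

// In a browser the flow is:
//   const merged = mergeWebAuthnChallenges(triggerResponse);
//   const cred = await navigator.credentials.get({ publicKey: merged.publicKey });
//   const { params, serial } = buildValidateCheckParams(merged, cred, 'u0045469', 'esat.kuleuven.be');
// and `params` is what gets posted to /validate/check, whichever key was pressed.
```

Because `allowCredentials` now lists both enrolled keys, the browser lets whichever one is plugged in answer, and the lookup by `rawId` tells the provider which serial to report; a credential id the server never offered is rejected instead of being forwarded.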

rtheys commented 2 years ago

Hi,

We have users who have multiple keys as they have keys at two different locations and keep them there.

Would it be an option to show the label of the token on the button that now shows "webauthn"? It could then show two buttons if there are two webauthn tokens registered? Maybe that would make it easier to distinguish between the challenges?

Regards, Rik

nilsbehlen commented 2 years ago

Would it be an option to show the label of the token on the button that now shows "webauthn"?

We do not get the token label directly, just the message from privacyIDEA which can be configured but by default contains the token description. However, that is probably the way to do it, but it does not quite fit the current structure of the provider and would require restructuring. There is also an ongoing effort in the privacyIDEA server to improve the communication with the plugins which will also result in a restructuring of the plugins, so that will probably be the time this enhancement will be implemented.

nilsbehlen commented 2 years ago

closed by #93

rtheys commented 2 years ago

Hi,

Nice to see this will be fixed in a future release. Will it depend on a specific privacyidea server version, or will it work with the 3.6 release?

Regards, Rik

nilsbehlen commented 2 years ago

Hi, it will work with any version of the server.