Closed rtheys closed 2 years ago
Hi, this behavior is somewhat "intended". I think the error could be handled better. Your observation is correct, the provider only passes the first WebAuthn challenge to the browser, so that error comes from passing the wrong challenge to the device. We currently only use the first challenge because there is not really a good way to distinguish WebAuthn tokens, since the "serial" privacyIDEA gets when enrolling the token is not the serial that is printed on the device. In the future there will probably be support for multiple WebAuthn tokens, but doing that requires some time to implement a solution that does it properly.
Can I ask you why you use 2 different WebAuthn tokens?
Hi,
We have users who have multiple keys as they have keys at two different locations and keep them there.
Would it be an option to show the label of the token on the button that now shows "webauthn"? It could then show two buttons if there are two webauthn tokens registered? Maybe that would make it easier to distinguish between the challenges?
Regards, Rik
Would it be an option to show the label of the token on the button that now shows "webauthn"?
We do not get the token label directly, just the message from privacyIDEA which can be configured but by default contains the token description. However, that is probably the way to do it, but it does not quite fit the current structure of the provider and would require restructuring. There is also an ongoing effort in the privacyIDEA server to improve the communication with the plugins which will also result in a restructuring of the plugins, so that will probably be the time this enhancement will be implemented.
closed by #93
Hi,
Nice to see this will be fixed in a future release. Will it depend on a specific privacyidea server version, or will it work with the 3.6 release?
Regards, Rik
Hi, it will work with any version of the server.
Hi,
I'm using Keycloak 15 with keycloak-provider 1.0.0 (also have this issue with 0.6.1).
When I configure two webauthn tokens for a user and then try to login on keycloak as that user, the dialog will show that the webauthn triggers are there, but when I press the webauthn key that was added last, it does not work. Only the first added webauthn key works.
Below are the logs on the keycloak server. The logs show login with the first-registered webauthn token. I believe the issue is with the JavaScript code, as the response from the second-registered key does not seem to be processed.
After pressing the key as instructed by the browser, the web developer console logs the following error:
Uncaught (in promise) DOMException: An attempt was made to use an object that is not, or is no longer, usable
So I believe there's an error in the JavaScript code somewhere.
Regards, Rik
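The failure described in this thread is a challenge-selection problem: the server issues one WebAuthn sign request per enrolled token, but the login page only ever forwards the first one, so a response from the second key is checked against the wrong challenge and the browser reports the DOMException above. The snippet below is an added illustration of that mechanism, not code from keycloak-provider or privacyIDEA. It constructs two sample challenges whose field names (transactionId, challenge, allowCredentials) are assumptions for the demo, shows the first-only selection next to a version that picks the challenge by credential id, and merges the allowCredentials lists only when all challenges carry the same challenge value, since a single navigator.credentials.get() call can only present one challenge to the authenticator.

```javascript
// Added example, not the plugin's own code. Field names below are assumptions
// for the demo; a real integration maps whatever the server returns.

// Constructed sample: one sign request per registered WebAuthn token.
const SAMPLE_CHALLENGES = [
  { transactionId: "tx-1", challenge: "challenge-one",
    allowCredentials: [{ type: "public-key", id: "AAEC" }] },
  { transactionId: "tx-2", challenge: "challenge-two",
    allowCredentials: [{ type: "public-key", id: "AwQF" }] },
];

// Credential ids arrive as base64 or base64url, padded or not; compare them
// in one canonical form so a padding difference does not hide a match.
function normaliseId(id) {
  return String(id).replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
}

// The behaviour the thread reports: whatever the user touches, the browser is
// handed the first sign request, so a second token always fails verification.
function firstChallengeOnly(challenges) {
  return challenges.length > 0 ? challenges[0] : null;
}

// Defensive alternative: hand the browser the sign request that actually lists
// the credential in question, or refuse (null) rather than guess.
function selectChallengeForCredential(challenges, credentialId) {
  const wanted = normaliseId(credentialId);
  for (const c of challenges) {
    const ids = (c.allowCredentials || []).map((a) => normaliseId(a.id));
    if (ids.includes(wanted)) return c;
  }
  return null;
}

// When every sign request shares the same challenge value, all credentials can
// be offered in one navigator.credentials.get() call by merging allowCredentials.
// With differing challenges there is no safe merge, so return null and let the
// caller select per credential instead.
function mergeIfSharedChallenge(challenges) {
  if (challenges.length === 0) return null;
  const challenge = challenges[0].challenge;
  if (!challenges.every((c) => c.challenge === challenge)) return null;
  const seen = new Set();
  const allowCredentials = [];
  for (const c of challenges) {
    for (const a of c.allowCredentials || []) {
      const key = normaliseId(a.id);
      if (seen.has(key)) continue;   // same credential listed twice
      seen.add(key);
      allowCredentials.push({ type: a.type || "public-key", id: a.id });
    }
  }
  return { challenge, allowCredentials,
           transactionIds: challenges.map((c) => c.transactionId) };
}

// Stand-alone demo: show which transaction each strategy would answer.
const touched = "AwQF";   // constructed: the user pressed the second key
console.log("first-only picks:", firstChallengeOnly(SAMPLE_CHALLENGES).transactionId);
const byId = selectChallengeForCredential(SAMPLE_CHALLENGES, touched);
console.log("by credential id picks:", byId && byId.transactionId);
console.log("merge possible:", mergeIfSharedChallenge(SAMPLE_CHALLENGES) !== null);
```

The point of the by-id path is that the credential id in the authenticator's response is the only reliable way to tell which of the enrolled tokens answered, which is also why the maintainer notes that the enrollment serial cannot be used for this: it is not the serial on the device, and the browser never sees it.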