ruimarinho / gsts

Obtain and store AWS STS credentials to interact with Amazon services by authenticating via G Suite SAML.
MIT License

Security key not detected #3

Closed lizthegrey closed 4 years ago

lizthegrey commented 4 years ago

For some reason, when Chromium is executed by Puppeteer, my security key's light never comes on, and tapping it has no effect. I had to use backup codes to log in with gsts.

This is on Ubuntu Linux, gsts version 2.1.0.

ruimarinho commented 4 years ago

Hi @lizthegrey! Unfortunately I am experiencing the same issue on macOS. I am pretty sure it was working before.

I have tried to direct gsts to the traditional login page (https://accounts.google.com) and it works fine there, so it must be some kind of legacy check of the U2F script that is still in use by that particular page.

I'll see if someone over at the puppeteer project can shed some light on this. Thanks for the report!

Zlender commented 4 years ago

I just tried gsts for the first time yesterday and couldn't figure out how to get the security key to light up during the MFA step with Google. If I open the WebAuthn demo site in the same browser in a new tab, I can use it just fine: https://demo.yubico.com/webauthn-technical/registration

Maybe completely unrelated, but if I just go to log in to gmail.com in the same Chromium window with my corp account, I get this error from Google:

Couldn't sign you in
This browser or app may not be secure. Learn more
Try using a different browser. If you’re already using a supported browser, you can refresh your screen and try again to sign in.

"Learn more" leads to https://support.google.com/accounts/answer/7675428?hl=en

lizthegrey commented 4 years ago

https://accounts.google.com/signin/challenge/sk/3 [...] fails

[15417:15417:0414/145411.100121:ERROR:device_event_log_impl.cc(162)] [14:54:11.098] FIDO: fido_hid_device.cc:469 HID error received: 6
[15417:15417:0414/145411.100466:ERROR:device_event_log_impl.cc(162)] [14:54:11.100] FIDO: get_assertion_request_handler.cc:402 Ignoring status 127 from hid:13cb190b-5d41-441a-a998-56bad41b7940

https://accounts.google.com/signin/v2/challenge/sk/webauthn [...] succeeds

I'll ask the Chrome Googler sitting next to me to help me out ;)

ruimarinho commented 4 years ago

What a fun trip this was! Experimental support now enabled on https://github.com/ruimarinho/gsts/tree/v2.2.0.

Added a section to the README with a 'postmortem' of this bug (https://github.com/ruimarinho/gsts/tree/v2.2.0#security-keys--webauthn--u2f).

Please give it a try with --enable-experimental-u2f-support (just to play a bit with Chrome switches). If everything goes well it might be enabled by default in the future.

I'm going to close this issue as I'm confident it will work 😅