FIDO2 with Yubikey 5 NFC

By: Franck THOMAS user 12 May 2020 at 3 a.m. CDT

7 Responses
Franck THOMAS gravatar
Hello, when i configure FIDO2 authentication mode and i try to connect with a yubikey 5 NFC i have the oops page with this error message : 2020-05-12 07:49:56,919 INFO [qtp1590550415-11] [org.gluu.oxauth.fido2.certification.CertificationKeyStoreUtils] (CertificationKeyStoreUtils.java:82) - No metadata for authenticator 2fc0579f811347eab116bb5a8db9202a. Attempting to contact MDS 2020-05-12 07:49:56,929 ERROR [qtp1590550415-11] [org.gluu.oxauth.fido2.service.Fido2RpExceptionHandler] (Fido2RpExceptionHandler.java:33) - Handled Fido2 RP exception org.gluu.oxauth.fido2.exception.Fido2RPRuntimeException: Authenticator not in TOC aaguid 2fc0579f-8113-47ea-b116-bb5a8db9202a I anderstand that the aaguid for my yubikey 5 nfc was not found in the toc file. But how and where i can download the metadata for my yubikey and how can i configure gluu server? Thanks for your response. Best regards
CentOS 7.0
closed

Answers

By Sahil Arora user 12 May 2020 at 9 a.m. CDT

Copy
Sahil Arora gravatar
Hi Franck, You would need to register your key [here](https://mds2.fidoalliance.org/tokens/) to get a link to access TOC file, and then follow [these](https://gluu.org/docs/gluu-server/authn-guide/fido2/) instructions. Thanks Sahil

By Franck THOMAS user 12 May 2020 at 11:08 a.m. CDT

Copy
Franck THOMAS gravatar
Hi Sahil, Thanks for your answer. I have already register my email to download toc.jwt and Root.cer files on fidoalliance, but the problem is different. As you can see in the log file, the aaguid for my yubikey 5 nfc is not include in the toc file. So GLUU can't accept my token. So my question is how i can add metadata corresponding to my yubikey in gluu server. Best regards, Franck

By Yuriy Movchan staff 12 May 2020 at 2 p.m. CDT

Copy
Yuriy Movchan gravatar
Hi, All Yubikey are not listed in this `toc.jwt` file. As result in CE < 4.2 you need to put files from attached archive into `/etc/gluu/conf/fido2/server_metadata`. These are devices metadata. In CE 4.2 it's not needed. It can use public certs to do devices attestation if the device isn't in `toc.jwt`. Yo ucan try [this](https://repo.gluu.org/ubuntu/pool/main/bionic-devel/gluu-server_4.2.0-369~bionic_amd64.deb) 4.2 beta1. It contains also many another Fido2 improvements.
ctap2_devices.zip

By Franck THOMAS user 12 May 2020 at 2:38 p.m. CDT

Copy
Franck THOMAS gravatar
Hi Yuriy, Thank you for your answer, i understood the problem, but if I want to stay in 4.1 gluu release can you tell me where i can find the metadata json for gluu with the aaguid yubikey 5 nfc ? Best regards, Franck

By Michael Schwartz Account Admin 14 May 2020 at 12:05 p.m. CDT

Copy
Michael Schwartz gravatar
4.2 will be out at the end of June, but it may pay to wait for this release for FIDO 2 support. Sorry about that. Our first FIDO 2 implementation was clunky.

By Franck THOMAS user 14 May 2020 at 12:44 p.m. CDT

Copy
Franck THOMAS gravatar
Thanks for your answers. I found the way to use yubikey 5 NFC with gluu server. I have generate a metadata json file for yubikey with the aaguid for my key and i have put the file in the server_metadata folder and restart Oxauth server. If you want him let me now... Regards

By Michael Schwartz Account Admin 14 May 2020 at 1:22 p.m. CDT

Copy
Michael Schwartz gravatar
Nice work!

Post an answer