By: Janis Kulins user 12 Oct 2021 at 8:15 a.m. CDT

3 Responses
Expected behaviour

After approving the authentication push message in the Super Gluu app, data is passed to the Gluu server and successfully verified. Authentication is completed.

Actual behavior

After accepting the authentication in the Super Gluu app, an error message appears: "fido U2F responce was rejected. Authentication attempt failed."

Configuration to reproduce

Upgraded to Gluu 4.3 via the bundled script. The standard Super Gluu interception script from the git repo is used. The device is already bound to the end-user account. A regular OIDC authentication request is run against Gluu with acr_values=super-gluu.

The setup was working fine on 4.2. Gluu end-user account and device binding (via QR) is working. The problem starts on the next authentication attempt. Tried deleting all keys from the Super Gluu app and removing the device from the end-user configuration (re-attaching it). This did not solve the problem.

Any idea on the root cause? Thank you.

Log files

2021-10-12 15:58:23,712 DEBUG [qtp1224347463-19] [org.gluu.oxauth.service.common.UserService] (UserService.java:96) - Found 1 entries for user id = card1
2021-10-12 15:58:23,803 DEBUG [qtp1224347463-19] [oxauth.ws.rs.fido.u2f.U2fAuthenticationWS] (U2fAuthenticationWS.java:141) - Finishing authentication for username 'card1' with response ' {"signatureData":"AQAAAAMwRQIhAPpfmvxB9kYinAEacudOOkMwSWSSDf_4OLXe62t6b6ZxAiB2XI8g06jgwl8zwp-EOkQDCpLQDWGd2Igcy_hMM66F_w","clientData":"eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiWUJ6akp5dVFEYnFBYUs3bmIzN0lFb25wN1ZkWGtOQUwyc3BuSllNSm9vcyIsIm9yaWdpbiI6Imh0dHBzOlwvXC9kZC10ZHNzcnYwMS5kY3QuZGVjdGEuY29tIn0","keyHandle":"Choo6Q2uN8Qqb68UXDxSxlboHyl2HWY2gfakdeFJASKr9yJiu3PHQCob3-wPOha3BXHQtTaDySl9RJUcnlD5dg"} '
2021-10-12 15:58:23,812 DEBUG [qtp1224347463-19] [gluu.oxauth.service.fido.u2f.AuthenticationService] (AuthenticationService.java:161) - Client data HEX '65794a30655841694f694a7559585a705a32463062334975615751755a32563051584e7a5a584a3061573975496a6f6957554a36616b703564564645596e464259557333626d497a4e306c46623235774e315a6b5847744f5155777963334275536c6c4e536d397663794973496d39796157647062694936496d68306448427a4f6c77765843396b5a4331305a484e7a636e59774d53356b593351755a47566a6447457559323974496e30'
2021-10-12 15:58:23,812 DEBUG [qtp1224347463-19] [gluu.oxauth.service.fido.u2f.AuthenticationService] (AuthenticationService.java:162) - Signature data HEX '4151414141414d7752514968415070666d767842396b59696e4145616375644f4f6b4d775357535344665f344f4c58653632743662365a78416942325849386730366a67776c387a77702d454f6b514443704c514457476432496763795f684d4d3636465f77'
2021-10-12 15:58:23,818 ERROR [qtp1224347463-19] [oxauth.ws.rs.fido.u2f.U2fAuthenticationWS] (U2fAuthenticationWS.java:175) - Exception happened
org.gluu.oxauth.model.fido.u2f.exception.BadInputException: Signature is not valid
    at org.gluu.oxauth.service.fido.u2f.RawAuthenticationService.checkSignature(RawAuthenticationService.java:66) ~[classes/:?]
    at org.gluu.oxauth.service.fido.u2f.AuthenticationService.finishAuthentication(AuthenticationService.java:167) ~[classes/:?]
    at org.gluu.oxauth.service.fido.u2f.AuthenticationService.finishAuthentication(AuthenticationService.java:135) ~[classes/:?]
    at org.gluu.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS.finishAuthentication(U2fAuthenticationWS.java:157) ~[classes/:?]
    at org.gluu.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS$Proxy$_$$_WeldClientProxy.finishAuthentication(Unknown Source) ~[classes/:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:546) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:435) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:396) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:398) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:365) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:245) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:61) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) ~[resteasy-jaxrs-3.15.1.Final.jar:3.15.1.Final]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) ~[servlet-api-3.1.jar:3.1.0]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799) ~[jetty-servlet-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626) ~[jetty-servlet-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:228) ~[websocket-server-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[jetty-servlet-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) ~[jetty-servlet-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.gluu.server.filters.AbstractCorsFilter.handleNonCORS(AbstractCorsFilter.java:362) ~[oxcore-server-4.3.0.Final.jar:?]
    at org.gluu.server.filters.AbstractCorsFilter.doFilter(AbstractCorsFilter.java:139) ~[oxcore-server-4.3.0.Final.jar:?]
    at org.gluu.oxauth.filter.CorsFilter.doFilter(CorsFilter.java:118) ~[classes/:?]
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[jetty-servlet-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) ~[jetty-servlet-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.gluu.oxauth.audit.debug.ServletLoggingFilter.doFilter(ServletLoggingFilter.java:84) ~[classes/:?]
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201) ~[jetty-servlet-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) ~[jetty-servlet-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) ~[jetty-servlet-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[jetty-server-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602) ~[jetty-security-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) ~[jetty-server-9.4.43.v20210629.jar:9.4.43.v20210629]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624) ~[jetty-server-9.4.43.v20210629.jar:9.4.43.v20210629]
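The log above carries everything the server feeds into `RawAuthenticationService.checkSignature` except the registered public key, so a useful first diagnostic step is to decode the response and rebuild the exact bytes the authenticator signed. The script below is an added example written for this thread; it is not oxAuth or Super Gluu code. It uses the `clientData`, `signatureData` and `keyHandle` values copied from the log, and it assumes (labelled in the code) that the U2F appId equals the origin inside `clientData`; the real appId is whatever the server is configured with. The `server_side_checks` function illustrates the checks a U2F relying party makes around the ECDSA verify (origin, user-presence bit, monotonic counter) and is not a description of oxAuth's own implementation. The final ECDSA P-256 verification is not performed because the registered public key is not in the thread.

```python
"""Decode a FIDO U2F authentication response and rebuild the signed message.

Added example for the thread above; not Gluu/oxAuth code. The three input
values are copied from the oxauth log quoted in the post.
"""
import base64
import hashlib
import json

# Values copied from the "Finishing authentication" log line above.
CLIENT_DATA = ("eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiWUJ6akp5"
               "dVFEYnFBYUs3bmIzN0lFb25wN1ZkWGtOQUwyc3BuSllNSm9vcyIsIm9yaWdpbiI6Imh0dHBz"
               "OlwvXC9kZC10ZHNzcnYwMS5kY3QuZGVjdGEuY29tIn0")
SIGNATURE_DATA = ("AQAAAAMwRQIhAPpfmvxB9kYinAEacudOOkMwSWSSDf_4OLXe62t6b6ZxAiB2XI8g06jgwl8z"
                  "wp-EOkQDCpLQDWGd2Igcy_hMM66F_w")
KEY_HANDLE = ("Choo6Q2uN8Qqb68UXDxSxlboHyl2HWY2gfakdeFJASKr9yJiu3PHQCob3-wPOha3BXHQtTaD"
              "ySl9RJUcnlD5dg")


def b64url_decode(s: str) -> bytes:
    """Base64url without padding, as used in the U2F JSON messages."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_client_data(client_data_b64: str) -> dict:
    """clientData is base64url of a JSON object with typ, challenge and origin."""
    data = json.loads(b64url_decode(client_data_b64).decode("utf-8"))
    for field in ("typ", "challenge", "origin"):
        if field not in data:
            raise ValueError(f"clientData is missing {field!r}")
    if data["typ"] != "navigator.id.getAssertion":
        raise ValueError(f"unexpected clientData typ {data['typ']!r}")
    return data


def parse_der_ecdsa(sig: bytes) -> tuple:
    """Strict parser for the DER envelope SEQUENCE { INTEGER r, INTEGER s }."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("bad ECDSA signature envelope")
    pos, values = 2, []
    for _ in range(2):
        if sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length = sig[pos + 1]
        value = sig[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated INTEGER")
        values.append(int.from_bytes(value, "big"))
        pos += 2 + length
    if pos != len(sig):
        raise ValueError("trailing bytes after signature")
    return values[0], values[1]


def parse_signature_data(signature_data_b64: str) -> dict:
    """signatureData = user-presence byte || 4-byte big-endian counter || DER ECDSA signature."""
    raw = b64url_decode(signature_data_b64)
    if len(raw) < 5:
        raise ValueError("signatureData too short")
    r, s = parse_der_ecdsa(raw[5:])
    return {"user_presence": raw[0], "counter": int.from_bytes(raw[1:5], "big"),
            "der_signature": raw[5:], "r": r, "s": s}


def signed_message(app_id: str, client_data_b64: str, user_presence: int, counter: int) -> bytes:
    """The 69 bytes covered by the signature in the U2F raw message format:
    SHA-256(appId) || user-presence || counter || SHA-256(clientData JSON)."""
    app_param = hashlib.sha256(app_id.encode("utf-8")).digest()
    challenge_param = hashlib.sha256(b64url_decode(client_data_b64)).digest()
    return app_param + bytes([user_presence]) + counter.to_bytes(4, "big") + challenge_param


def server_side_checks(client_data: dict, sig: dict, expected_origin: str, last_counter: int) -> list:
    """Relying-party checks made alongside the ECDSA verify; returns the problems found."""
    problems = []
    if client_data["origin"] != expected_origin:
        problems.append(f"origin {client_data['origin']!r} != expected {expected_origin!r}")
    if sig["user_presence"] & 0x01 != 1:
        problems.append("user-presence bit not set")
    if sig["counter"] <= last_counter:
        problems.append(f"counter {sig['counter']} did not increase past {last_counter}")
    return problems


if __name__ == "__main__":
    cd = parse_client_data(CLIENT_DATA)
    sd = parse_signature_data(SIGNATURE_DATA)
    print("clientData:", cd)
    print(f"user presence={sd['user_presence']} counter={sd['counter']} "
          f"DER signature={len(sd['der_signature'])} bytes")
    print("keyHandle length:", len(b64url_decode(KEY_HANDLE)), "bytes")
    # ASSUMPTION: appId == origin. If the server hashes a different appId than the
    # app signed over, the first 32 bytes differ and ECDSA verification fails even
    # though the device, key handle and public key are all correct.
    msg = signed_message(cd["origin"], CLIENT_DATA, sd["user_presence"], sd["counter"])
    print("signed message:", msg.hex())
    print("problems:", server_side_checks(cd, sd, cd["origin"], last_counter=2))
```

Running it shows the response is well formed: `typ` is `navigator.id.getAssertion`, the origin is the Gluu host, the user-presence byte is 1, the counter is 3 and the DER signature is a valid 71-byte P-256 signature. That narrows "Signature is not valid" to the two inputs the log does not show: the public key looked up via the key handle, and the appId string the server hashes into the application parameter.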

By Ganesh Dutt Sharma Account Admin 12 Oct 2021 at 3 p.m. CDT

Not covered in community support

By Janis Kulins user 13 Oct 2021 at 3:30 a.m. CDT

Hello, just wanted to point out that this is out-of-the-box functionality with the default config. So there is a possibility that there are some issues in the code which might be addressed. I planned to report the issue in git, but there is a recommendation to do it here first. We identified at least several other issues in 4.3, but it looks like it is not welcome to report them. Have a good and productive day.

By Janis Kulins user 26 Oct 2021 at 6:02 a.m. CDT

It's broken here: #1525 **Check if signature verification method returns true** https://github.com/GluuFederation/oxAuth/issues/1525