By: sachin wagh user 22 Dec 2021 at 5:09 a.m. CST

1 Response
Hi,

We have some questions about support for FIDO2 in Gluu.

General questions

In the directory /etc/gluu/conf/fido2/authenticator_certs:
Which certificates are expected to be in this directory? In what format (DER encoded binary or Base64 encoded PEM)? Do the certificate files need to have specific names or extensions?

In the directory /etc/gluu/conf/fido2/mds/cert:
Which certificate is expected to be there? Can there be multiple certificates? In what format (DER encoded binary or Base64 encoded PEM)? Do the certificate files need to have specific names or extensions?

In the directory /etc/gluu/conf/fido2/mds/toc:
I guess it is supposed to contain the TOC in JWT format. Can there be multiple files there? Do the certificate files need to have specific names or extensions?

In the directory /etc/gluu/conf/fido2/server_metadata:
Is anything expected to be present here?

When the FIDO server tries to fetch the MDS TOC, which URL does it try to fetch from? Has that URL changed? Can this URL be configured or changed? It seems that the URLs mentioned in the Gluu 4.3 documentation do not match the actual URLs on the FIDO Alliance website.

The FIDO2 JSON configuration has a field called mdsAccessToken. What should be specified here? Does the FIDO Alliance website endpoint still need an access token to download the MDS TOC? Can this field be left blank? If this field is specific to a registered vendor, can FIDO2 devices from a different vendor work?

With Gluu 4.1

It works fine to the extent that it shows the web page asking the user to plug in the device, then it asks for the device PIN, then it asks to tap the key. The key blinks and when we tap it, it is recognized and the page submits to the server. However, the server returns "OOPS An unexpected error has occurred at null."

Here is a partial dump from oxauth.log:

2021-12-22 04:42:59,745 INFO [qtp1590550415-20] [gluu.oxauth.fido2.service.verifier.AuthenticatorAttestationVerifier] (AuthenticatorAttestationVerifier.java:76) - Authenticator data packed {"fmt":"packed","attStmt":{"alg":-7,"sig":"MEQCIDWSQ/2xzvo4m51dF6+DWY7/PzS2mCB7eiLbHu0gbmmJAiBZ0xW+mJdBfOAu+9pH1QevgEtLZiGIaJGMKpaEDaWVdQ==","x5c":["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","MIIB4DCCAYegAwIBAgIQM5NPQeqjWWVCmdlSS6miYTAKBggqhkjOPQQDAjA6MQswCQYDVQQGEwJDQTESMBAGA1UECgwJSFlQRVJTRUNVMRcwFQYDVQQDDA5IWVBFUkZJRE8gMDIwMDAgFw0xODExMDEwMDAwMDBaGA8yMDM4MTAzMTIzNTk1OVowQTELMAkGA1UEBhMCQ0ExEjAQBgNVBAoMCUhZUEVSU0VDVTEeMBwGA1UEAwwVSHlwZXJzZWN1IEZJRE8yIENBIDAxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE75fXNGqPfZXxlsRo5Bgh0i0Pw3YyMJij/EFIaM/4jBJl20YDtwum0Rd1xxlS01cSbYQSAtsMLzh7uHhARFaA4aNmMGQwHQYDVR0OBBYEFKvMHL/eMYEdKnf1mIxK4rQsR/ZQMB8GA1UdIwQYMBaAFLZYcfMMwkQAGbt3ryzZFPFypmsIMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMCA0cAMEQCIAOKBc5ARX+GxJ4bCioXvz/66QXXYqjOWE7/NK7/1PI1AiBRbfL3HPfBj8lLEyey9Mut+QlW742YphzbXbKTVUYGvQ=="]},"authData":"dLdNiuWk5v66vO1/DLvfdfgbLxlDJSFF1/WzIuaBsCpFAAADqJ934nmm4k1YtwAx5ZQ8apgAYBdBOccnT7gv728EOdlDYNIC+sn3ezO9nN8bilVsT6TE7wci+qPfZ5e3gdfnYT/VyVYgYlO7f0+K6EJPP7Mf5Ntca5JUB9usiuJ2am2w6wNadwcc1JgMGIaRwC4qdbHPf6UBAgMmIAEhWCCS+QhHhcmPT+09Ppv9KIfNkbNRradzWXDYFB0uDzvDiCJYIHaZM39o87gZG6ods/LoJ0y6tGc3VM9eRGVEE30EDRm/"}
2021-12-22 04:42:59,745 INFO [qtp1590550415-20] [org.gluu.oxauth.fido2.service.AuthenticatorDataParser] (AuthenticatorDataParser.java:69) - RPIDHASH hex 74b74d8ae5a4e6febabced7f0cbbdf75f81b2f1943252145d7f5b322e681b02a
2021-12-22 04:42:59,745 INFO [qtp1590550415-20] [org.gluu.oxauth.fido2.service.AuthenticatorDataParser] (AuthenticatorDataParser.java:73) - FLAGS hex 45
2021-12-22 04:42:59,746 INFO [qtp1590550415-20] [org.gluu.oxauth.fido2.service.AuthenticatorDataParser] (AuthenticatorDataParser.java:76) - COUNTERS hex 000003a8
2021-12-22 04:42:59,746 INFO [qtp1590550415-20] [org.gluu.oxauth.fido2.service.AuthenticatorDataParser] (AuthenticatorDataParser.java:83) - AAGUID hex 9f77e279a6e24d58b70031e5943c6a98
2021-12-22 04:42:59,746 INFO [qtp1590550415-20] [org.gluu.oxauth.fido2.service.AuthenticatorDataParser] (AuthenticatorDataParser.java:86) - CredIDLen hex 0060
2021-12-22 04:42:59,746 INFO [qtp1590550415-20] [org.gluu.oxauth.fido2.service.AuthenticatorDataParser] (AuthenticatorDataParser.java:88) - size 96
2021-12-22 04:42:59,747 INFO [qtp1590550415-20] [org.gluu.oxauth.fido2.service.AuthenticatorDataParser] (AuthenticatorDataParser.java:90) - credID hex 174139c7274fb82fef6f0439d94360d202fac9f77b33bd9cdf1b8a556c4fa4c4ef0722faa3df6797b781d7e7613fd5c956206253bb7f4f8ae8424f3fb31fe4db5c6b925407dbac8ae2766a6db0eb035a77071cd4980c188691c02e2a75b1cf7f
2021-12-22 04:42:59,747 INFO [qtp1590550415-20] [org.gluu.oxauth.fido2.service.AuthenticatorDataParser] (AuthenticatorDataParser.java:93) - cosePublicKey hex a501020326200121582092f9084785c98f4fed3d3e9bfd2887cd91b351ada7735970d8141d2e0f3bc3882258207699337f68f3b8191baa1db3f2e8274cbab4673754cf5e446544137d040d19bf
2021-12-22 04:42:59,747 INFO [qtp1590550415-20] [org.gluu.oxauth.fido2.service.AuthenticatorDataParser] (AuthenticatorDataParser.java:124) - cosePublicKey {"1":2,"3":-7,"-1":1,"-2":"kvkIR4XJj0/tPT6b/SiHzZGzUa2nc1lw2BQdLg87w4g=","-3":"dpkzf2jzuBkbqh2z8ugnTLq0ZzdUz15EZUQTfQQNGb8="}
2021-12-22 04:42:59,747 INFO [qtp1590550415-20] [org.gluu.oxauth.fido2.certification.CertificationKeyStoreUtils] (CertificationKeyStoreUtils.java:82) - No metadata for authenticator 9f77e279a6e24d58b70031e5943c6a98. Attempting to contact MDS
2021-12-22 04:42:59,748 ERROR [qtp1590550415-20] [org.gluu.oxauth.fido2.service.Fido2RpExceptionHandler] (Fido2RpExceptionHandler.java:33) - Handled Fido2 RP exception
org.gluu.oxauth.fido2.exception.Fido2RPRuntimeException: Authenticator not in TOC aaguid 9f77e279-a6e2-4d58-b700-31e5943c6a98
    at org.gluu.oxauth.fido2.service.mds.MdsService.fetchMetadata(MdsService.java:91) ~[oxauth-fido2-server-4.1.0.Final.jar:?]
    at org.gluu.oxauth.fido2.service.mds.MdsService$Proxy$_$$_WeldClientProxy.fetchMetadata(Unknown Source) ~[oxauth-fido2-server-4.1.0.Final.jar:?]
    at org.gluu.oxauth.fido2.certification.CertificationKeyStoreUtils.getCertificates(CertificationKeyStoreUtils.java:83) ~[oxauth-fido2-server-4.1.0.Final.jar:?]
    at org.gluu.oxauth.fido2.certification.CertificationKeyStoreUtils.populateTrustManager(CertificationKeyStoreUtils.java:97) ~[oxauth-fido2-server-4.1.0.Final.jar:?]
    at org.gluu.oxauth.fido2.certification.CertificationKeyStoreUtils$Proxy$_$$_WeldClientProxy.populateTrustManager(Unknown Source) ~[oxauth-fido2-server-4.1.0.Final.jar:?]
    at org.gluu.oxauth.fido2.service.processors.impl.PackedAttestationProcessor.process(PackedAttestationProcessor.java:84) ~[oxauth-fido2-server-4.1.0.Final.jar:?]
    at org.gluu.oxauth.fido2.service.processors.impl.PackedAttestationProcessor$Proxy$_$$_WeldClientProxy.process(Unknown Source) ~[oxauth-fido2-server-4.1.0.Final.jar:?]
    at org.gluu.oxauth.fido2.service.verifier.AuthenticatorAttestationVerifier.verifyAuthenticatorAttestationResponse(AuthenticatorAttestationVerifier.java:89) ~[oxauth-fido2-server-4.1.0.Final.jar:?]
    at org.gluu.oxauth.fido2.service.verifier.AuthenticatorAttestationVerifier$Proxy$_$$_WeldClientProxy.verifyAuthenticatorAttestationResponse(Unknown Source) ~[oxauth-fido2-server-4.1.0.Final.jar:?]
    at org.gluu.oxauth.fido2.ws.rs.service.AttestationService.verify(AttestationService.java:133) ~[oxauth-fido2-server-4.1.0.Final.jar:?]
    at org.gluu.oxauth.fido2.ws.rs.service.AttestationService$Proxy$_$$_WeldClientProxy.verify(Unknown Source) ~[oxauth-fido2-server-4.1.0.Final.jar:?]
    at org.gluu.oxauth.fido2.ws.rs.controller.AttestationController.verify(AttestationController.java:73) ~[oxauth-fido2-server-4.1.0.Final.jar:?]
    at org.gluu.oxauth.fido2.ws.rs.controller.AttestationController$Proxy$_$$_WeldClientProxy.verify(Unknown Source) ~[oxauth-fido2-server-4.1.0.Final.jar:?]

Even though it says "No metadata for authenticator 9f77e279a6e24d58b70031e5943c6a98", I have verified that metadata for this aaguid exists in the JWT file present in the fido3/mds/toc folder. The device we are using is a HyperFIDO Pro Mini from Hypersecu. Any idea why it is not recognizing the aaguid in the toc.jwt file?

With Gluu 4.3

It is a standard full Gluu installation with no changes. We have tried reinstalling Gluu twice, but with the same result. It does not even go as far as Gluu 4.1: it gets a Java NullPointerException even before displaying the FIDO2 page which instructs the user to plug in the device. Not unexpectedly, plugging the device into the USB port has no effect; the page does not even recognize that the device has been plugged in.

Here is the partial dump from oxauth_script.log:

2021-12-22 04:48:51,491 INFO [qtp536765369-82] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - Fido2. Authenticate for step 1
2021-12-22 04:48:51,538 INFO [qtp536765369-22] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - Fido2. Prepare for step 2
2021-12-22 04:48:51,549 INFO [qtp536765369-22] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - Fido2. Prepare for step 2. Call Fido2 endpoint in order to start assertion flow
2021-12-22 04:48:51,589 INFO [qtp536765369-22] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - Fido2. Prepare for step 2. Successfully start flow with next requests.
2021-12-22 04:48:51,589 INFO [qtp536765369-22] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - fido2_assertion_request: '{
2021-12-22 04:48:51,589 INFO [qtp536765369-22] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - "cause1":"java.lang.NullPointerException",
2021-12-22 04:48:51,589 INFO [qtp536765369-22] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - "servlet":"org.gluu.fido2.service.app.ResteasyInitializer",
2021-12-22 04:48:51,589 INFO [qtp536765369-22] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - "cause0":"org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException",
2021-12-22 04:48:51,589 INFO [qtp536765369-22] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - "message":"org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException",
2021-12-22 04:48:51,589 INFO [qtp536765369-22] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - "url":"/fido2/restv1/fido2/assertion/options",
2021-12-22 04:48:51,589 INFO [qtp536765369-22] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - "status":"500"
2021-12-22 04:48:51,590 INFO [qtp536765369-22] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - }'
2021-12-22 04:48:51,590 INFO [qtp536765369-22] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - fido2_attestation_request: 'None'

No error is logged in oxauth.log. Any idea why it is getting a NullPointerException and how to rectify it?
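The oxauth.log excerpt above is the server walking the fixed WebAuthn authenticatorData layout (rpIdHash, flags, counter, AAGUID, credential ID, COSE key) and then failing to find the AAGUID in the MDS TOC. The following is an added example, not Gluu code or anything from the post's author: it parses the authData string that the post's log line carries, including a minimal CBOR decoder for the COSE key, and then looks the AAGUID up in an MDS2-style TOC payload the way a relying party would, normalizing the 32-hex-digit and dashed forms of the same AAGUID so that a case or dash mismatch cannot cause a false "not in TOC". The TOC used here (`SAMPLE_TOC_JWT`, `_TOC_PAYLOAD`) is a constructed, unsigned stand-in with a simplified entry structure; the function names are mine. Only the authData bytes are taken from the page.

```python
"""Parse WebAuthn authenticatorData and check its AAGUID against an MDS2-style
TOC. Added example; not Gluu code. authData is copied from the post's log."""
import base64
import json
import uuid
from dataclasses import dataclass

# authData exactly as logged by AuthenticatorAttestationVerifier in the post.
AUTH_DATA_B64 = (
    "dLdNiuWk5v66vO1/DLvfdfgbLxlDJSFF1/WzIuaBsCpFAAADqJ934nmm4k1YtwAx5ZQ8apgAYBdB"
    "OccnT7gv728EOdlDYNIC+sn3ezO9nN8bilVsT6TE7wci+qPfZ5e3gdfnYT/VyVYgYlO7f0+K6EJP"
    "P7Mf5Ntca5JUB9usiuJ2am2w6wNadwcc1JgMGIaRwC4qdbHPf6UBAgMmIAEhWCCS+QhHhcmPT+09"
    "Ppv9KIfNkbNRradzWXDYFB0uDzvDiCJYIHaZM39o87gZG6ods/LoJ0y6tGc3VM9eRGVEE30EDRm/"
)


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    counter: int
    aaguid: str       # canonical dashed lowercase form
    cred_id: bytes
    cose_key: dict    # COSE_Key map with integer labels


def _cbor_decode(buf: bytes, pos: int = 0):
    """Minimal CBOR: unsigned ints, negative ints, byte strings, maps.
    That is all a COSE_Key for an EC2 or OKP key needs. Returns (value, next)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    else:
        raise ValueError(f"unsupported CBOR additional info {info}")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return buf[pos:pos + arg], pos + arg
    if major == 5:
        out = {}
        for _ in range(arg):
            key, pos = _cbor_decode(buf, pos)
            out[key], pos = _cbor_decode(buf, pos)
        return out, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def parse_auth_data(auth_data_b64: str) -> AuthData:
    """rpIdHash(32) flags(1) signCount(4), then attested credential data
    (aaguid(16) credIdLen(2) credId cosePublicKey) when the AT flag is set."""
    raw = base64.b64decode(auth_data_b64)
    rp_id_hash, flags = raw[:32], raw[32]
    counter = int.from_bytes(raw[33:37], "big")
    if not flags & 0x40:
        raise ValueError("AT flag clear: no attested credential data present")
    aaguid = str(uuid.UUID(bytes=raw[37:53]))
    cred_len = int.from_bytes(raw[53:55], "big")
    cred_id = raw[55:55 + cred_len]
    cose_key, end = _cbor_decode(raw, 55 + cred_len)
    if end != len(raw):
        raise ValueError("trailing bytes after COSE key")  # extensions not handled here
    return AuthData(rp_id_hash, flags, counter, aaguid, cred_id, cose_key)


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def toc_entry_for(toc_jwt: str, aaguid: str):
    """Return the TOC entry whose aaguid matches, else None. Both sides are
    canonicalized through uuid.UUID so 9F77E279A6E2... and 9f77e279-a6e2-...
    compare equal. The JWT signature is deliberately NOT checked here: a
    server must verify it against the MDS root before trusting any entry."""
    payload = json.loads(_b64url_decode(toc_jwt.split(".")[1]))
    want = str(uuid.UUID(aaguid))
    for entry in payload.get("entries", []):
        if "aaguid" in entry and str(uuid.UUID(entry["aaguid"])) == want:
            return entry
    return None


# Constructed, unsigned stand-in for an MDS2 TOC (alg "none", empty signature).
# Entry fields are simplified; a U2F-only entry has an aaid, not an aaguid.
_TOC_PAYLOAD = {
    "no": 1, "nextUpdate": "2022-01-01",
    "entries": [
        {"aaid": "1234#5678", "url": "https://example.invalid/u2f-only"},
        {"aaguid": "9F77E279A6E24D58B70031E5943C6A98",
         "url": "https://example.invalid/hyperfido", "statusReports": []},
    ],
}
SAMPLE_TOC_JWT = ".".join([_b64url(json.dumps({"alg": "none"}).encode()),
                           _b64url(json.dumps(_TOC_PAYLOAD).encode()), ""])

if __name__ == "__main__":
    ad = parse_auth_data(AUTH_DATA_B64)
    print("AAGUID", ad.aaguid, "flags", hex(ad.flags), "counter", ad.counter)
    print("credId bytes", len(ad.cred_id), "COSE alg", ad.cose_key[3])
    print("TOC entry:", toc_entry_for(SAMPLE_TOC_JWT, ad.aaguid))
```

Run against the posted authData this reproduces every field the Gluu log prints (RPIDHASH, FLAGS 45, counter 0x3a8, the AAGUID in both spellings, a 96-byte credential ID and an ES256 COSE key), and the lookup succeeds even though the constructed TOC stores the AAGUID without dashes and in upper case. The same lookup against a real toc.jwt is a quick way to confirm whether the entry the server says is missing is actually present under the aaguid field, rather than only under an aaid or certificate key identifier.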

By Michael Schwartz Account Admin 22 Dec 2021 at 10:36 a.m. CST

This is out of scope of community support. Sorry. Please consider purchasing a VIP subscription. You can contact sales@gluu.org