By: richard abbott user 06 Mar 2019 at 10:54 a.m. CST

9 Responses
I have enabled the FIDO2 script and set the default authentication to FIDO. I get the prompt using Google Chrome. I insert the key and tap the button. Then I get an "oops" page with the following error in the oxauth.log:

2019-03-06 16:41:32,330 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Fido2. Authenticate for step 2
2019-03-06 16:41:32,331 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Fido2. Prepare for step 2. Call Fido2 in order to finish registration flow
2019-03-06 16:41:32,359 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Fido2. Authenticate for step 2. Get invalid registration status from Fido2 server

By Mohib Zico staff 07 Mar 2019 at 2:31 a.m. CST

Will try to test against 3.1.5.

By richard abbott user 07 Mar 2019 at 4:40 a.m. CST

I have installed the latest gluu-server-3.1.6, running on Azure.

By richard abbott user 07 Mar 2019 at 5:11 a.m. CST

UPDATE: It seems to register the device to a user and log in ... it is when I subsequently attempt to log in again that I get a "failed to authenticate".

By Jose Gonzalez staff 07 Mar 2019 at 6:53 a.m. CST

Are you using Chrome? How does it go with Firefox? I think Chrome gives some trouble for Fido 2 authentication. If this is a blocker for you, try with FIDO U2F authentication. There is a separate custom script for that. The con this time would be Firefox, as it doesn't support U2F out of the box and requires a bit of manual intervention:

- http://www.cardps.com/news/activating-fido-u2f-on-firefox-quantum (versions higher than 57)
- https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/ (lower than 57)

By richard abbott user 07 Mar 2019 at 9:15 a.m. CST

It seems to happen on Chrome, Firefox and Microsoft Edge. I have used the following link to test: https://demo.yubico.com/webauthn/ . This test is OK. Thanks.

By Yuriy Movchan staff 07 Mar 2019 at 12:19 p.m. CST

I've enabled the Fido2 script in 3.1.6 with the latest oxauth.war (fix for Edge). Both Chrome and Edge work well for me. The issue is in the TOC files, I believe. We can't include them into CE by default. As a result you have to get them from the MDS services... In order to use Fido2 we need to obtain an access token to get the Fido2 metadata. Here are the steps needed to enable Fido2 support:

1. Register here: https://mds2.fidoalliance.org/tokens/ (FAQ about this here: https://fidoalliance.org/metadata/)
2. You should get an e-mail with an access token.
3. Put the cert file `https://mds.fidoalliance.org/Root.cer` into the `/etc/gluu/conf/fido2/mds/cert` folder.
4. Put the TOC file `https://mds2.fidoalliance.org/?token=<your_access_token>` into the `/etc/gluu/conf/fido2/mds/toc` folder.
5. Fix permissions: `chown -R root:gluu /etc/gluu/conf/fido2`
6. Open `https://<server>/identity/configuration/update`. Select 'oxAuth configuration'. Scroll to the `mdsAccessToken` parameter and put your access token into it. oxAuth needs it to download device metadata at runtime.
7. Deploy the latest oxauth.war from https://ox.gluu.org/maven/org/xdi/oxauth-server/3.1.6.Final/oxauth-server-3.1.6.Final.war
8. Restart the oxAuth server.
9. Check if the Mds service loaded entries: `cat /opt/gluu/jetty/oxauth/logs/oxauth.log | grep MdsTocService`
10. Try to log in with Chrome/Edge.

By richard abbott user 08 Mar 2019 at 8:25 a.m. CST

So I have followed your steps and see the following in the log:

2019-03-08 14:06:49,381 INFO [main] [gluu.oxauth.fido2.service.mds.MdsTocService] (MdsTocService.java:111) - Populating TOC entries from /etc/gluu/conf/fido2/mds/toc
2019-03-08 14:06:50,045 INFO [main] [gluu.oxauth.fido2.service.mds.MdsTocService] (MdsTocService.java:183) - Legal header "Metadata Legal Header: Version 1.00. Date: May 21, 2018. To access, view and use any Metadata Statements or the TOC file (“METADATA”) from the MDS, You must be bound by the latest FIDO Alliance Metadata Usage Terms that can be found at http://mds2.fidoalliance.org/ . If you already have a valid token, access the above URL attaching your token such as http://mds2.fidoalliance.org?token=YOUR-VALID-TOKEN. If You have not entered into the agreement, please visit the registration site found at http://fidoalliance.org/MDS/ and enter into the agreement and obtain a valid token. You must not redistribute this file to any third party. Removal of this Legal Header or modifying any part of this file renders this file invalid. The integrity of this file as originally provided from the MDS is validated by the hash value of this file that is recorded in the MDS. The use of invalid files is strictly prohibited. If the version number for the Legal Header is updated from Version 1.00, the METADATA below may also be updated or may not be available. Please use the METADATA with the Legal Header with the latest version number. Dated: 2018-05-21 Version LH-1.00"
2019-03-08 14:06:50,046 INFO [main] [gluu.oxauth.fido2.service.mds.MdsTocService] (MdsTocService.java:186) - Property 'no' value: 13. Number of entries: 30
2019-03-08 14:06:50,046 INFO [main] [gluu.oxauth.fido2.service.mds.MdsTocService] (MdsTocService.java:193) - Added TOC entry 07a9f89c-6407-4594-9d56-621d5f1e358b from /etc/gluu/conf/fido2/mds/toc/toc.jwt with status "NOT_FIDO_CERTIFIED"
2019-03-08 14:06:50,047 INFO [main] [gluu.oxauth.fido2.service.mds.MdsTocService] (MdsTocService.java:193) - Added TOC entry 39a5647e-1853-446c-a1f6-a79bae9f5bc7 from /etc/gluu/conf/fido2/mds/toc/toc.jwt with status "FIDO_CERTIFIED_L1"
2019-03-08 14:06:50,047 INFO [main] [gluu.oxauth.fido2.service.mds.MdsTocService] (MdsTocService.java:193) - Added TOC entry 77010bd7-212a-4fc9-b236-d2ca5e9d4084 from /etc/gluu/conf/fido2/mds/toc/toc.jwt with status "FIDO_CERTIFIED_L1"
2019-03-08 14:06:50,047 INFO [main] [gluu.oxauth.fido2.service.mds.MdsTocService] (MdsTocService.java:193) - Added TOC entry 820d89ed-d65a-409e-85cb-f73f0578f82a from /etc/gluu/conf/fido2/mds/toc/toc.jwt with status "FIDO_CERTIFIED_L1"
2019-03-08 14:06:50,049 INFO [main] [gluu.oxauth.fido2.service.mds.MdsTocService] (MdsTocService.java:193) - Added TOC entry d41f5a69-b817-4144-a13c-9ebd6d9254d6 from /etc/gluu/conf/fido2/mds/toc/toc.jwt with status "FIDO_CERTIFIED_L1"
2019-03-08 14:06:50,049 INFO [main] [gluu.oxauth.fido2.service.mds.MdsTocService] (MdsTocService.java:193) - Added TOC entry ee041bce-25e5-4cdb-8f86-897fd6418464 from /etc/gluu/conf/fido2/mds/toc/toc.jwt with status "FIDO_CERTIFIED_L1"
2019-03-08 14:06:50,061 INFO [main] [gluu.oxauth.fido2.service.mds.MdsTocService] (MdsTocService.java:123) - Get TOC 6 entries with nextUpdate date 2019-04-03

I have NOT yet deployed the new war file ... however I have tested on Firefox ... and we seem to have success:

2019-03-08 14:23:06,845 ERROR [qtp804611486-18] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:608) - Failed to get attributes from session
2019-03-08 14:24:03,318 INFO [qtp804611486-12] [oxauth.fido2.ws.rs.service.AssertionService] (AssertionService.java:90) - options {"username":"trevor"}
2019-03-08 14:24:03,318 INFO [qtp804611486-12] [oxauth.fido2.ws.rs.service.AssertionService] (AssertionService.java:151) - assertionOptions {"username":"trevor"}
2019-03-08 14:24:03,321 INFO [qtp804611486-12] [oxauth.fido2.ws.rs.service.AssertionService] (AssertionService.java:171) - Options trevor
2019-03-08 14:24:17,588 INFO [qtp804611486-12] [oxauth.fido2.ws.rs.service.AssertionService] (AssertionService.java:95) - authenticateResponse {"type":"public-key","id":"HSQIQvOl7eQHxDA08RsNdSK3X1pE9pTLO5NChuDtJRLsEkzsJKE3ZnNodHQd-fpfV4SXZDBjYidl8zzBVyalQw","rawId":"HSQIQvOl7eQHxDA08RsNdSK3X1pE9pTLO5NChuDtJRLsEkzsJKE3ZnNodHQd-fpfV4SXZDBjYidl8zzBVyalQw","response":{"authenticatorData":"EytThLkvWYGcThTtEkzGl_11ZE7CfvJanLsnMHt7H4kBAAAAHg","clientDataJSON":"eyJjaGFsbGVuZ2UiOiJ1Ny1oWnhPUDVSZXZrb0E3VTlKVlhfR2NlZWJjZzBrelR5dklINjk2MnowIiwiY2xpZW50RXh0ZW5zaW9ucyI6e30sImhhc2hBbGdvcml0aG0iOiJTSEEtMjU2Iiwib3JpZ2luIjoiaHR0cHM6Ly9ib3gwLnVrc291dGguY2xvdWRhcHAuYXp1cmUuY29tIiwidHlwZSI6IndlYmF1dGhuLmdldCJ9","signature":"MEQCIAGjMt7kw9twAtP_0a065Bl_vUBMsnXlqkldGO3b8W0qAiAcqbU3ZZnRkBg7VXjLFJdua4thK05qRnOp77NP9EVKag","userHandle":null},"clientExtensionResults":{}}
2019-03-08 14:24:17,595 INFO [qtp804611486-12] [gluu.oxauth.fido2.service.verifier.DomainVerifier] (DomainVerifier.java:38) - Domains comparison box0.uksouth.cloudapp.azure.com https://box0.uksouth.cloudapp.azure.com
2019-03-08 14:24:17,597 INFO [qtp804611486-12] [gluu.oxauth.fido2.service.verifier.AuthenticatorAssertionVerifier] (AuthenticatorAssertionVerifier.java:52) - Authenticator data EytThLkvWYGcThTtEkzGl_11ZE7CfvJanLsnMHt7H4kBAAAAHg
2019-03-08 14:24:17,598 INFO [qtp804611486-12] [org.gluu.oxauth.fido2.service.AuthenticatorDataParser] (AuthenticatorDataParser.java:69) - RPIDHASH hex 132b5384b92f59819c4e14ed124cc697fd75644ec27ef25a9cbb27307b7b1f89
2019-03-08 14:24:17,598 INFO [qtp804611486-12] [org.gluu.oxauth.fido2.service.AuthenticatorDataParser] (AuthenticatorDataParser.java:73) - FLAGS hex 01
2019-03-08 14:24:17,598 INFO [qtp804611486-12] [org.gluu.oxauth.fido2.service.AuthenticatorDataParser] (AuthenticatorDataParser.java:76) - COUNTERS hex 0000001e
2019-03-08 14:24:17,599 INFO [qtp804611486-12] [oxauth.fido2.service.processors.impl.U2FAssertionFormatProcessor] (U2FAssertionFormatProcessor.java:74) - Uncompressed ECpoint node {"1":2,"3":-7,"-1":1,"-2":"xQkv5vmBMHLioL9oxlAnoiX54xLFVJfZixtW/3BC5Oo=","-3":"PH4WcEkDIugcTl67+Cu18Gu8AlYemmmivd9QvAjKMk4="}
2019-03-08 14:24:17,599 INFO [qtp804611486-12] [oxauth.fido2.service.processors.impl.U2FAssertionFormatProcessor] (U2FAssertionFormatProcessor.java:75) - Public key hex 3059301306072a8648ce3d020106082a8648ce3d03010703420004c5092fe6f9813072e2a0bf68c65027a225f9e312c55497d98b1b56ff7042e4ea3c7e1670490322e81c4e5ebbf82bb5f06bbc02561e9a69a2bddf50bc08ca324e
2019-03-08 14:24:17,600 INFO [qtp804611486-12] [gluu.oxauth.fido2.service.verifier.CommonVerifiers] (CommonVerifiers.java:140) - Client data hash HEX 18e1d318f4e36fae0f40156e601b74462377c6b078eae96ced2f7f4bb9b9b3ac
2019-03-08 14:24:17,600 INFO [qtp804611486-12] [gluu.oxauth.fido2.service.verifier.CommonVerifiers] (CommonVerifiers.java:143) - Signature 3044022001a332dee4c3db7002d3ffd1ad3ae4197fbd404cb275e5aa495d18eddbf16d2a02201ca9b5376599d190183b5578cb14976e6b8b612b4e6a4673a9efb34ff4454a6a
2019-03-08 14:24:17,600 INFO [qtp804611486-12] [gluu.oxauth.fido2.service.verifier.CommonVerifiers] (CommonVerifiers.java:144) - Signature Base 132b5384b92f59819c4e14ed124cc697fd75644ec27ef25a9cbb27307b7b1f89010000001e18e1d318f4e36fae0f40156e601b74462377c6b078eae96ced2f7f4bb9b9b3ac
2019-03-08 14:24:17,604 INFO [qtp804611486-12] [gluu.oxauth.fido2.service.verifier.CommonVerifiers] (CommonVerifiers.java:180) - old counter 0 new counter 30
2019-03-08 14:24:17,618 INFO [qtp804611486-13] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:533) - Attempting to redirect user: SessionUser: SessionState {dn='oxAuthSessionId=c5cb9188-bcf7-4ac4-a56a-99b7f4ecd7e2,ou=session,o=@!B7E2.03F8.A829.C7D2!0001!0993.3776,o=gluu', id='c5cb9188-bcf7-4ac4-a56a-99b7f4ecd7e2', lastUsedAt=Fri Mar 08 14:24:17 UTC 2019, userDn='inum=@!B7E2.03F8.A829.C7D2!0001!0993.3776!0000!6A07.C131.97EF.3EAB,ou=people,o=@!B7E2.03F8.A829.C7D2!0001!0993.3776,o=gluu', authenticationTime=Fri Mar 08 14:24:17 UTC 2019, state=authenticated, sessionState='9690ebde254253ae50fc7dafd23d0a8523f6b215995f03633d8261085d0ef4f2.feb0404c-a2e4-4312-8370-efbfe3f4fa2b', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@39dd2a9d, involvedClients=null, sessionAttributes={auth_external_attributes=null, opbs=7ef2c083-eef2-44a0-936d-5da2309d1810, response_type=code, nonce=c6e4ec95-dbd0-46c6-993d-bcd918e64799, client_id=@!B7E2.03F8.A829.C7D2!0001!0993.3776!0008!2424.ED38, auth_step_passed_1=true, auth_step=2, acr=fido2, remote_ip=193.84.225.16, auth_user=trevor, scope=openid profile email user_name, acr_values=fido2, redirect_uri=https://box0.uksouth.cloudapp.azure.com/identity/authentication/getauthcode, state=f268e069-6b29-49d7-b6a4-571c2d459eb2}, persisted=true}
2019-03-08 14:24:17,620 INFO [qtp804611486-13] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:541) - Attempting to redirect user: User: org.xdi.oxauth.model.common.User@342cd28f
2019-03-08 14:24:17,621 INFO [qtp804611486-13] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:409) - Authentication success for User: 'null'
2019-03-08 14:24:17,811 INFO [qtp804611486-15] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:262) - Authentication success for Client: '@!B7E2.03F8.A829.C7D2!0001!0993.3776!0008!2424.ED38'

Still no success on Opera and Edge.
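The assertion log above already carries everything a relying party checks before accepting the sign-in: the base64url authenticatorData (rpIdHash, flags, counter), the clientDataJSON (origin and type) and the signature base that CommonVerifiers prints. The added example below is my own code, not Gluu's: it parses those exact values from the log and applies the checks, including the "old counter 0 new counter 30" comparison that exposes a cloned authenticator. It assumes the rpId is the server's host name and does not verify the ECDSA signature itself.

```python
import base64
import hashlib
import json
import struct

# Values copied from the assertion log in the post above.
AUTH_DATA_B64URL = "EytThLkvWYGcThTtEkzGl_11ZE7CfvJanLsnMHt7H4kBAAAAHg"
CLIENT_DATA_B64URL = ("eyJjaGFsbGVuZ2UiOiJ1Ny1oWnhPUDVSZXZrb0E3VTlKVlhfR2NlZWJjZzBrelR5dklINjk2MnowIiwi"
                      "Y2xpZW50RXh0ZW5zaW9ucyI6e30sImhhc2hBbGdvcml0aG0iOiJTSEEtMjU2Iiwi"
                      "b3JpZ2luIjoiaHR0cHM6Ly9ib3gwLnVrc291dGguY2xvdWRhcHAuYXp1cmUuY29tIiwi"
                      "dHlwZSI6IndlYmF1dGhuLmdldCJ9")
RP_ID = "box0.uksouth.cloudapp.azure.com"  # assumed: the rpId is the server's host name

def b64url_decode(text: str) -> bytes:
    """WebAuthn fields are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def parse_authenticator_data(raw: bytes) -> dict:
    """Split authenticatorData: rpIdHash (32 B) | flags (1 B) | signCount (4 B, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    (counter,) = struct.unpack(">I", raw[33:37])
    return {"rp_id_hash_hex": raw[:32].hex(), "flags": raw[32], "counter": counter,
            "user_present": bool(raw[32] & 0x01), "user_verified": bool(raw[32] & 0x04)}

def check_assertion(auth_b64: str, client_b64: str, origin: str, rp_id: str,
                    stored_counter: int) -> dict:
    """Parse the response and list the relying-party checks that failed (empty = all passed)."""
    auth_raw, client_raw = b64url_decode(auth_b64), b64url_decode(client_b64)
    parsed = parse_authenticator_data(auth_raw)
    client = json.loads(client_raw)
    problems = []
    if client.get("type") != "webauthn.get":
        problems.append("type")
    if client.get("origin") != origin:
        problems.append("origin")
    if hashlib.sha256(rp_id.encode()).hexdigest() != parsed["rp_id_hash_hex"]:
        problems.append("rpIdHash")
    if not parsed["user_present"]:
        problems.append("user_presence")
    # Sign count must strictly increase (unless the key reports 0); a repeat or regression
    # means the credential may have been cloned, so the login should be refused.
    if parsed["counter"] != 0 and parsed["counter"] <= stored_counter:
        problems.append("counter")
    # What the key actually signed: authenticatorData || SHA-256(clientDataJSON).
    sig_base = auth_raw + hashlib.sha256(client_raw).digest()
    parsed.update(origin=client.get("origin"), type=client.get("type"),
                  signature_base_hex=sig_base.hex(), problems=problems)
    return parsed
```

Calling `check_assertion(AUTH_DATA_B64URL, CLIENT_DATA_B64URL, "https://box0.uksouth.cloudapp.azure.com", RP_ID, 0)` reproduces the RPIDHASH, FLAGS and COUNTERS values from the log; calling it again with `stored_counter=30` reports the counter problem a replayed assertion would trigger.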

By Mohib Zico staff 13 Mar 2019 at 1:44 p.m. CDT

Thanks for your report. We will try to test it in Opera and Edge as soon as we can grab some time.

By Yuriy Movchan staff 15 Mar 2019 at 1:13 a.m. CDT

Also, can you try to check how it works in 3.1.6?