Error during new user registration at Basicdemo page
Hello, all,
I recently installed the SKFS server and Basicdemo (on CentOS 7, on the same virtual machine) according to the manual FIDO Server (SKFS) Administration Guide Version 4.4.1.
Then I tried to register a new user using a YubiKey 5 NFC token on a separate computer, opening the basic demo webpage https://fido.lab.elvis.ru:8181/basicdemo/ via the internet (Firefox browser, latest version).
I got the following error (WEBAUTHN-WS-ERR-1000); screenshot: https://user-images.githubusercontent.com/75253423/173028300-46f6f433-82aa-498a-bb2d-4b5b9b9c136c.PNG
The server log is
FIDO SKFS new reg fail.log (https://github.com/StrongKey/fido2/files/8877399/FIDO.SKFS.new.reg.fail.log)
I tried this 3 or more times; the result was the same.
At the same time, the token registered successfully at https://demo.strongkey.com/basicdemo/
Any suggestions?
Your server logs indicate that you are using HMAC Authentication, and the result of that check is a failure:
APPL-ERR-1016: HMAC Authentication Failed: Expected HMAC: kFWbcC/wE45Ek7YrASN9Qov46s5LVtwB8dfHk1ROF6k= Produced HMAC: s/YR****************************************]]
Try using Password Authentication between the Basic Demo application and the FIDO Server; it will be easier to resolve that issue, and once you have everything working, you can go back to HMAC Authentication if you wish.
You may also want to consider using the latest release (4.5.0), even though your problem is not related to the specific version of the FIDO Server.
Try using Password Authentication between the Basic Demo application and the FIDO Server
Thanks for the quick answer, but can you tell me how to select this option? Any reference or manual? Because I did not change anything in the application or the server; I got both of them as-is from Git.
HMAC Authentication
Additionally, I would like to point out that the produced HMAC contains many non-Base64 symbols "*". I think this means it is not a normal HMAC validation failure, but some failure in the data (packet) format.
@Canopus-B, I would suggest that you install the second sample app (fidopolicy) as described here: https://docs.strongkey.com/index.php/skfs-home/skfs-usage/policy-module-demo/skfs-installation-with-fido2-same This should allow you to test different authenticators based on different policies.
We do have some documentation on how password-based auth works, but that applies to applications that you may create on your own (https://docs.strongkey.com/index.php/skfs-home/skfs-developers/skfs-api-security/skfs-password-based-authentication).
In terms of the ***** symbols, that was intentional, as we did not want to print the whole HMAC, so we printed out the first few letters followed by *'s.
Thank you
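As an added example (not StrongKey's code; SKFS's real canonical string and header layout are documented separately by StrongKey), this shows how a server-side HMAC check of this kind works, why a secret-key or canonical-string mismatch between the client application and the server produces an APPL-ERR-1016-style failure, and the redaction described above: the first four Base64 characters of the produced HMAC followed by asterisks. The access key, secret key, canonical string and Date header are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo keys (NOT StrongKey's defaults): the access key identifies the
# caller, the secret key is the HMAC key shared by the client app and the server.
ACCESS_KEY = "demo-accesskey-0001"
SECRET_KEY = b"demo-secret-key-for-illustration-only"

def canonical_string(method: str, path: str, body: bytes, date: str, access_key: str) -> bytes:
    """Hypothetical canonical request string. Client and server must build it
    identically; any difference (path, body hash, Date header, key id) changes the HMAC."""
    body_sha256_b64 = base64.b64encode(hashlib.sha256(body).digest()).decode()
    return "\n".join([method.upper(), path, body_sha256_b64, date, access_key]).encode()

def compute_hmac_b64(secret_key: bytes, canonical: bytes) -> str:
    """HMAC-SHA256 over the canonical string, Base64-encoded (44 characters)."""
    return base64.b64encode(hmac.new(secret_key, canonical, hashlib.sha256).digest()).decode()

def redact(mac_b64: str, keep: int = 4) -> str:
    """Log-safe form: keep the first few characters, replace the rest with '*'
    so the logged value has the same length as the real one."""
    return mac_b64[:keep] + "*" * max(0, len(mac_b64) - keep)

def verify_request(secret_key: bytes, canonical: bytes, produced_b64: str):
    """Server-side check. Returns (ok, log_line). compare_digest is constant-time,
    so the comparison does not reveal how many leading characters matched."""
    expected = compute_hmac_b64(secret_key, canonical)
    if hmac.compare_digest(expected.encode(), produced_b64.encode()):
        return True, "HMAC Authentication OK"
    return False, (f"APPL-ERR-1016: HMAC Authentication Failed: Expected HMAC: {expected} "
                   f"Produced HMAC: {redact(produced_b64)}")

def demo():
    # Request body as printed by skfsclient for a ping; the Date header is constructed.
    body = b'{"svcinfo":{"did":1,"protocol":"FIDO2_0","authtype":"HMAC"},"payload":""}'
    date = "Thu, 16 Jun 2022 17:29:06 GMT"
    canon = canonical_string("POST", "/skfs/rest/ping", body, date, ACCESS_KEY)
    # Both sides share the secret and the canonical string: success.
    good = verify_request(SECRET_KEY, canon, compute_hmac_b64(SECRET_KEY, canon))
    # Client app configured with a different secret than the server: failure.
    bad_key = verify_request(SECRET_KEY, canon, compute_hmac_b64(b"some-other-secret", canon))
    # Same secret, but the client canonicalised a different Date header: also a failure.
    canon2 = canonical_string("POST", "/skfs/rest/ping", body, "Thu, 16 Jun 2022 17:30:06 GMT", ACCESS_KEY)
    bad_canon = verify_request(SECRET_KEY, canon, compute_hmac_b64(SECRET_KEY, canon2))
    return good, bad_key, bad_canon

if __name__ == "__main__":
    for ok, line in demo():
        print(ok, line)
```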
We do have some documentation on how password based auth works but that applies to applications that you may create on your own (https://docs.strongkey.com/index.php/skfs-home/skfs-developers/skfs-api-security/skfs-password-based-authentication)
As I understand it, basicdemo works by default in "HMAC Authentication" mode and I should modify it? Or can I make some setting? I found out that the SKFS server by default does not understand "HMAC Authentication" but only "Password Authentication" mode, because ping in HMAC mode fails.
I tried to test the SKFS server with the skfsclient sample client application; the log is below.
SKFS get config and ping by skfsclient in PWD and HMAC mode.txt
Briefly, the ping and get configuration commands are OK in "Password Authentication" and FAIL in "HMAC Authentication" mode. Maybe a checklist exists for this situation? What must I check to make HMAC Authentication work correctly with SKFS?
Hi @Canopus-B,
Here is an example of the output for a ping request using skfsclient.jar with HMAC authentication:
$ saka445:~> java -jar ~/skfsclient/skfsclient.jar P https://`hostname`:8181 1 rest hmac 162a5684336fa6e7 7edd81de1baab6ebcc76ebe3e38f41f4
Copyright (c) 2001-2022 StrongAuth, Inc. All rights reserved.
REST Ping test with hmac
******************************************
json = {"svcinfo":{"did":1,"protocol":"FIDO2_0","authtype":"HMAC"},"payload":""}
Calling ping @ https://saka445.testdomain.com:8181/skfs/rest/ping
Ping test complete.
******************************************
Ping response : StrongKey, Inc. FIDO Server 4.4.2
Hostname: saka445.testdomain.com (ServerID: 1)
Current time: Thu Jun 16 10:29:06 PDT 2022
Up since: Wed Jun 15 17:44:05 PDT 2022
FIDO Server Domain 1 is alive!
Done with Ping!
In addition to this, here are the GlassFish logs printed at /usr/local/strongkey/payara5/glassfish/domains/domain1/logs/server.log:
[2022-06-16T10:29:06.659-0700] [Payara 5.2020.7] [INFO] [FIDO-MSG-0060] [SKFS] [tid: _ThreadID=172 _ThreadName=http-thread-pool::http-listener-2(5)] [timeMillis: 1655400546659] [levelValue: 800] [[
FIDO-MSG-0060: Received ping request; Input: [TXID=172-1655400546659]
did=1]]
[2022-06-16T10:29:06.660-0700] [Payara 5.2020.7] [INFO] [FIDO-MSG-0001] [SKFS] [tid: _ThreadID=172 _ThreadName=http-thread-pool::http-listener-2(5)] [timeMillis: 1655400546660] [levelValue: 800] [[
FIDO-MSG-0001: Received preregister request; Input: [TXID=172-1655400546660]
did=1
protocol=FIDO2_0
username=pinguser1655400546659
displayname=pinguserkey
options={"attestation":"direct"}
extensions=null]]
[2022-06-16T10:29:06.665-0700] [Payara 5.2020.7] [INFO] [FIDO-MSG-0002] [SKFS] [tid: _ThreadID=172 _ThreadName=http-thread-pool::http-listener-2(5)] [timeMillis: 1655400546665] [levelValue: 800] [[
FIDO-MSG-0002: Done with preregister request; Output: [TXID=172-1655400546660, START=1655400546660, FINISH=1655400546665, TTC=5]
FIDO2Registration Challenge parameters = {"Response":{"rp":{"name":"FIDOServer","id":"testdomain.com"},"user":{"name":"pinguser1655400546659","id":"YxJxp7lHkfTV-5O8VRZ8q6jW4uZ_HOYzuoX5OKX49C8","displayName":"pinguserkey"},"challenge":"Q1qaUzI5i4QeJ0UDVedf0Q","pubKeyCredParams":[{"type":"public-key","alg":-7},{"type":"public-key","alg":-35},{"type":"public-key","alg":-36},{"type":"public-key","alg":-8},{"type":"public-key","alg":-47},{"type":"public-key","alg":-257},{"type":"public-key","alg":-258},{"type":"public-key","alg":-259},{"type":"public-key","alg":-37},{"type":"public-key","alg":-38},{"type":"public-key","alg":-39}],"excludeCredentials":[],"attestation":"direct"}}]]
[2022-06-16T10:29:06.666-0700] [Payara 5.2020.7] [INFO] [FIDO-MSG-0061] [SKFS] [tid: _ThreadID=172 _ThreadName=http-thread-pool::http-listener-2(5)] [timeMillis: 1655400546666] [levelValue: 800] [[
FIDO-MSG-0061: Done with ping request; Output: [TXID=172-1655400546659, START=1655400546659, FINISH=1655400546666, TTC=7]
Ping response = StrongKey, Inc. FIDO Server 4.4.2
Hostname: saka445.testdomain.com (ServerID: 1)
Current time: Thu Jun 16 10:29:06 PDT 2022
Up since: Wed Jun 15 17:44:05 PDT 2022
FIDO Server Domain 1 is alive!
]]
Could you provide the GlassFish logs that are printed when you run a ping using the skfsclient.jar with HMAC authentication?
Could you provide the GlassFish logs that are printed when you run a ping using the skfsclient.jar with HMAC authentication?
Hi @pattycakelol,
The GlassFish logs are here: SKFS get config and ping by skfsclient in PWD and HMAC mode Payara.log. In this log there is a correct answer to the GetConfiguration and Ping commands in "Password Authentication" and a FAIL at the Ping command with "HMAC Authentication" (last 2 lines).
@Canopus-B , I would suggest that you install the second sample app (fidopolicy) as described here :https://docs.strongkey.com/index.php/skfs-home/skfs-usage/policy-module-demo/skfs-installation-with-fido2-same This should allow you to test different authenticators based on different policies.
I installed the fidopolicy app as described, but it does not work properly. The address is https://fido.lab.elvis.ru:8181/fidopolicy/; a screenshot is below.
As I understand it, the issue occurs in the web applet, because there is no trace in the payara log.
server fidopolicy.log
Hello, yes, you are correct that the server logs have no errors, as it is failing even before it makes the web service call.
Will you be able to open the browser console log by either:
- pressing f12 key or
- right click on the page and click on inspect element
And then go to the console tab.
Retry registration with the console logs open and send us any errors you may see there.
Thank you
Here is the console log
console-export-of-fidopolicy-fail.txt
and screenshot
This looks like a CORS issue, so can you change the URL, remove the port 8181, and try again?
This looks like a CORS issue, so can you change the URL, remove the port 8181, and try again?
Please give me more details: what is wrong with the URL, and what kind of change (and where) should I make? Should I remove only the port in the URL in the browser and in the poc.cfg.property.apiuri field in the poc-configuration.properties file, or something else?
Hi, in the browser address bar, change the URL from https://fido.lab.elvis.ru:8181/fidopolicy/ ---> https://fido.lab.elvis.ru/fidopolicy/
Try the test again. Thank you
Hi, in the browser address bar, change the URL from https://fido.lab.elvis.ru:8181/fidopolicy/ ---> https://fido.lab.elvis.ru/fidopolicy/
This does not work; I see an empty page with an "Unable to connect" message. By the way, in the instructions at https://docs.strongkey.com/index.php/skfs-home/skfs-usage/policy-module-demo/skfs-installation-with-fido2-same I see 2 different URLs, [hostname of FIDO Server] and "FQDN-of-Policy-server". Should those two be the same? If not, what should the second one be?
Hi, these instructions assume that you are installing both the FIDO server and the sample application on the same machine/VM, so they will be the same.
Also in the same instructions, step number 13 wants you to set up port forwarding; was that done?
Thank you
Hi,
You are right, the origin of the last problems was the absence of port forwarding (I executed step number 13, but after that I reset the VM and the port forwarding was implicitly reset too). But the fidopolicy web service does not work correctly either. I have created a new issue description to raise this problem again.
Thank you.
Closing this issue as the discussion moved to https://github.com/StrongKey/fido2/issues/198