CORS request
Hi,
I have set up a FIDO 2 server and I am able to register and authenticate by calling the URL https://ilantus.fido2.com:8181/basicserver/. However, I have a web application from which I would like to call the /preregister, /register and authenticate APIs. I have added the below property in the webauthntutorial-confguration.properties file:
webauthntutorial.cfg.property.accesscontrolalloworigins=https://localhost:8443
But while making the AJAX call from my web application I am getting a CORS error: "Access to XMLHttpRequest at 'https://ilantus.fido2.com:8181/basicserver/fido2/preregister' from origin 'https://localhost:8443' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."
I am hoping I am trying a correct use case. If possible please suggest an approach.
@ashutoshkumarmishra560 Based on the description of your current issue, it seems that you are trying to use the fido2 server indirectly through the basic server. This implementation is irregular compared with a typical setup. Ideally you want your client-facing application talking directly to the fido2 server. Please look at https://github.com/StrongKey/fido2/blob/a16d7860d17cd41a04356c5496b1c45720d2e02f/sampleapps/java/basic/server/src/main/java/com/strongkey/webauthntutorial/SKFSClient.java to see how the basic server makes its requests to the fido2 server as an example for your implementation.
This being said, here are some potential solutions to your current configuration:
- Please try putting the FQDN of the web application as the value for webauthntutorial.cfg.property.accesscontrolalloworigins.
- If this doesn't work, please try installing a CORS extension to your browser.
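The check a browser applies to a cross-origin response, which produced the error quoted above, written out as an added example that is not part of the thread or of StrongKey's code. The function names, the page path and the sample header values are constructed for illustration; how the basic server turns the accesscontrolalloworigins property into a response header is not shown on this page.

```javascript
// Added example: browser-side CORS check as defined by the Fetch standard.
// All header values below are constructed samples, not captured traffic.

// Serialize an origin the way the browser does: scheme://host[:port],
// with default ports dropped and no path component.
function serializeOrigin(url) {
  return new URL(url).origin;
}

// headers: plain object keyed by lower-cased response header names.
// withCredentials: true when the XHR/fetch sends cookies or client certs.
function corsCheck(pageUrl, headers, withCredentials = false) {
  const origin = serializeOrigin(pageUrl);
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (allow === "*") {
    return withCredentials
      ? { allowed: false, reason: "wildcard not permitted with credentials" }
      : { allowed: true, reason: "wildcard" };
  }
  // Exact string comparison: no lists, no patterns, no trailing slash.
  if (allow !== origin) {
    return { allowed: false, reason: `'${allow}' does not equal '${origin}'` };
  }
  if (withCredentials && headers["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
  }
  return { allowed: true, reason: "origin match" };
}

// Constructed page URL on the origin named in the thread.
const page = "https://localhost:8443/app/login.html";
const samples = [
  {},                                                            // header absent, as in the reported error
  { "access-control-allow-origin": "localhost" },                // host name only
  { "access-control-allow-origin": "https://localhost:8443/" },  // trailing slash
  { "access-control-allow-origin": "https://localhost:8443" },   // exact match
];
for (const h of samples) {
  console.log(JSON.stringify(h), "->", JSON.stringify(corsCheck(page, h)));
}
```

Comparing these outcomes with the response headers shown in the browser's network tab tells you whether the header is missing entirely or present with a value that does not match the page's origin.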
While calling the /register API of skfs I am getting the below error:
[2021-01-28T15:59:13.956+0000] [Payara 4.1] [SEVERE] [FIDO-ERR-0015] [SKFS] [tid: _ThreadID=99 _ThreadName=http-thread-pool::http-listener-2(2)] [timeMillis: 1611849553956] [levelValue: 1000] [[ FIDO-ERR-0015: User signature could not be verified: TPM attestation statement cetificate has an invalid subjectAlternativeNames: Missing Manufacturer]]
[2021-01-28T15:59:13.956+0000] [Payara 4.1] [SEVERE] [FIDO-MSG-2001] [SKFS] [tid: _ThreadID=99 _ThreadName=http-thread-pool::http-listener-2(2)] [timeMillis: 1611849553956] [levelValue: 1000] [[ FIDO-MSG-2001: FIDO 2 Debug Message : Registration Signature verification : false]]
What could be missing in the request?
What FIDO2 authenticator are you using when you're making this request? Is it possible for you to test using a different authenticator?