Passwordless WebAuthn Login not working
Describe the bug
Passwordless login via WebAuthn fails with 2 different errors in qutebrowser (QtWebEngine) and chromium. WebAuthn as normal 2FA works as expected.
To Reproduce
- Create a user and setup WebAuthn
- Create a passwordless flow and assign it to the default-auth-flow
- Try to login passwordless
Expected behavior
Get logged in
Screenshots
chromium:
qutebrowser:

Version and Deployment (please complete the following information):
- authentik version: 2022.3.3
- Deployment: helm
Could you check again with log level set to debug, and check for "Userless flow, getting generic webauthn challenge" in the logs?
Of course, here are all the logs produced by the flow in debug mode:
{"event": "/if/flow/pwless/", "host": "authentik.my.domain", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 25, "remote": "***.***.***.***", "request_id": "2bd6d7dcbf024c3eba2b8579dacf7d30", "runtime": 15, "scheme": "https", "status": 200, "timestamp": "2022-03-23T21:40:36.071540", "user": "", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36"}
{"event": "/api/v3/root/config/", "host": "authentik.my.domain", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 25, "remote": "***.***.***.***", "request_id": "c58028be081846458710dbf2b34178f9", "runtime": 11, "scheme": "https", "status": 200, "timestamp": "2022-03-23T21:40:36.379383", "user": "", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36"}
{"event": "f(exec): Continuing existing plan", "flow_slug": "pwless", "host": "authentik.my.domain", "level": "debug", "logger": "authentik.flows.views.executor", "pid": 25, "request_id": "f23b7ff28cb94b739b7f9fe72b2ccc77", "timestamp": "2022-03-23T21:40:36.726213"}
{"current_stage": "<AuthenticatorValidateStage: Stage WebAuthn>", "event": "f(exec): Current stage", "flow_slug": "pwless", "host": "authentik.my.domain", "level": "debug", "logger": "authentik.flows.views.executor", "pid": 25, "request_id": "f23b7ff28cb94b739b7f9fe72b2ccc77", "timestamp": "2022-03-23T21:40:36.726382"}
{"event": "f(exec): Passing POST", "flow_slug": "pwless", "host": "authentik.my.domain", "level": "debug", "logger": "authentik.flows.views.executor", "pid": 25, "request_id": "f23b7ff28cb94b739b7f9fe72b2ccc77", "stage": "<AuthenticatorValidateStage: Stage WebAuthn>", "timestamp": "2022-03-23T21:40:36.726638", "view_class": "authentik.stages.authenticator_validate.stage.AuthenticatorValidateStageView"}
{"event": "/api/v3/flows/executor/pwless/?query=", "host": "authentik.my.domain", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 25, "remote": "***.***.***.***", "request_id": "f23b7ff28cb94b739b7f9fe72b2ccc77", "runtime": 16, "scheme": "https", "status": 200, "timestamp": "2022-03-23T21:40:36.731767", "user": "", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36"}
Maybe there is something wrong with my config? I could not find any documentation on pwless login so I am not sure if this is correct:
default-auth-flow

pwless flow

webauthn stage of pwless flow:

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I still did not get passwordless WebAuthn login to work. @BeryJu did I misconfigure something?
Can confirm that it's not working, tested it with another guy on 3 devices. ^^"
As far as I can say, it seems like a client bug. :( I hope that this bug will be fixed and not be forgotten. :(
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I experience this as well with a YubiKey 5 NFC, under Windows 10 Chromium and Firefox, with authentik gh-next:
MFA (i.e. after identification stage) works fine under both browsers.
I should note I had to enable U2F on the YubiKey; I could not get registration, passwordless, or MFA to work with it disabled. So it appears FIDO2 is not being used?
There are also no resident WebAuthn keys, which would make sense if U2F was used, as Yubico opted to use non-resident keys for their implementation.
$ ./ykman fido credentials list
Enter your PIN:
# no authentik keys here
Also, I will assume that qutebrowser does not properly/fully support WebAuthn? I believe that would be a separate issue.
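
The log check requested earlier in the thread, as an added example (not part of the original issue and not authentik's own code): it groups authentik's JSON log lines by request_id for one flow and reports whether the "Userless flow, getting generic webauthn challenge" event appeared. The sample lines are constructed, abridged from the logs posted above with shortened request ids, and the function name `triage` is hypothetical.

```python
import json

# Message the maintainer asked to look for in the debug logs (quoted from the thread).
USERLESS_EVENT = "Userless flow, getting generic webauthn challenge"

# Constructed sample: abridged from the log lines in this issue, request ids shortened.
SAMPLE_LOG = """\
{"event": "/if/flow/pwless/", "level": "info", "logger": "authentik.asgi", "method": "GET", "request_id": "2bd6d7dc", "status": 200}
{"event": "f(exec): Continuing existing plan", "flow_slug": "pwless", "level": "debug", "logger": "authentik.flows.views.executor", "request_id": "f23b7ff2"}
{"current_stage": "<AuthenticatorValidateStage: Stage WebAuthn>", "event": "f(exec): Current stage", "flow_slug": "pwless", "level": "debug", "logger": "authentik.flows.views.executor", "request_id": "f23b7ff2"}
not json: a stray line mixed into the container output
{"event": "/api/v3/flows/executor/pwless/?query=", "level": "info", "logger": "authentik.asgi", "method": "POST", "request_id": "f23b7ff2", "status": 200}
"""


def triage(log_text, flow_slug):
    """Summarise each request that touched flow_slug, keyed by request_id."""
    requests = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines
        if not isinstance(rec, dict) or "request_id" not in rec:
            continue
        event = str(rec.get("event", ""))
        # Executor records carry flow_slug; access-log records only carry the URL path.
        if rec.get("flow_slug") != flow_slug and f"/{flow_slug}/" not in event:
            continue
        info = requests.setdefault(rec["request_id"], {
            "debug_seen": False, "userless_event": False, "stages": [], "status": None})
        info["debug_seen"] |= rec.get("level") == "debug"
        info["userless_event"] |= USERLESS_EVENT in event
        if "current_stage" in rec and rec["current_stage"] not in info["stages"]:
            info["stages"].append(rec["current_stage"])
        if "status" in rec:
            info["status"] = rec["status"]
    return requests


if __name__ == "__main__":
    for rid, info in triage(SAMPLE_LOG, "pwless").items():
        print(rid, info)
```

A request with `debug_seen` true and `userless_event` false is the case the posted logs show: debug logging was on, the executor reached the WebAuthn validate stage, and the requested message was not logged.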