Hi,
I'm now able to register my webauthn device, to login, and trust my device.
What I noticed is that the allowed-origins (device registering) property
and application-id extension (connect) now seem mandatory to me (though they
were not in 6.5.9).
Without those two settings, I'm stuck.
web-authn:
core:
relying-party-id: mydomain.fr
relying-party-name: myrpname
allowed-origins: https://cas-dev.mydomain.fr
trusted-device-enabled: true
application-id: https://cas-dev.mydomain.fr/test
First, I want to say that I thank you all for your precious advice!
(@PreAuthorize("isAuthenticated()") + WebAuthnConfiguration.java trick)
This won't go in production right now, because I wonder about the security
impact when accessing the webauthn/register endpoint...?
Regards,
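As an added illustration (not code from CAS or from anyone in this thread): the "JSON.parse ... No number after minus sign at position 1" error reported further down is exactly what JSON.parse produces on a body that begins with "---", i.e. the base64-decoded 403 YAML error document also quoted in this thread, so the parse error hides an authorization failure. The snippet decodes such a body into the status/path it carries; the sample bodies are constructed.

```javascript
// Constructed sample of the Spring Boot error document seen when
// POST /cas/webauthn/register is denied (modelled on the thread's quote).
const FORBIDDEN_BODY =
  '--- !<java.util.LinkedHashMap>\n' +
  'timestamp: "2023-01-31T15:05:41.161+00:00"\n' +
  'status: 403\n' +
  'error: "Forbidden"\n' +
  'path: "/cas/webauthn/register"\n';

// Constructed JSON body standing in for a successful registration start
// (its shape is hypothetical, not CAS's real response format).
const OK_BODY = '{"request":{"username":"alice"},"actions":{"finish":"/cas/webauthn/register/finish"}}';

// Parse the flat "key: value" YAML that the error document consists of.
// Quoted values become strings, bare numbers become numbers.
function parseYamlErrorDocument(text) {
  const out = {};
  for (const line of text.split("\n").slice(1)) { // skip the "--- !<...>" header
    const m = /^(\w+):\s*(.*)$/.exec(line);
    if (!m) continue;
    const raw = m[2].trim();
    if (/^".*"$/.test(raw)) out[m[1]] = raw.slice(1, -1);
    else out[m[1]] = Number.isNaN(Number(raw)) ? raw : Number(raw);
  }
  return out;
}

// Decode a register response: JSON on success; on a SyntaxError whose body
// starts with "---", surface the HTTP status and path instead of the parse
// error; anything else is rethrown unchanged.
function decodeRegisterResponse(text) {
  try {
    return { ok: true, data: JSON.parse(text) };
  } catch (e) {
    if (e instanceof SyntaxError && text.startsWith("---")) {
      const err = parseYamlErrorDocument(text);
      return { ok: false, status: err.status, error: err.error, path: err.path, cause: e.message };
    }
    throw e;
  }
}
```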
On Wednesday, March 29, 2023 at 4:15:00 PM UTC+2, John wrote:
> What does your cas.log state for error? Are you using a valid SSL
> certificate, CAS host name matches what's in config? Also, in 7.x/master you
> have to edit this,
>
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>
> with the below,
>
> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN +
> WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
> WebAuthnController.BASE_ENDPOINT_WEBAUTHN +
> WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>
> There's actually 2 bugs, maybe more. One is the PreAuthorize and the other
> is CSRF related to Spring 6/Spring Boot 3 and possibly another bug. I fixed
> the CSRF issue and am still working through the other as time permits.
>
>
> On Wednesday, March 29, 2023 at 4:29:34 AM UTC-5 [email protected] wrote:
>
>> Thank you, you saved me lots of time, actually I needed those two:
>> implementation "org.springframework.security:spring-security-config"
>> implementation "org.springframework.security:spring-security-web"
>>
>> But I still have a JS issue (JSON.parse) when registering my device:
>>
>> "Registration failed SyntaxError: JSON.parse: unexpected non-digit at
>> line 1 column 2 of the JSON data" after the POST request on
>> https://cas-xx.xxx.fr/cas/webauthn/register.
>> (Chrome says the same: Registration failed SyntaxError: No number after
>> minus sign in JSON at position 1.)
>>
>> The error is caught here:
>> # register https://cas-xx.xxxxxx.fr/cas/js/webauthn/webauthn.js:477.
>> # (Asynchrone : promise callback) / register
>> https://cas-xx.xxxx.fr/cas/js/webauthn/webauthn.js:475
>> #
>> https://cas-xx.xxxxxx.fr/cas/login?service=https://node-cas-xxxxx.addomain.xxxxxxx.fr:9446/sample/&renew=true:390
>> .
>>
>> (The webapp is an instance of cas-sample-java-webapp running on port
>> 9446.)
>>
>> About JSON.parse:
>> https://xxxxcas/login?service=https://xxxxx:9446/sample/&renew=true at
>> lines 386 and 390: register(username, displayName, credentialNickname,
>> csrfToken);
>>
>> In my browser debugger, data seems present, as I can see them parsed by
>> the function getRegisterRequest in webauthn.js line 327:
>>
>> arguments: Arguments
>> 0: {…}
>> authenticate: "webauthn/authenticate"
>> register: "webauthn/register"
>> <prototype>: {…}
>> 1: "frederic.dussurget"
>> 2: "Frederic Dussurget"
>> 3: "wonderful_borg"
>> 4: false
>> callee:
>> length: 5
>> Symbol(Symbol.iterator):values()
>> <get callee()>: ()
>> <set callee()>: ()
>> <prototype>: {…
>> credentialNickname: "wonderful_borg"
>> displayName: "Frederic Dussurget"
>> requireResidentKey: false
>> urls: {…}
>> authenticate: "webauthn/authenticate"
>> register: "webauthn/register"
>> <prototype>: {…}
>> username: "frederic.dussurget"
>>
>> If you guys have any idea...
>> Regards,
>> On Friday, March 24, 2023 at 4:57:51 AM UTC+1, John wrote:
>>
>>> Spring security and probably one or 2 of the webauthn, I don't remember at
>>> the moment without looking at local commit history but here is all from gradle,
>>>
>>>
>>> /** Core **/
>>> implementation
>>> "org.apereo.cas:cas-server-core-api-configuration-model"
>>> implementation "org.apereo.cas:cas-server-core-api-mfa"
>>> implementation "org.apereo.cas:cas-server-core-events-configuration"
>>> implementation "org.apereo.cas:cas-server-core-notifications"
>>> implementation "org.apereo.cas:cas-server-core-authentication"
>>> implementation "org.apereo.cas:cas-server-core-authentication-api"
>>> implementation
>>> "org.apereo.cas:cas-server-core-authentication-mfa-api"
>>> implementation "org.apereo.cas:cas-server-core-util"
>>> implementation "org.apereo.cas:cas-server-core-web-api"
>>> implementation "org.apereo.cas:cas-server-core-webflow"
>>> implementation "org.apereo.cas:cas-server-core-webflow-api"
>>> implementation "org.apereo.cas:cas-server-core-webflow-mfa-api"
>>> implementation "org.apereo.cas:cas-server-webapp"
>>> implementation "org.apereo.cas:cas-server-webapp-init"
>>> implementation "org.apereo.cas:cas-server-webapp-config"
>>>
>>> /** Rest Plugins **/
>>> implementation
>>> "org.apereo.cas:cas-server-support-configuration-cloud-rest"
>>> implementation
>>> "org.apereo.cas:cas-server-support-rest-authentication"
>>>
>>> /** LDAP Support **/
>>> implementation "org.apereo.cas:cas-server-support-ldap"
>>> implementation "org.apereo.cas:cas-server-support-pm-ldap"
>>> implementation "org.apereo.cas:cas-server-support-pm-rest"
>>>
>>> /** Database Support **/
>>> implementation "org.apereo.cas:cas-server-support-jdbc"
>>> implementation "org.apereo.cas:cas-server-support-jpa-util"
>>> implementation "mysql:mysql-connector-java:${project.mysqlVerison}"
>>> implementation
>>> "com.microsoft.sqlserver:mssql-jdbc:${project.mssqlVersion}"
>>>
>>> /** Interrupt Support **/
>>> implementation "org.apereo.cas:cas-server-support-interrupt-webflow"
>>>
>>> /** Multifactor Auth **/
>>> implementation "org.apereo.cas:cas-server-support-gauth"
>>> implementation "org.apereo.cas:cas-server-support-gauth-ldap"
>>> implementation "org.apereo.cas:cas-server-support-webauthn"
>>> implementation "org.apereo.cas:cas-server-support-webauthn-ldap"
>>> implementation "org.apereo.cas:cas-server-support-webauthn-core"
>>> implementation
>>> "org.apereo.cas:cas-server-support-webauthn-core-webflow"
>>> implementation "org.apereo.cas:cas-server-support-simple-mfa"
>>> implementation "org.apereo.cas:cas-server-support-trusted-mfa"
>>>
>>> /** Protocols **/
>>> implementation "org.apereo.cas:cas-server-support-ws-idp"
>>> implementation "org.apereo.cas:cas-server-support-saml-idp"
>>> implementation
>>> "org.apereo.cas:cas-server-support-saml-sp-integrations"
>>>
>>>
>>> /** Services **/
>>> /** implementation
>>> "org.apereo.cas:cas-server-support-json-service-registry" **/
>>> implementation
>>> "org.apereo.cas:cas-server-support-rest-service-registry"
>>>
>>> implementation
>>> "org.springframework.security:spring-security-config:5.7.3"
>>> implementation "commons-net:commons-net:${project.apacheNetCom}"
>>> On Thursday, March 23, 2023 at 2:51:11 PM UTC-5 [email protected]
>>> wrote:
>>>
>>>> Hi, I've got quite the same issue: it works perfectly with CAS 6.5.9
>>>> but not on 6.6 nor on the master branch 7.x.
>>>> On 6.6, after basic auth, a popup asks for the Yubikey PIN and then,
>>>> when I press the register button, the flow breaks at POST
>>>> https://xxxxxxx.xx/cas/webauthn/register/finish. (FF: err 400
>>>> strict-origin-when-cross-origin)
>>>>
>>>> (The service app I use for my tests is the same one I used when I went through every
>>>> CAS version)
>>>>
>>>> webAuthnDevices.access endpoint is AUTHENTICATED in my cas.yml just as
>>>> you did
>>>>
>>>> here is my build.gradle webauthn section:
>>>> // MFA FIDO2 WEBAUTHN
>>>> implementation
>>>> "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
>>>> implementation
>>>> "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
>>>> implementation
>>>> "org.apereo.cas:cas-server-support-webauthn-core:${project.'cas.version'}"
>>>> (this one in order to comment out @PreAuthorize("isAuthenticated()") as
>>>> you did in
>>>> src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java )
>>>>
>>>> //MFA TRUSTED DEVICE
>>>> implementation
>>>> "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
>>>> implementation
>>>> "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"
>>>>
>>>> (John, what are the extra dependencies that you implement in your
>>>> build.gradle cas overlay to be able to modify the
>>>> src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java
>>>> <https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437>
>>>>
>>>> ? Compilation breaks)
>>>>
>>>> Regards,
>>>>
>>>>
>>>> On Thursday, March 16, 2023 at 4:25:47 AM UTC+1, John wrote:
>>>>
>>>>> Circling back to this, it also fails on 7.x current and master. Same
>>>>> issue, I believe I have found the source which is related to the csrf
>>>>> token. It works by excluding the /register from csrf to the ignored
>>>>> endpoints on
>>>>>
>>>>>
>>>>> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>>>>>
>>>>> with the below,
>>>>>
>>>>> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN +
>>>>> WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
>>>>> WebAuthnController.BASE_ENDPOINT_WEBAUTHN +
>>>>> WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Monday, February 6, 2023 at 9:53:31 PM UTC-6 John wrote:
>>>>>
>>>>>> Since we don't use any of the actuators, all disabled except for
>>>>>> whatever cas sets as default, I am leaving my change by commenting out
>>>>>> @PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just
>>>>>> going along finishing upgrade testing for us and will circle back to
>>>>>> this later before we upgrade prod.
>>>>>>
>>>>>> However, I do see some changes made below, I haven't had time to test
>>>>>> if it will resolve this issue yet, maybe it will be part of next 7.x RC
>>>>>> but for now it's only in master. If I get some time I will switch to
>>>>>> master and give it a go.
>>>>>>
>>>>>>
>>>>>> https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java
>>>>>>
>>>>>>
>>>>>> On Friday, February 3, 2023 at 7:11:44 AM UTC-6 [email protected]
>>>>>> wrote:
>>>>>>
>>>>>>> Yes, I have the same registration issue.
>>>>>>>
>>>>>>> I thought I have caused this error by meddling with the spring
>>>>>>> security settings, but it looks like it is not the case.
>>>>>>>
>>>>>>> However, after setting up spring security for the webAuthnDevices
>>>>>>> actuator like this
>>>>>>>
>>>>>>> spring.security.user.name=XXX
>>>>>>>
>>>>>>> spring.security.user.password=YYY
>>>>>>>
>>>>>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED
>>>>>>>
>>>>>>>
>>>>>>> then registration starts to work, but requires HTTP basic
>>>>>>> authentication.
>>>>>>>
>>>>>>>
>>>>>>> This is spring security filter chain for /webauthn/register endpoint
>>>>>>> without any additional configuration:
>>>>>>>
>>>>>>> Security filter chain: [
>>>>>>> ChannelProcessingFilter
>>>>>>> WebAsyncManagerIntegrationFilter
>>>>>>> CorsFilter
>>>>>>> CsrfFilter
>>>>>>> SecurityContextHolderAwareRequestFilter
>>>>>>> AnonymousAuthenticationFilter
>>>>>>> ExceptionTranslationFilter
>>>>>>> AuthorizationFilter
>>>>>>> ]
>>>>>>>
>>>>>>> And the chain with the spring security settings as above:
>>>>>>>
>>>>>>> Security filter chain: [
>>>>>>> ChannelProcessingFilter
>>>>>>> WebAsyncManagerIntegrationFilter
>>>>>>> CorsFilter
>>>>>>> CsrfFilter
>>>>>>> BasicAuthenticationFilter
>>>>>>> SecurityContextHolderAwareRequestFilter
>>>>>>> AnonymousAuthenticationFilter
>>>>>>> ExceptionTranslationFilter
>>>>>>> AuthorizationFilter
>>>>>>> ]
>>>>>>>
>>>>>>>
>>>>>>> I would say that
>>>>>>>
>>>>>>> 1) setting the actuator access really influences the processing
>>>>>>> for registration endpoint (and it should not),
>>>>>>>
>>>>>>> 2) using PERMIT or ANONYMOUS is not enough to make it work, as
>>>>>>> perhaps it does not satisfy the @PreAuthorize("isAuthenticated()")
>>>>>>> requirement
>>>>>>>
>>>>>>> I wonder how the registration endpoint should be authenticated; I
>>>>>>> guess it cannot be left unprotected but I fail to see how to set it up.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Michal V.
>>>>>>>
>>>>>>> On 1/31/23 16:14, John wrote:
>>>>>>>
>>>>>>> I have nothing configured or defined for endpoints or actuators
>>>>>>> besides what is default set by cas, we have never used those. I went
>>>>>>> back and configured according to
>>>>>>>
>>>>>>> management.endpoint.webAuthnDevices.enabled=true
>>>>>>> management.endpoints.web.exposure.include=*
>>>>>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT
>>>>>>>
>>>>>>> even tried ANONYMOUS below, which makes all actuators work, I can
>>>>>>> even pull /cas/actuator/webAuthnDevices/username anonymously and get
>>>>>>> devices for user. I don't think the endpoint webAuthnDevices controls
>>>>>>> the end user registration page as it falls under /webauthn/register and NOT
>>>>>>> /cas/actuator/webAuthnDevices
>>>>>>>
>>>>>>> cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
>>>>>>>
>>>>>>> Below is debug output,
>>>>>>>
>>>>>>> 2023-01-31 09:05:41,149 DEBUG
>>>>>>> [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the
>>>>>>> received exception
>>>>>>> [org.springframework.security.access.AccessDeniedException: Access is
>>>>>>> denied] due to a type mismatch with handler
>>>>>>> [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String,
>>>>>>> String, String, boolean, String, HttpServletRequest,
>>>>>>> HttpServletResponse)]>
>>>>>>>
>>>>>>> And browser POST response to /webauthn/register, base64 decoded is
>>>>>>>
>>>>>>> --- !<java.util.LinkedHashMap>
>>>>>>> timestamp: "2023-01-31T15:05:41.161+00:00"
>>>>>>> status: 403
>>>>>>> error: "Forbidden"
>>>>>>> path: "/cas/webauthn/register"
>>>>>>>
>>>>>>>
>>>>>>> On Monday, January 30, 2023 at 11:16:42 PM UTC-6 [email protected]
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>> have you, by any chance, configured spring security for the
>>>>>>>> webauthn endpoint?
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>>
>>>>>>>> Michal Vocu
>>>>>>>>
>>>>>>>> On 1/26/23 19:03, John wrote:
>>>>>>>>
>>>>>>>> When trying to register a new device, the POST request to
>>>>>>>> /webauthn/register is failing from spring security, access denied,
>>>>>>>> http 403.
>>>>>>>>
>>>>>>>> Commenting out the below within
>>>>>>>> (support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)
>>>>>>>>
>>>>>>>> got it working again,
>>>>>>>>
>>>>>>>> @PreAuthorize("isAuthenticated()")
>>>>>>>>
>>>>>>>> Looks like it was added in 6.4.x release, is anyone else not having
>>>>>>>> a registration issue?
>>>>>>>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f648c1c9-876b-47c6-a177-90332f2c4been%40apereo.org.