Hi all,

I'm having a similar issue with webauthn device registration failing on CAS 
6.6.x; the /cas/webauthn/register endpoint returns a 403 error, and the 
server logs have an invalid CSRF token error:

web_1  | 2023-05-11 23:11:38,248 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] - <Request: filter invocation [POST /webauthn/register]; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]>
web_1  | 2023-05-11 23:11:38,250 DEBUG [org.springframework.security.web.csrf.CsrfFilter] - <Invalid CSRF token found for https://cas_server/cas/webauthn/register>
web_1  | 2023-05-11 23:11:38,250 DEBUG [org.springframework.security.web.access.AccessDeniedHandlerImpl] - <Responding with 403 status code>

I'm not able to implement the workaround here (commenting out 
@PreAuthorize("isAuthenticated()") in WebAuthnController.java) as 
WebAuthnController.java no longer contains that line. It looks like Misagh 
changed how this works in a recent commit 
(https://github.com/apereo/cas/commit/b9233b0731004fdc85994539c67fe0cd0f01c2c3).

I've tried adding the cas.authn.mfa.web-authn.core.allowed-origins property 
(which the docs say defaults to the server name, so I'd think it wouldn't 
be necessary) and it still fails. My webauthn settings from cas.properties 
are:

cas.authn.mfa.web-authn.core.application-id=https://mycasdomain.ca
cas.authn.mfa.web-authn.core.relying-party-name=Graham CAS Dev
cas.authn.mfa.web-authn.core.relying-party-id=mycasdomain.ca
cas.authn.mfa.web-authn.core.display-name-attribute=displayName
cas.authn.mfa.web-authn.core.allow-primary-authentication=true
cas.authn.mfa.web-authn.core.allow-untrusted-attestation=true
cas.authn.mfa.web-authn.core.trusted-device-enabled=true
cas.authn.mfa.web-authn.crypto.encryption.key=xxx
cas.authn.mfa.web-authn.crypto.signing.key=yyy
cas.authn.mfa.web-authn.core.allowed-origins:https://mycasdomain.ca

I'm not a Java developer so I'm a little out of my element in trying to see 
where the problem is. Any tips would be appreciated!

Cheers,
Graham.
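An added example, not code from the CAS project or its webauthn.js, that connects the two symptoms in this thread: a 403 from /cas/webauthn/register carries Spring's error body (the "--- !<java.util.LinkedHashMap>" text quoted further down), and a body whose first character is "-" is exactly what makes JSON.parse report "No number after minus sign in JSON at position 1". The helper classifies the response before parsing; the sample body is constructed from the one quoted in the thread, and the function and field names are mine.

```javascript
// Added example, not code from CAS or its webauthn.js. Inspect what
// /cas/webauthn/register returned before JSON.parse sees it: Spring's error
// body for a 403 is a YAML-style map starting with "---", and JSON.parse on
// text whose first char is "-" fails with "No number after minus sign".

// Constructed sample, modelled on the base64-decoded 403 body quoted in the thread.
const SAMPLE_403_BODY = [
  "--- !<java.util.LinkedHashMap>",
  'timestamp: "2023-01-31T15:05:41.161+00:00"',
  "status: 403",
  'error: "Forbidden"',
  'path: "/cas/webauthn/register"',
].join("\n");

// True only if the body is well-formed JSON (what the register flow expects).
function parsesAsJson(body) {
  try { JSON.parse(body); return true; } catch (e) { return false; }
}

// Parse the "key: value" lines of Spring's serialized error map (first line is
// the "--- !<...>" type tag and is skipped).
function parseSpringErrorBody(text) {
  const fields = {};
  for (const line of text.split(/\r?\n/).slice(1)) {
    const m = line.match(/^(\w+):\s*"?([^"]*?)"?\s*$/);
    if (m) fields[m[1]] = m[2];
  }
  return fields;
}

// Classify a response by status, Content-Type header and body text. Returns a
// plain object the caller can log or branch on instead of an opaque SyntaxError.
function classifyRegisterResponse(status, contentType, body) {
  const text = String(body).trim();
  if (/^application\/json/i.test(contentType || "")) {
    return parsesAsJson(text)
      ? { kind: "json", status, data: JSON.parse(text) }
      : { kind: "malformed-json", status, preview: text.slice(0, 40) };
  }
  if (text.startsWith("---")) {
    const f = parseSpringErrorBody(text);
    const code = Number(f.status) || status;
    return {
      kind: "spring-error", status: code, path: f.path, error: f.error,
      // A 403 here is the access denial seen in the thread (CSRF token or
      // authentication check), raised before the WebAuthn handler ran.
      hint: code === 403 ? "access denied before the WebAuthn handler ran" : undefined,
    };
  }
  return { kind: "unknown", status, preview: text.slice(0, 40) };
}
```

In webauthn.js the same check belongs in the register promise callback, ahead of the JSON.parse that currently throws.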


On Thursday, April 6, 2023 at 4:59:11 AM UTC-7 dussu...@gmail.com wrote:


Hi,
I'm now able to register my webauthn device, to login, and trust my device.

What I noticed is that the allowed-origins (device registering) property 
and the application-id extension (connect) now seem mandatory to me (though 
they were not in 6.5.9).
Without those two settings, I'm stuck.

      web-authn:
        core:
          relying-party-id: mydomain.fr
          relying-party-name: myrpname
          allowed-origins: https://cas-dev.mydomain.fr
          trusted-device-enabled: true
          application-id: https://cas-dev.mydomain.fr/test

First, I want to say that I thank you all for your precious advice! 
(@PreAuthorize("isAuthenticated()") + WebAuthnConfiguration.java trick)
This won't go in production right now, because I wonder about the security 
impact when accessing the webauthn/register endpoint ... ?

Regards,
On Wednesday, March 29, 2023 at 16:15:00 UTC+2, John wrote:

What does your cas.log state for the error? Are you using a valid SSL 
certificate, and does the CAS host name match what's in config? Also, in 
7.x/master you have to edit this,

https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437

with the below,

return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
               WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);

There are actually 2 bugs, maybe more. One is the PreAuthorize and the other 
is CSRF related to Spring 6/Spring Boot 3, and possibly another bug. I fixed 
the CSRF issue and am still working through the other as time permits.


On Wednesday, March 29, 2023 at 4:29:34 AM UTC-5 dussu...@gmail.com wrote:

Thank you, you saved me lots of time; actually I needed those two:
    implementation "org.springframework.security:spring-security-config"
    implementation "org.springframework.security:spring-security-web"

But I still have a JS issue (JSON.parse) when registering my device:

"Registration failed SyntaxError: JSON.parse: unexpected non-digit at line 1 column 2 of the JSON data" after the POST request on https://cas-xx.xxx.fr/cas/webauthn/register.
(Chrome says the same: Registration failed SyntaxError: No number after minus sign in JSON at position 1.)

The error is caught here:
# register https://cas-xx.xxxxxx.fr/cas/js/webauthn/webauthn.js:477
# (Async: promise callback) / register https://cas-xx.xxxx.fr/cas/js/webauthn/webauthn.js:475
# https://cas-xx.xxxxxx.fr/cas/login?service=https://node-cas-xxxxx.addomain.xxxxxxx.fr:9446/sample/&renew=true:390

(The webapp is an instance of cas-sample-java-webapp running on port 9446.)

About JSON.parse:
https://xxxxcas/login?service=https://xxxxx:9446/sample/&renew=true at 
lines 386 and 390: register(username, displayName, credentialNickname, 
csrfToken);

In my browser debugger, data seems present, as I can see them parsed by the 
function getRegisterRequest in webauthn.js line 327:

arguments: Arguments
0: {…}
authenticate: "webauthn/authenticate"
register: "webauthn/register"
<prototype>: {…}
1: "frederic.dussurget"
2: "Frederic Dussurget"
3: "wonderful_borg"
4: false
callee:
length: 5
Symbol(Symbol.iterator):values()
<get callee()>: ()
<set callee()>: ()
<prototype>: {…
credentialNickname: "wonderful_borg"
displayName: "Frederic Dussurget"
requireResidentKey: false
urls: {…}
authenticate: "webauthn/authenticate"
register: "webauthn/register"
<prototype>: {…}
username: "frederic.dussurget"

If you guys have any idea ...
Regards,
On Friday, March 24, 2023 at 04:57:51 UTC+1, John wrote:

Spring security and probably one or 2 of the webauthn ones, I don't remember at 
the moment without looking at local commit history, but here is all from gradle,


/** Core **/
    implementation "org.apereo.cas:cas-server-core-api-configuration-model"
    implementation "org.apereo.cas:cas-server-core-api-mfa"
    implementation "org.apereo.cas:cas-server-core-events-configuration"
    implementation "org.apereo.cas:cas-server-core-notifications"
    implementation "org.apereo.cas:cas-server-core-authentication"
    implementation "org.apereo.cas:cas-server-core-authentication-api"
    implementation "org.apereo.cas:cas-server-core-authentication-mfa-api"
    implementation "org.apereo.cas:cas-server-core-util"
    implementation "org.apereo.cas:cas-server-core-web-api"
    implementation "org.apereo.cas:cas-server-core-webflow"
    implementation "org.apereo.cas:cas-server-core-webflow-api"
    implementation "org.apereo.cas:cas-server-core-webflow-mfa-api"
    implementation "org.apereo.cas:cas-server-webapp"
    implementation "org.apereo.cas:cas-server-webapp-init"
    implementation "org.apereo.cas:cas-server-webapp-config"

    /** Rest Plugins **/
    implementation "org.apereo.cas:cas-server-support-configuration-cloud-rest"
    implementation "org.apereo.cas:cas-server-support-rest-authentication"

    /** LDAP Support **/
    implementation "org.apereo.cas:cas-server-support-ldap"
    implementation "org.apereo.cas:cas-server-support-pm-ldap"
    implementation "org.apereo.cas:cas-server-support-pm-rest"

    /** Database Support **/
    implementation "org.apereo.cas:cas-server-support-jdbc"
    implementation "org.apereo.cas:cas-server-support-jpa-util"
    implementation "mysql:mysql-connector-java:${project.mysqlVerison}"
    implementation "com.microsoft.sqlserver:mssql-jdbc:${project.mssqlVersion}"

    /** Interrupt Support **/
    implementation "org.apereo.cas:cas-server-support-interrupt-webflow"

    /** Multifactor Auth **/
    implementation "org.apereo.cas:cas-server-support-gauth"
    implementation "org.apereo.cas:cas-server-support-gauth-ldap"
    implementation "org.apereo.cas:cas-server-support-webauthn"
    implementation "org.apereo.cas:cas-server-support-webauthn-ldap"
    implementation "org.apereo.cas:cas-server-support-webauthn-core"
    implementation "org.apereo.cas:cas-server-support-webauthn-core-webflow"
    implementation "org.apereo.cas:cas-server-support-simple-mfa"
    implementation "org.apereo.cas:cas-server-support-trusted-mfa"

    /** Protocols **/
    implementation "org.apereo.cas:cas-server-support-ws-idp"
    implementation "org.apereo.cas:cas-server-support-saml-idp"
    implementation "org.apereo.cas:cas-server-support-saml-sp-integrations"


    /** Services **/
    /** implementation "org.apereo.cas:cas-server-support-json-service-registry" **/
    implementation "org.apereo.cas:cas-server-support-rest-service-registry"

    implementation "org.springframework.security:spring-security-config:5.7.3"
    implementation "commons-net:commons-net:${project.apacheNetCom}"
On Thursday, March 23, 2023 at 2:51:11 PM UTC-5 dussu...@gmail.com wrote:

Hi, I've got quite the same issue: it works perfectly with CAS 6.5.9 but 
not on 6.6 nor on the master branch 7.x. 
On 6.6, after basic auth, a popup asks for the Yubikey PIN and then, when I 
press the register button, the flow breaks at POST 
https://xxxxxxx.xx/cas/webauthn/register/finish. (FF: err 400 
strict-origin-when-cross-origin)

(The service app I use for my tests is the same one I went through every CAS 
version with.)

The webAuthnDevices access endpoint is AUTHENTICATED in my cas.yml just as you 
did.

Here is my build.gradle webauthn section:
    // MFA FIDO2 WEBAUTHN
    implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-webauthn-core:${project.'cas.version'}"
(this last one in order to comment out @PreAuthorize("isAuthenticated()") as 
you did in src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)

    // MFA TRUSTED DEVICE
    implementation "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"

(John, what are the extra dependencies that you implement in your 
build.gradle CAS overlay to be able to modify 
src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java 
<https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437>? 
Compilation breaks.)

Regards,


On Thursday, March 16, 2023 at 04:25:47 UTC+1, John wrote:

Circling back to this, it also fails on 7.x current and master. Same issue; 
I believe I have found the source, which is related to the CSRF token. It 
works by adding /register to the ignored endpoints excluded from CSRF on 

https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437

with the below,

return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
               WebAuthnController.BASE_ENDPOINT_WEBAUTHN + WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);





On Monday, February 6, 2023 at 9:53:31 PM UTC-6 John wrote:

Since we don't use any of the actuators, all disabled except for whatever 
cas sets as default, I am leaving my change by commenting out 
@PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just 
going along finishing upgrade testing for us and will circle back to this 
later before we upgrade prod.

However, I do see some changes made below. I haven't had time to test if it 
will resolve this issue yet; maybe it will be part of the next 7.x RC, but for 
now it's only in master. If I get some time I will switch to master and give 
it a go.

https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java


On Friday, February 3, 2023 at 7:11:44 AM UTC-6 micha...@gmail.com wrote:

Yes, I have the same registration issue.

I thought I have caused this error by meddling with the spring security 
settings, but it looks like it is not the case.

However, after setting up spring security for the webAuthnDevices actuator 
like this

spring.security.user.name=XXX
spring.security.user.password=YYY
cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED

then registration starts to work, but requires HTTP basic authentication.


This is spring security filter chain for /webauthn/register endpoint 
without any additional configuration:

Security filter chain: [
  ChannelProcessingFilter
  WebAsyncManagerIntegrationFilter
  CorsFilter
  CsrfFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  ExceptionTranslationFilter
  AuthorizationFilter
]

And the chain with the spring security settings as above:

Security filter chain: [
  ChannelProcessingFilter
  WebAsyncManagerIntegrationFilter
  CorsFilter
  CsrfFilter
  BasicAuthenticationFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  ExceptionTranslationFilter
  AuthorizationFilter
]

I would say that

  1) setting the actuator access really influences the processing for the 
registration endpoint (and it should not), 

  2) using PERMIT or ANONYMOUS is not enough to make it work, as perhaps it 
does not satisfy the @PreAuthorize("isAuthenticated()") requirement

I wonder how the registration endpoint should be authenticated; I guess it 
can not be left unprotected but I fail to see how to set it up.

Regards,

Michal V.

On 1/31/23 16:14, John wrote:

I have nothing configured or defined for endpoints or actuators besides 
what is default set by cas, we have never used those. I went back and 
configured according to 

management.endpoint.webAuthnDevices.enabled=true
management.endpoints.web.exposure.include=*
cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT

I even tried ANONYMOUS below, which makes all actuators work; I can even pull 
/cas/actuator/webAuthnDevices/username anonymously and get the devices for the 
user. I don't think the endpoint webAuthnDevices controls the end user 
registration page, as it falls under /webauthn/register and NOT 
/cas/actuator/webAuthnDevices 

cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS

Below is debug output,

2023-01-31 09:05:41,149 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.springframework.security.access.AccessDeniedException: Access is denied] due to a type mismatch with handler [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String, String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>

And the browser POST response to /webauthn/register, base64 decoded, is

--- !<java.util.LinkedHashMap>
timestamp: "2023-01-31T15:05:41.161+00:00"
status: 403
error: "Forbidden"
path: "/cas/webauthn/register"


On Monday, January 30, 2023 at 11:16:42 PM UTC-6 micha...@gmail.com wrote:

Hi, 
  have you, by any chance, configured spring security for the webauthn 
endpoint? 

Best regards,

Michal Vocu

On 1/26/23 19:03, John wrote:

When trying to register a new device, the POST request to 
/webauthn/register is failing from spring security, access denied, http 403.

Commenting out the below within 
(support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java) 
got it working again, 

@PreAuthorize("isAuthenticated()")

Looks like it was added in 6.4.x release, is anyone else not having a 
registration issue?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups 
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an 
email to cas-user+u...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org
 
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org?utm_medium=email&utm_source=footer>
.

