Hi Graham, I gave it a try this morning (but on branch master 7.0.0-SNAPSHOT) and ... it's eventually working great :) Thanks to Misagh and the dev team !
What I've done is removing every workaround we did on this topic : removed config/WebAuthnConfiguration.java + webauthn/web/WebAuthnController.java, removed the extra pack of deps linked to those two files, flushed my dev db and imported just one mfa-webauthn service, removed custom theme and finally recompiled and restarted tomcat10 (mine is not bundled, it is marked as external thru gradle.properties). I can now register my fido2 device and then login without any error. build.gradle linked deps : // MFA FIDO2 WEBAUTHN > implementation > "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}" > implementation > "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}" > cas.yml : web-authn: > core: > relying-party-id: mydomain.fr > relying-party-name: mynickname > allowed-origins: https://cas.mydomain.fr > trusted-device-enabled: false > application-id: https://www.mydomain.fr > Le ven. 12 mai 2023 à 01:41, Graham Ballantyne <he...@grahamballantyne.com> a écrit : > Hi all, > > I'm having a similar issue with webauthn device registration failing on > CAS 6.6.x; the /cas/webauthn/register endpoint returns a 403 error, and the > server logs have an invalid CSRF token error: > > web_1 | 2023-05-11 23:11:38,248 DEBUG > [org.springframework.security.web.access.channel.ChannelProcessingFilter] - > <Request: filter invocation [POST /webauthn/register]; ConfigAttributes: > [REQUIRES_SECURE_CHANNEL]> > web_1 | 2023-05-11 23:11:38,250 DEBUG > [org.springframework.security.web.csrf.CsrfFilter] - <Invalid CSRF token > found for https://cas_server/cas/webauthn/register> > web_1 | 2023-05-11 23:11:38,250 DEBUG > [org.springframework.security.web.access.AccessDeniedHandlerImpl] - > <Responding with 403 status code> > > I'm not able to implement the workaround here (commenting out > @PreAuthorize("isAuthenticated()") in WebAuthnController.java) as > WebAuthnController.java no longer contains that line. It looks like Misagh > changed how this works in a recent commit ( > https://github.com/apereo/cas/commit/b9233b0731004fdc85994539c67fe0cd0f01c2c3 > ). > > I've tried adding the cas.authn.mfa.web-authn.core.allowed-origins > property (which the docs say defaults to the server name, so I'd think it > wouldn't be necessary) and it still fails. My webauthn settings from > cas.properties are: > > cas.authn.mfa.web-authn.core.application-id=https://mycasdomain.ca > cas.authn.mfa.web-authn.core.relying-party-name=Graham CAS Dev > cas.authn.mfa.web-authn.core.relying-party-id=mycasdomain.ca > cas.authn.mfa.web-authn.core.display-name-attribute=displayName > cas.authn.mfa.web-authn.core.allow-primary-authentication=true > cas.authn.mfa.web-authn.core.allow-untrusted-attestation=true > cas.authn.mfa.web-authn.core.trusted-device-enabled=true > cas.authn.mfa.web-authn.crypto.encryption.key=xxx > cas.authn.mfa.web-authn.crypto.signing.key=yyy > cas.authn.mfa.web-authn.core.allowed-origins:https://mycasdomain.ca > > I'm not a Java developer so I'm a little out of my element in trying to > see where the problem is. Any tips would be appreciated! > > Cheers, > Graham. > > > On Thursday, April 6, 2023 at 4:59:11 AM UTC-7 dussu...@gmail.com wrote: > > > Hi, > I'm now able to register my webauthn device, to login, and trust my device. > > What I noticed is that the allowed-origins (device registering) property > and application-id extension (connect) seem now mandatory to me, (though it > was not in 6.5.9). > Without those two settings, I'm stuck. > > web-authn: > core: > relying-party-id: mydomain.fr > relying-party-name: myrpname > allowed-origins: https://cas-dev.mydomain.fr > trusted-device-enabled: true > application-id: https://cas-dev.mydomain.fr/test > > First, I want to say that I thank you all for your precious advices ! > (@PreAuthorize("isAuthenticated()") + WebAuthnConfiguration.java trick) > This won't go in production right now, because I wonder about the security > impact when accessing the webauthn/register endpoint ... ? > > Regards, > Le mercredi 29 mars 2023 à 16:15:00 UTC+2, John a écrit : > > What does your cas.log state for error? Are you using a valid ssl > certificate, cas host name matches whats in config? Also, in 7.x/master you > have to edit this, > > > https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437 > > with the below, > > return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + > WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE, > WebAuthnController.BASE_ENDPOINT_WEBAUTHN + > WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER); > > There's actually 2 bugs, maybe more. One is the PreAuthorize and the other > is CSRF related to spring 6/spring boot 3 and possible another bug. I fixed > the csrf issue and still working through the other as time permits. > > > On Wednesday, March 29, 2023 at 4:29:34 AM UTC-5 dussu...@gmail.com wrote: > > Thank you, you saved me lots of time, actually I needed those two : > implementation "org.springframework.security:spring-security-config" > implementation "org.springframework.security:spring-security-web" > > But I still have an js issue (JSON.Parse) when registering my device : > > "Registration failed SyntaxError: JSON.parse: unexpected non-digit at line > 1 column 2 of the JSON data" after the POST request on > https://cas-xx.xxx.fr/cas/webauthn/register. > (Chrome says the same: Registration failed SyntaxError: No number after > minus sign in JSON at position 1.) > > The error is caught here : > # register https://cas-xx.xxxxxx.fr/cas/js/webauthn/webauthn.js:477. > # (Asynchrone : promise callback) / register > https://cas-xx.xxxx.fr/cas/js/webauthn/webauthn.js:475 > # > https://cas-xx.xxxxxx.fr/cas/login?service=https://node-cas-xxxxx.addomain.xxxxxxx.fr:9446/sample/&renew=true:390 > . > > (The webapp is an instance of cas-sample-java-webapp running on port 9446.) > > About JSON.Parse : > https://xxxxcas/login?service=https://xxxxx:9446/sample/&renew=true at > lines 386 and 390 : register(username, displayName, credentialNickname, > csrfToken); > > In my browser debugger, data seems present, as I can see them parsed by > the function getRegisterRequest in webauthn.js line 327: > > arguments: Arguments > 0: {…} > authenticate: "webauthn/authenticate" > register: "webauthn/register" > <prototype>: {…} > 1: "frederic.dussurget" > 2: "Frederic Dussurget" > 3: "wonderful_borg" > 4: false > callee: > length: 5 > Symbol(Symbol.iterator):values() > <get callee()>: () > <set callee()>: () > <prototype>: {… > credentialNickname: "wonderful_borg" > displayName: "Frederic Dussurget" > requireResidentKey: false > urls: {…} > authenticate: "webauthn/authenticate" > register: "webauthn/register" > <prototype>: {…} > username: "frederic.dussurget" > > I you guys have any idea ... > Regards, > Le vendredi 24 mars 2023 à 04:57:51 UTC+1, John a écrit : > > Spring security and probably one or 2 of the webauthn, I dont remeber at > the moment with looking at local commit history but here is all from gradle, > > > /** Core **/ > implementation "org.apereo.cas:cas-server-core-api-configuration-model" > implementation "org.apereo.cas:cas-server-core-api-mfa" > implementation "org.apereo.cas:cas-server-core-events-configuration" > implementation "org.apereo.cas:cas-server-core-notifications" > implementation "org.apereo.cas:cas-server-core-authentication" > implementation "org.apereo.cas:cas-server-core-authentication-api" > implementation "org.apereo.cas:cas-server-core-authentication-mfa-api" > implementation "org.apereo.cas:cas-server-core-util" > implementation "org.apereo.cas:cas-server-core-web-api" > implementation "org.apereo.cas:cas-server-core-webflow" > implementation "org.apereo.cas:cas-server-core-webflow-api" > implementation "org.apereo.cas:cas-server-core-webflow-mfa-api" > implementation "org.apereo.cas:cas-server-webapp" > implementation "org.apereo.cas:cas-server-webapp-init" > implementation "org.apereo.cas:cas-server-webapp-config" > > /** Rest Plugins **/ > implementation > "org.apereo.cas:cas-server-support-configuration-cloud-rest" > implementation "org.apereo.cas:cas-server-support-rest-authentication" > > /** LDAP Support **/ > implementation "org.apereo.cas:cas-server-support-ldap" > implementation "org.apereo.cas:cas-server-support-pm-ldap" > implementation "org.apereo.cas:cas-server-support-pm-rest" > > /** Database Support **/ > implementation "org.apereo.cas:cas-server-support-jdbc" > implementation "org.apereo.cas:cas-server-support-jpa-util" > implementation "mysql:mysql-connector-java:${project.mysqlVerison}" > implementation > "com.microsoft.sqlserver:mssql-jdbc:${project.mssqlVersion}" > > /** Interrupt Support **/ > implementation "org.apereo.cas:cas-server-support-interrupt-webflow" > > /** Multifactor Auth **/ > implementation "org.apereo.cas:cas-server-support-gauth" > implementation "org.apereo.cas:cas-server-support-gauth-ldap" > implementation "org.apereo.cas:cas-server-support-webauthn" > implementation "org.apereo.cas:cas-server-support-webauthn-ldap" > implementation "org.apereo.cas:cas-server-support-webauthn-core" > implementation > "org.apereo.cas:cas-server-support-webauthn-core-webflow" > implementation "org.apereo.cas:cas-server-support-simple-mfa" > implementation "org.apereo.cas:cas-server-support-trusted-mfa" > > /** Protocols **/ > implementation "org.apereo.cas:cas-server-support-ws-idp" > implementation "org.apereo.cas:cas-server-support-saml-idp" > implementation "org.apereo.cas:cas-server-support-saml-sp-integrations" > > > /** Services **/ > /** implementation > "org.apereo.cas:cas-server-support-json-service-registry" **/ > implementation > "org.apereo.cas:cas-server-support-rest-service-registry" > > implementation > "org.springframework.security:spring-security-config:5.7.3" > implementation "commons-net:commons-net:${project.apacheNetCom}" > On Thursday, March 23, 2023 at 2:51:11 PM UTC-5 dussu...@gmail.com wrote: > > Hi, I've got quite the same issue : it works perfectly with CAS 6.5.9 but > not on 6.6 nor on the master branch 7.x. > On 6.6, after basic auth, a popup asks for the Yubikey pin and then, when > I press the register button,the flow breaks at POST > https://xxxxxxx.xx/cas/webauthn/register/finish. (FF : err 400 > strict-origin-when-cross-origin) > > (The service app I use for my tests is the same when I wetn thru every CAS > version) > > webAuthnDevices.acces endpoint is AUTHENTICATED in my cas.yml just as you > did > > here is my build.gradle webauthn section : > // MFA FIDO2 WEBAUTHN > implementation > "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}" > implementation > "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}" > implementation > "org.apereo.cas:cas-server-support-webauthn-core:${project.'cas.version'}" > (this one in order to comment out @PreAuthorize("isAuthenticated()") as > you did in > src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java ) > > //MFA TRUSTED DEVICE > implementation > "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}" > implementation > "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}" > > (John, what are the extra dependencies that you implement in your > build.gradle cas overlay to be able to modify the > src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java > <https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437> > ? Compilation breaks) > > Regards, > > > Le jeudi 16 mars 2023 à 04:25:47 UTC+1, John a écrit : > > Circling back to this, it also fails on 7.x current and master. Same > issue, I believe I have found the source which is related to the csrf > token. It works by excluding the /register from csrf to the ignored > endpoints on > > > https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437 > > with the below, > > return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + > WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE, > WebAuthnController.BASE_ENDPOINT_WEBAUTHN + > WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER); > > > > > > On Monday, February 6, 2023 at 9:53:31 PM UTC-6 John wrote: > > Since we don't use any of the actuators, all disabled except for whatever > cas sets as default, I am leaving my change by commenting out > @PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just > going along finishing upgrade testing for us and will circle back to this > later before we upgrade prod. > > However, I do see some changes made below, I haven't had time to test if > it will resolve this issue yet, maybe it will be part of next 7.x RC but > for now its only in master. If I get some time I will switch to master and > give it a go. > > > https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java > > > On Friday, February 3, 2023 at 7:11:44 AM UTC-6 micha...@gmail.com wrote: > > Yes, I have the same registration issue. > > I thought I have caused this error by meddling with the spring security > settings, but it looks like it is not the case. > > However, after setting up spring security for the webAuthnDevices actuator > like this > > spring.security.user.name=XXX spring.security.user.password=YYY > cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED > > then registration starts to work, but requires HTTP basic authentication. > > > This is spring security filter chain for /webauthn/register endpoint > without any additional configuration: > > Security filter chain: [ ChannelProcessingFilter > WebAsyncManagerIntegrationFilter CorsFilter CsrfFilter > SecurityContextHolderAwareRequestFilter AnonymousAuthenticationFilter > ExceptionTranslationFilter AuthorizationFilter ] And the chain with the > spring security settings as above: > Security filter chain: [ ChannelProcessingFilter > WebAsyncManagerIntegrationFilter CorsFilter CsrfFilter > BasicAuthenticationFilter SecurityContextHolderAwareRequestFilter > AnonymousAuthenticationFilter ExceptionTranslationFilter > AuthorizationFilter ] > > I would say that > > 1) setting the actuator access really influences the processing for > registration endpoint (and it should not), > > 2) using PERMIT or ANONYMOUS is not enough to make it work, as perhaps > it does not satisfy the @PreAuthorize("isAuthenticated()") requirement > > I wonder how the registration endpoint should be authenticated; I guess it > can not be left unprotected but I fail to see how to set it up. > > Regards, > > Michal V. > > On 1/31/23 16:14, John wrote: > > I have nothing configured or defined for endpoints or actuators besides > what is default set by cas, we have never used those. I went back and > configured according to > > management.endpoint.webAuthnDevices.enabled=true > management.endpoints.web.exposure.include=* > cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT > > even tried ANONYMOUS below, which makes all actuators work, I can even > pull /cas/actuator/webAuthnDevices/username anonymously and gets devices > for user. I don't think the endpoint webAuthnDevices controls the end user > registration page as it falls under/webauthn/register and NOT > /cas/actuator/webAuthnDevices > > cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS > > Below is debug output, > > 2023-01-31 09:05:41,149 DEBUG > [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the > received exception > [org.springframework.security.access.AccessDeniedException: Access is > denied] due to a type mismatch with handler > [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String, > String, String, boolean, String, HttpServletRequest, HttpServletResponse)]> > > And browser POST response to /webauthn/register , base64 decoded is > > --- !<java.util.LinkedHashMap> > timestamp: "2023-01-31T15:05:41.161+00:00" > status: 403 > error: "Forbidden" > path: "/cas/webauthn/register" > > > On Monday, January 30, 2023 at 11:16:42 PM UTC-6 micha...@gmail.com wrote: > > Hi, > have you, by any chance, configured spring security for the webauthn > endpoint? > > Best regards, > > Michal Vocu > > On 1/26/23 19:03, John wrote: > > When trying to register a new device, the POST request to > /webauthn/register is failing from spring security, access denied, http 403. > > Commenting out the below within > (support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java) > got it working again, > > @PreAuthorize("isAuthenticated()") > > Looks like it was added in 6.4.x release, is anyone else not having a > registration issue? > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+u...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org?utm_medium=email&utm_source=footer> > . > > > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAKm8WbtFypSxqYGYH7AR_TrhoSwh8g%3D0-DE-nnXqnVFex8_79w%40mail.gmail.com.