webauthn MFA not working with TOTP. 'dict' object is not callable #6061

Closed
shmanubhav opened this issue Jun 26, 2023 · 3 comments · Fixed by #6062

@shmanubhav

Describe the bug
I was able to set up the TOTP setup stage correctly, but as soon as I add WebAuthn and select both TOTP and WebAuthn, I start receiving a general system exception saying 'dict' object is not callable [as you can see in the logs below].
I also keep seeing this error in the logs:

{"body":"{\"error\": \"invalid_grant\", \"error_description\": \"The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\"}

To Reproduce
Steps to reproduce the behavior:

  1. Go to Flows -> default-authentication-flow -> Stage Bindings -> default-authentication-mfa-validation -> Edit Stage
  2. Select WebAuthn Authenticator under Device classes. Select default-authenticator-webauthn-setup under configuration stage along with the corresponding TOTP device and config stage.
  3. Select Force the user to configure an authenticator
  4. Try to create a new user and use any MFA setup method and see Something went wrong! Please try again later.

Note: TOTP alone works just fine.

Expected behavior
MFA setup upon new login using TOTP as well as WebAuthn.

Logs

Stacktrace from authentik
{
    "geo": {<data>},
    "message": "Traceback (most recent call last):\n  File \"/authentik/flows/views/executor.py\", line 342, in post\n    stage_response = self.current_stage_view.post(request, *args, **kwargs)\n                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/authentik/stages/authenticator_validate/stage.py\", line 285, in post\n    stage_pk = self.executor.plan.context(PLAN_CONTEXT_SELECTED_STAGE)\n               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nbuiltins.TypeError: 'dict' object is not callable",
    "http_request": {
        "args": {
            "next": "/"
        },
        "path": "/api/v3/flows/executor/default-authentication-flow/",
        "method": "POST"
    }
}
User
{
    "pk": 2,
    "email": "",
    "username": "AnonymousUser"
}

Version and Deployment (please complete the following information):

  • authentik version: 2023.5.4
  • Deployment: helm
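
The failure in the stack trace above, reduced to a minimal case. This is an added example, not authentik's code and not part of the original report: `FlowPlan`, `handle_post`, the two lookup helpers and the value of `PLAN_CONTEXT_SELECTED_STAGE` are hypothetical stand-ins, and the `.get()` lookup is an assumed correction, since the change in #6062 is not shown on this page.

```python
# Added illustration; FlowPlan, the key's value and all function names are
# hypothetical stand-ins, not authentik source.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Optional

# Constructed value; the real constant's value is not shown on the page.
PLAN_CONTEXT_SELECTED_STAGE = "selected_stage"


@dataclass
class FlowPlan:
    """Minimal stand-in: the plan keeps its state in a plain dict."""
    context: Dict[str, Any] = field(default_factory=dict)


def selected_stage_buggy(plan: FlowPlan) -> Any:
    # Same expression shape as the traceback line: the dict is *called*.
    return plan.context(PLAN_CONTEXT_SELECTED_STAGE)


def selected_stage_safe(plan: FlowPlan) -> Optional[Any]:
    # Dict lookup; None means no configuration stage was selected.
    return plan.context.get(PLAN_CONTEXT_SELECTED_STAGE)


def handle_post(plan: FlowPlan, lookup: Callable[[FlowPlan], Any]) -> str:
    """Hypothetical handler: decide what the MFA validation step does."""
    try:
        stage_pk = lookup(plan)
    except TypeError as exc:
        # What the reporter hit: surfaces as a general system exception.
        return f"error: {exc}"
    if stage_pk is None:
        # Fail closed: a missing selection never counts as a passed challenge.
        return "denied: no configuration stage selected"
    return f"redirect-to-setup: {stage_pk}"


if __name__ == "__main__":
    chosen = FlowPlan({PLAN_CONTEXT_SELECTED_STAGE: "webauthn-setup-pk"})
    print(handle_post(chosen, selected_stage_buggy))
    print(handle_post(chosen, selected_stage_safe))
    print(handle_post(FlowPlan(), selected_stage_safe))
```
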
@shmanubhav
Author

@BeryJu I'm unable to validate the regression fix, due to k8s label constraints

Error: 2 errors occurred:
        * Deployment.apps "authentik-worker" is invalid: spec.template.labels: Invalid value: "gh-stages-authenticator_validate-fix-regression-1687776866-22f27e4": must be no more than 63 characters
        * Deployment.apps "authentik-server" is invalid: spec.template.labels: Invalid value: "gh-stages-authenticator_validate-fix-regression-1687776866-22f27e4": must be no more than 63 characters

make: *** [authentik] Error 1

Any workarounds to validate? Should I wait for a release?

@BeryJu
Member

BeryJu commented Jun 26, 2023

You can use the image ghcr.io/goauthentik/dev-server:gh-stages-authenticator_validate-fix-regression; the one in the comment by default includes the commit the image was built for.

@shmanubhav
Author

Oh thanks, that did it.
The regression fix works as expected. Thanks for the quick turnaround!
