Passwordless not working on 2024.4.1 #9513

Open
it-global-architect opened this issue Apr 29, 2024 · 8 comments
Labels
bug Something isn't working

it-global-architect commented Apr 29, 2024

Describe the bug
The passwordless function returns a "Failed to authenticate" message. The same passkey works when used in the login > password > WebAuthn flow.
Passkeys from both 1Password and Windows Hello fail on the passwordless flow.

To Reproduce
1. Go to auth.mydomaind
2. Click on "Use a security key"
3. Click on sign in in the 1Password popup or choose Windows Hello (both work for user > pass > WebAuthn but fail for passwordless)
4. Receive the "Failed to authenticate" message

Expected behavior
Login success

Logs

authentik-server-1      | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "Task published", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.root.celery", "pid": 45, "request_id": "97a5951066a541a6a42fc5e8d50a2d2c", "schema_name": "public", "task_id": "2dbc009246144425a89610eb2255cb24", "task_name": "authentik.policies.reputation.tasks.save_reputation", "timestamp": "2024-04-29T14:39:21.965867"}
authentik-server-1      | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 45, "remote": "192.168.50.159", "request_id": "97a5951066a541a6a42fc5e8d50a2d2c", "runtime": 31, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-04-29T14:39:21.971079", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"}
authentik-server-1      | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 45, "remote": "192.168.50.159", "request_id": "cbd6ab3060b34224bc81ae78c3069bf0", "runtime": 21, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-04-29T14:39:22.011008", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"}
authentik-server-1      | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 45, "remote": "192.168.50.159", "request_id": "3658aade2d1c43ee8909fc5e6b53cb06", "runtime": 17, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-04-29T14:39:22.054367", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"}
authentik-worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "cbb6c138-60d4-46ca-b4da-fd5266f38253", "task_name": "event_notification_handler", "timestamp": "2024-04-29T14:39:22.088575"}
authentik-server-1      | {"auth_via": "unauthenticated", "domain_url": "auth.my-domain.com", "event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "host": "auth.my-domain.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 45, "remote": "192.168.50.159", "request_id": "d9781374e7ff4a6299707aeda21342ea", "runtime": 20, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-04-29T14:39:22.094649", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"}
authentik-worker-1      | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "e4fd3c4f07c942d6bb5442b407131710", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-04-29T14:39:22.097114"}
authentik-worker-1      | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "fc5764d30aaf4032af7dc3a4c2060825", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-04-29T14:39:22.097806"}
authentik-worker-1      | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "fa151826cd5147c3818c41880d458a0c", "task_name": "authentik.events.tasks.event_trigger_handler", "timestamp": "2024-04-29T14:39:22.098369"}
authentik-worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "cbb6c13860d446cab4dafd5266f38253", "task_name": "event_notification_handler", "timestamp": "2024-04-29T14:39:22.099331"}
authentik-worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "2dbc0092-4614-4425-a896-10eb2255cb24", "task_name": "save_reputation", "timestamp": "2024-04-29T14:39:22.101521"}
authentik-worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "2dbc009246144425a89610eb2255cb24", "task_name": "save_reputation", "timestamp": "2024-04-29T14:39:22.116309"}
authentik-worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "e4fd3c4f-07c9-42d6-bb54-42b407131710", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.117588"}
authentik-worker-1      | {"checker": "passes_action", "domain_url": null, "event": "Event matcher check result", "level": "info", "logger": "authentik.policies.event_matcher.models", "pid": 354, "result": "<PolicyResult passing=False messages=('Action matched.',)>", "schema_name": "public", "task_id": "task-e4fd3c4f07c942d6bb5442b407131710", "timestamp": "2024-04-29T14:39:22.129071"}
authentik-worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "e4fd3c4f07c942d6bb5442b407131710", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.130409"}
authentik-worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "fc5764d3-0aaf-4032-af7d-c3a4c2060825", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.131437"}
authentik-worker-1      | {"checker": "passes_action", "domain_url": null, "event": "Event matcher check result", "level": "info", "logger": "authentik.policies.event_matcher.models", "pid": 354, "result": "<PolicyResult passing=False messages=('Action matched.',)>", "schema_name": "public", "task_id": "task-fc5764d30aaf4032af7dc3a4c2060825", "timestamp": "2024-04-29T14:39:22.140819"}
authentik-worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "fc5764d30aaf4032af7dc3a4c2060825", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.142013"}
authentik-worker-1      | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "task_id": "fa151826-cd51-47c3-818c-41880d458a0c", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.143073"}
authentik-worker-1      | {"checker": "passes_action", "domain_url": null, "event": "Event matcher check result", "level": "info", "logger": "authentik.policies.event_matcher.models", "pid": 354, "result": "<PolicyResult passing=False messages=('Action matched.',)>", "schema_name": "public", "task_id": "task-fa151826cd5147c3818c41880d458a0c", "timestamp": "2024-04-29T14:39:22.152936"}
authentik-worker-1      | {"checker": "passes_action", "domain_url": null, "event": "Event matcher check result", "level": "info", "logger": "authentik.policies.event_matcher.models", "pid": 354, "result": "<PolicyResult passing=False messages=('Action matched.',)>", "schema_name": "public", "task_id": "task-fa151826cd5147c3818c41880d458a0c", "timestamp": "2024-04-29T14:39:22.155335"}
authentik-worker-1      | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 354, "schema_name": "public", "state": "SUCCESS", "task_id": "fa151826cd5147c3818c41880d458a0c", "task_name": "event_trigger_handler", "timestamp": "2024-04-29T14:39:22.156483"}

Version and Deployment (please complete the following information):

  • authentik version: 2024.4.1
  • Deployment: docker-compose

Additional context

{
    "user": {
        "pk": 1,
        "email": "",
        "username": "AnonymousUser",
        "is_anonymous": true
    },
    "action": "login_failed",
    "app": "authentik.events.signals",
    "context": {
        "stage": {
            "pk": "1e3f ... 2",
            "app": "authentik_stages_authenticator_validate",
            "name": "WebAuthn passwordless (custom stage)",
            "model_name": "authenticatorvalidatestage"
        },
        "device": {
            "pk": 11,
            "app": "authentik_stages_authenticator_webauthn",
            "name": "1Password",
            "model_name": "webauthndevice"
        },
        "username": "",
        "device_type": {
            "pk": "b ... d",
            "app": "authentik_stages_authenticator_webauthn",
            "name": "WebAuthn device type 1Password (b  ...   0d)",
            "model_name": "webauthndevicetype"
        },
        "device_class": "webauthn",
        "http_request": {
            "args": {
                "next": "/"
            },
            "path": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/",
            "method": "POST",
            "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"
        }
    },
    "client_ip": "192. ....159",
    "expires": "2025-04-29T14:23:25.006Z",
    "brand": {
        "pk": "f0  ...  5e",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}
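
A triage helper for logs in this shape, as an added example that is not part of the issue or of authentik's code: it pulls the requests to one flow executor out of `docker compose logs` output and lists anything logged above info level. The sample lines, request ids and the warning record are constructed.

```python
import json

# Constructed sample lines in the "container | JSON" shape of the compose logs above
# (fields trimmed; request ids and the warning record are made up).
SAMPLE = """\
authentik-server-1      | {"event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "level": "info", "logger": "authentik.asgi", "method": "POST", "request_id": "aaa1", "status": 302, "timestamp": "2024-04-29T14:39:21.971079"}
authentik-worker-1      | {"event": "Task started", "level": "info", "logger": "authentik.root.celery", "task_name": "save_reputation", "timestamp": "2024-04-29T14:39:22.101521"}
authentik-server-1      | {"event": "/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F", "level": "info", "logger": "authentik.asgi", "method": "GET", "request_id": "bbb2", "status": 200, "timestamp": "2024-04-29T14:39:22.011008"}
authentik-server-1      | {"event": "constructed example warning", "level": "warning", "logger": "example.logger", "timestamp": "2024-04-29T14:39:22.300000"}
authentik-server-1      | plain text line that is not JSON
"""


def parse_compose_line(line):
    """Split 'container | {json}' into (container, record); None if it does not parse."""
    container, sep, payload = line.partition("|")
    if not sep:
        return None
    try:
        record = json.loads(payload)
    except json.JSONDecodeError:
        return None
    return (container.strip(), record) if isinstance(record, dict) else None


def records(text):
    """Yield every parseable (container, record) pair, skipping non-JSON lines."""
    for line in text.splitlines():
        parsed = parse_compose_line(line)
        if parsed is not None:
            yield parsed


def flow_requests(text, flow_slug):
    """HTTP requests to one flow executor as (timestamp, method, status, request_id), oldest first."""
    needle = f"/flows/executor/{flow_slug}/"
    hits = [
        (rec.get("timestamp") or "", rec.get("method"), rec.get("status"), rec.get("request_id"))
        for _, rec in records(text)
        if rec.get("logger") == "authentik.asgi" and needle in str(rec.get("event", ""))
    ]
    return sorted(hits, key=lambda hit: hit[0])


def above_info(text):
    """Records whose level is not info/debug; these are worth reading first."""
    return [(c, rec) for c, rec in records(text) if rec.get("level") not in ("info", "debug")]


if __name__ == "__main__":
    for hit in flow_requests(SAMPLE, "webauthn-passwordless-custom-flow"):
        print(*hit)
    for container, rec in above_info(SAMPLE):
        print(container, rec.get("level"), rec.get("event"))
```
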
@wgentine

same problem here

BeryJu (Member) commented Apr 29, 2024

@it-global-architect @wgentine Please have a look at the browser developer console for a more detailed error message

@it-global-architect (Author)

> @it-global-architect @wgentine Please have a look at the browser developer console for a more detailed error message

authentik(early): version 2024.4.1, apiBase https://auth.mydomain.com/api/v3 config.ts:89:8
authentik(early): version 2024.4.1, apiBase https://auth.mydomain.com/api/v3 config.ts:89:8
Setting Locale to ... English (en) ak-locale-context.ts:81:20
authentik/ws: connected to wss://auth.mydomain.com/ws/client/ ws.ts:29:20
authentik/api[authentik-default]: 200 GET https://auth.mydomain.com/api/v3/root/config/ middleware.ts:34:16
authentik/api[authentik-default]: 200 GET https://auth.mydomain.com/api/v3/core/brands/current/ middleware.ts:34:16
Retrieving "b5x-stateful-inline-icon" flag errored: timed out - falling back injected.js:4:473899
authentik/api[authentik-default]: 200 GET https://auth.mydomain.com/api/v3/root/config/ middleware.ts:34:16
authentik/api[authentik-default]: 200 GET https://auth.mydomain.com/api/v3/core/brands/current/ middleware.ts:34:16
authentik/api[authentik-default]: 200 GET https://auth.mydomain.com/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F middleware.ts:34:16
authentik/api[authentik-default]: 200 POST https://auth.mydomain.com/api/v3/flows/executor/webauthn-passwordless-custom-flow/?query=next%3D%252F

@it-global-architect (Author)

@BeryJu I tested on Firefox and Edge. Both no success.

@it-global-architect (Author)

Update: tested on iPhone and iPad Safari.
Same error as on Windows browsers.

MaxPelly (Contributor) commented May 3, 2024

If after getting the failed login you refresh the page and re-present the token, does it let you in? Could be something similar to #5972

@it-global-architect (Author)

> If after getting the failed login you refresh the page and re-present the token, does it let you in? Could be something similar to #5972

I just tried refreshing the page 5 times and unfortunately no luck.

@imightbelosthere

Facing the same situation when trying to use a passkey on an android device. Passkey being used "locally" works fine, if I try to use another device as passkey it just errors out and if I retry I get in the same loop as OP.
Authentik version 2024.4.2 running on a docker compose deployment.
Tested on a Surface Pro X (local Passkey works - Remote doesn't) and Android device (local Passkey works - Remote doesn't).
