
Firefox Webauthn Registration "SecurityError: The operation is insecure." #28020

mcarbonneaux opened this issue Mar 18, 2024 · 12 comments
@mcarbonneaux

mcarbonneaux commented Mar 18, 2024

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication/webauthn

Describe the bug

On Firefox on Windows 11, if I try to configure WebAuthn by following the documentation, I fail with this error when I go to the WebAuthn registering phase. But on all other websites like Google or webauthn.io it works fine...

[screenshot]

[screenshot]

After digging on the web to find out why... I haven't found why...

Finally I tested on different browsers... and with the debugger console...
and on Edge I finally saw this message in the dev console (I have no message on Firefox):
[screenshot]

The message points to this link: https://chromium.googlesource.com/chromium/src/+/main/content/browser/webauth/pub_key_cred_params.md

On this page they say that on the Microsoft Windows platform you need to have the signature algorithm RS256 in pubKeyCredParams... and Keycloak by default does not use this signature algorithm (only ES256)...

After adding it in the Keycloak admin console:
[screenshot]

we no longer have the error message in Edge, and it works, and it also works on Firefox...

Version

21.1.2

Regression

  • The issue is a regression

Expected behavior

Webauthn Registration without error...

Actual behavior

Webauthn Registration "SecurityError: The operation is insecure."

How to Reproduce?

Install Keycloak 21.1.2 from scratch and follow the documentation https://www.keycloak.org/docs/21.1.2/server_admin/#webauthn_server_administration_guide, log in for the first time and try to register a WebAuthn key...

Anything else?

I think you must add RS256 by default in addition to ES256, because the Windows platform authenticator requires it... or modify the documentation to inform Keycloak admin users to add this signature algorithm if they have Windows users...
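As an added example (not Keycloak's or the reporter's code), a JavaScript audit of the pubKeyCredParams list that a server sends in the registration options, showing why an ES256-only policy fails on the Windows platform authenticator and passes once RS256 is added. The helper names paramsFromPolicy and auditPubKeyCredParams are assumptions, and the two sample policies are constructed to mirror the default and corrected settings described in the report.

```javascript
// Added example (not Keycloak's code): audit the pubKeyCredParams a server sends in
// navigator.credentials.create() options for the gap described in this issue.
// COSE algorithm identifiers from the IANA registry: ES256 = -7, RS256 = -257, etc.
const COSE_ALG = { ES256: -7, ES384: -35, ES512: -36, EdDSA: -8, RS256: -257, RS384: -258, RS512: -259 };

// Per the Chromium note linked above, the Windows platform authenticator (Windows Hello)
// only registers when RS256 is offered; Firefox surfaces this as a bare SecurityError.
const REQUIRED_FOR_WINDOWS_HELLO = ['RS256'];

// Build pubKeyCredParams from algorithm names as listed in the Keycloak WebAuthn policy
// ("Signature algorithms"). Unknown names are rejected rather than silently dropped.
function paramsFromPolicy(algNames) {
  return algNames.map((name) => {
    if (!(name in COSE_ALG)) throw new Error(`unknown signature algorithm: ${name}`);
    return { type: 'public-key', alg: COSE_ALG[name] };
  });
}

// Return { present, problems }: which named algs are offered and why registration may fail.
function auditPubKeyCredParams(pubKeyCredParams) {
  const present = [];
  const problems = [];
  for (const p of pubKeyCredParams) {
    if (p.type !== 'public-key') problems.push(`unexpected credential type "${p.type}"`);
    const name = Object.keys(COSE_ALG).find((k) => COSE_ALG[k] === p.alg);
    if (name === undefined) problems.push(`unregistered COSE alg ${p.alg}`);
    else if (!present.includes(name)) present.push(name);
  }
  for (const req of REQUIRED_FOR_WINDOWS_HELLO) {
    if (!present.includes(req)) {
      problems.push(`${req} (COSE ${COSE_ALG[req]}) missing: Windows platform authenticator will refuse to register`);
    }
  }
  return { present, problems };
}

// Constructed inputs: the Keycloak 21 default policy (ES256 only) and the policy after
// adding RS256 in the admin console, as the reporter did.
const KEYCLOAK_DEFAULT_POLICY = ['ES256'];
const KEYCLOAK_FIXED_POLICY = ['ES256', 'RS256'];

// Example run, as it would appear in a browser dev tools console:
console.log(auditPubKeyCredParams(paramsFromPolicy(KEYCLOAK_DEFAULT_POLICY)).problems);
// → [ 'RS256 (COSE -257) missing: Windows platform authenticator will refuse to register' ]
console.log(auditPubKeyCredParams(paramsFromPolicy(KEYCLOAK_FIXED_POLICY)).problems);
// → []
```

Running the audit against the options object a relying party actually emits (for example by logging it in the browser before the create() call) gives a direct diagnosis where Firefox only reports the generic SecurityError.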

@mposolda
Contributor

@mcarbonneaux Thanks a lot for the investigation!

I am switching to "important" as it will be probably good to prioritize this. We should doublecheck whether we should change the default or update docs. Changing the default can be better unless there are some other side-effects (to be investigated).

@tnorimat Are you aware of any side-effects of changing the default to have both RS256 and ES256?

@tnorimat
Contributor

@mposolda I think it is OK to have both ES256 and RS256 as default setting.

@jonkoops
Contributor

Not sure if the others already checked this, but from what I can see this was reported for an older version that is no longer supported. Feel free to bump if this is still reproducible in 24.

@keycloak-github-bot

Thanks for reporting this issue, but as this is reported against an older and unsupported release we are not able to evaluate the issue. Please verify with the nightly build or the latest release.

If the issue can be reproduced in the nightly build or latest release add a comment with additional information, otherwise this issue will be automatically closed within 14 days.

@rmartinc
Contributor

@mposolda @tnorimat I also think that adding RS256 as default should not be an issue.

@jlrcontegix

jlrcontegix commented Mar 22, 2024

On Keycloak 24.0.1 we've added RS256, RS384, and RS512, but Firefox still fails to register our Yubikeys.

In our case we are only allowing a specific AAGUID and we see the following error, but this is only happening in Firefox (tested with 124.0.1):

[screenshot]

@LevN0

LevN0 commented Mar 24, 2024

Do you have attestation conveyance preference set to "direct" or "indirect"? Any other value won't send an AAGUID. I am not 100% sure if even indirect sends it.

@jlrcontegix

We have ours set to Direct. We've tried Indirect and Not Specified.

@keycloak-github-bot

Due to lack of updates in the last 14 days this issue will be automatically closed.

@keycloak-github-bot keycloak-github-bot bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 3, 2024
@jonkoops
Contributor

jonkoops commented Apr 3, 2024

Looks like the bot has closed this issue, if anyone can reproduce this under 24.0.2 let us know and I will re-open it.

@mcarbonneaux
Author

mcarbonneaux commented Apr 6, 2024

I've tested on 24.0.2, and it's the same:
[screenshot]
and on Edge it's the same:
[screenshot]

and after adding RS256 it works fine!

My test bed: Keycloak 24.0.2 zip + Java 17 on Windows 11 in start-dev mode, Firefox 124.0.2 and Edge 123.0.2420.81,
plus https://openidconnect.net/ for the OIDC client.

I've created a new realm "test" and a new client in this realm in OIDC mode, with credentials.
I've created a new browser flow (like in the documentation) and forced this flow on my new client.
After receiving the error I added RS256 to the WebAuthn policy (not the passwordless version), and after that it is working.

@rmartinc
Contributor

rmartinc commented Apr 8, 2024

Yep, this issue is not resolved, it was closed automatically by the bot.

@rmartinc rmartinc reopened this Apr 8, 2024