Firefox Webauthn Registration "SecurityError: The operation is insecure." #28020
Comments
@mcarbonneaux Thanks a lot for the investigation! I am switching to "important" as it will probably be good to prioritize this. We should double-check whether we should change the default or update docs. Changing the default can be better unless there are some other side-effects (to be investigated). @tnorimat Are you aware of any side-effects of changing the default to have both RS256 and ES256?
@mposolda I think it is OK to have both ES256 and RS256 as the default setting.
Not sure if the others already checked this, but from what I can see this was reported for an older version that is no longer supported. Feel free to bump if this is still reproducible in 24.
Thanks for reporting this issue, but as this is reported against an older and unsupported release we are not able to evaluate the issue. Please verify with the nightly build or the latest release. If the issue can be reproduced in the nightly build or latest release, add a comment with additional information; otherwise this issue will be automatically closed within 14 days.
Do you have attestation conveyance preference set to "direct" or "indirect"? Any other value won't send an AAGUID. I am not 100% sure if even indirect sends it.
We have ours set to Direct. We've tried Indirect and Not Specified.
Due to lack of updates in the last 14 days this issue will be automatically closed.
Looks like the bot has closed this issue; if anyone can reproduce this under 24.0.2, let us know and I will re-open it.
I've tested on 24.0.2, and it's the same: after adding RS256 it works fine! My test bed: Keycloak 24.0.2 zip + Java 17 on Windows 11 in start dev mode, and Firefox 124.0.2 and Edge 123.0.2420.81. I've created a new realm "test", and a new client on this realm in openidc mode, and with credential
Yep, this issue is not resolved, it was closed automatically by the bot.
Before reporting an issue
Area
authentication/webauthn
Describe the bug
On Firefox on Windows 11, if I try to configure WebAuthn by following the documentation, I fail with this error when I get to the WebAuthn registration phase. But on all other websites like Google and webauthn.io it works fine...
After digging on the web to find out why... I've not found why...
Finally I've tested on different browsers... and with the debugger console...
And on Edge I finally saw this message in the dev console (I have no message on Firefox):
The message talks about this link: https://chromium.googlesource.com/chromium/src/+/main/content/browser/webauth/pub_key_cred_params.md
On this page they say that on the Microsoft Windows platform you need to have the signature algorithm RS256 in pubKeyCredParams... and Keycloak by default does not use this signature algorithm (only ES256)...
After adding it in the Keycloak admin console:
we don't have the error message in Edge any more, and it works, and it also works on Firefox...
Version
21.1.2
Regression
Expected behavior
Webauthn Registration without error...
Actual behavior
Webauthn Registration "SecurityError: The operation is insecure."
How to Reproduce?
Install Keycloak 21.1.2 from scratch and follow the documentation https://www.keycloak.org/docs/21.1.2/server_admin/#webauthn_server_administration_guide, try to log in for the first time and try to register a WebAuthn key...
Anything else?
I think you must add RS256 by default in addition to ES256, because the Windows platform authenticator requires it... or modify the documentation to inform Keycloak admin users to add this signature algorithm if they have Windows users...
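The issue turns on what the relying party puts in `pubKeyCredParams` when it calls `navigator.credentials.create()`. The snippet below is an added example and is not code from Keycloak or from this issue: it maps the algorithm names shown in the Keycloak admin console (ES256, RS256) to their COSE identifiers, builds the registration options a server would send, and reports which of the two algorithms a given configuration is missing. The `rpId`, user name, and the zero-filled challenge and user id are constructed placeholders so the code runs outside a browser; a real server generates a random challenge per ceremony.

```javascript
// Added example (not Keycloak project code). COSE algorithm identifiers used in
// WebAuthn pubKeyCredParams, keyed by the names the Keycloak admin console shows.
const COSE_ALG = {
  ES256: -7,    // ECDSA with P-256 and SHA-256
  RS256: -257,  // RSASSA-PKCS1-v1_5 with SHA-256 (needed by the Windows platform authenticator)
};

// Algorithms a relying party should offer so both ES256-only and RS256-only
// authenticators can register.
const RECOMMENDED_ALGS = ["ES256", "RS256"];

// Build the PublicKeyCredentialCreationOptions a server hands to the browser.
// `algorithmNames` mirrors the "Signature Algorithms" list in the Keycloak
// admin console; `attestation` mirrors "Attestation Conveyance Preference".
// Challenge and user id are constructed placeholder bytes for this example.
function buildRegistrationOptions({ rpId, userName, algorithmNames, attestation = "none" }) {
  const pubKeyCredParams = algorithmNames.map((name) => {
    if (!(name in COSE_ALG)) throw new Error(`unknown algorithm name: ${name}`);
    return { type: "public-key", alg: COSE_ALG[name] };
  });
  return {
    rp: { id: rpId, name: rpId },
    user: { id: new Uint8Array(16), name: userName, displayName: userName },
    challenge: new Uint8Array(32), // placeholder; must be random per ceremony in production
    pubKeyCredParams,
    attestation,
    timeout: 60000,
  };
}

// Return the names from `required` whose COSE identifiers are absent from
// options.pubKeyCredParams. An empty array means the configuration offers both.
function missingAlgorithms(options, required = RECOMMENDED_ALGS) {
  const present = new Set(options.pubKeyCredParams.map((p) => p.alg));
  return required.filter((name) => !present.has(COSE_ALG[name]));
}

// Keycloak's reported default (ES256 only) next to the configuration the
// reporter ended up with (ES256 and RS256).
const defaultOptions = buildRegistrationOptions({
  rpId: "example.test", userName: "alice", algorithmNames: ["ES256"], attestation: "direct",
});
const fixedOptions = buildRegistrationOptions({
  rpId: "example.test", userName: "alice", algorithmNames: ["ES256", "RS256"], attestation: "direct",
});

// Usage: log which algorithms each configuration lacks before calling
// navigator.credentials.create({ publicKey: options }) in the browser.
console.log("default config missing:", missingAlgorithms(defaultOptions)); // ["RS256"]
console.log("fixed config missing:", missingAlgorithms(fixedOptions));     // []
```

Running `missingAlgorithms` against the options your server actually emits is a cheap pre-flight check: a non-empty result for RS256 is the configuration that produced the "SecurityError" described in this issue on Windows.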