Skip to content
This repository has been archived by the owner on Nov 7, 2023. It is now read-only.

clientData sending invalid tokenBinding status #29

Closed
frankh opened this issue May 16, 2019 · 11 comments
Closed

clientData sending invalid tokenBinding status #29

frankh opened this issue May 16, 2019 · 11 comments

Comments

@frankh
Copy link

frankh commented May 16, 2019
edited

edit: My original comment was wrong, see #29 (comment)

I tried to use krypton as a u2f key on a site but it kept rejected it. I eventually realised that it's because the site requires token binding (see https://fidoalliance.org/fido-technote-the-growing-role-of-token-binding/)

It seems krypton doesn't support this yet, is it on the roadmap?
@agrinman
Copy link
Contributor

@frankh what site is this for? I thought chrome dropped support for the token binding standard anyways..?

@frankh
Copy link
Author

frankh commented May 17, 2019

I've done some more research and it seems that token-binding is not supported anywhere

It's a private project that's requiring this flag, i'll bug them to remove the requirement.

@frankh frankh closed this as completed May 17, 2019
@frankh
Copy link
Author

frankh commented May 17, 2019

Actually, it does look like this is a bug

According to the spec[1], the only valid values for this field are "supported" and "present" - so "not-supported" causes it to be rejected, but skipping the field entirely works.

I think the fix is to simply remove the field from the clientData here

kr-u2f/src/background.ts

Line 164 in f9599d4

tokenBinding: {

[1] https://www.w3.org/TR/webauthn/#dom-collectedclientdata-tokenbinding

@frankh frankh reopened this May 17, 2019
@frankh
Copy link
Author

frankh commented May 17, 2019

Created a PR here #30

@frankh frankh changed the title token binding not supported clientData sending invalid tokenBinding status May 17, 2019
@frankh frankh mentioned this issue May 17, 2019
Closed
@frankh
Copy link
Author

frankh commented May 17, 2019

It seems this was valid at some point, but is no longer, see: w3c/webauthn#914

@agrinman
Copy link
Contributor

While the PR looks good wrt to the spec, I wonder if this will break other sites that maybe also don’t realize this spec change (especially sites that support U2F only). Have you tested this change with sites like Google, Dropbox, etc...?

@frankh
Copy link
Author

frankh commented May 17, 2019

I just tested with Google and Dropbox and can confirm they still work. It also seems that my Yubikey 5C doesn't send this field in clientData, so anything that supports that should work with this change

@agrinman
Copy link
Contributor

Hm I would also test with a site that is U2F only i.e maybe GitHub & GitLab (Google and Dropbox both are webauthn). Might need to set/send the field differently based upon the protocol but I'm not sure.

@frankh
Copy link
Author

frankh commented May 17, 2019

Can confirm github works too

(this is good for me upping all my security 😄 )

@frankh
Copy link
Author

frankh commented Jun 6, 2019

hi, just wondering if you're considering merging this?

@agrinman
Copy link
Contributor

Sorry for the delay, I had merged this a little while back.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove invalid tokenBinding field from clientData frankh/kr-u2f
2 participants
@agrinman @frankh