There is an issue in the progressive enrollment process for Passkey with JIT provisioned federated users. The issue arises when a JIT provisioned user, who hasn't yet enrolled a passkey, engages in the progressive enrollment during the Passkey authentication flow. Although the user successfully authenticates through a federated authenticator at an intermediate phase, the process encounters a failure immediately after the user consents to create a passkey.
At the point of failure, the following error is logged in the console.
Exception: ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Authentication failed exception! FIDO2 trusted origin: https://localhost:9443/ sent in the request is invalid.
This error points to a problem with the FIDO2 trusted origin in the request, which seems to be causing the breakdown of the Passkey enrollment flow.
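The logged rejection is the relying party's WebAuthn origin check: the origin the browser records in clientDataJSON has to match a configured trusted origin before a passkey can be registered, and an exact comparison treats "https://localhost:9443/" and "https://localhost:9443" as different values. The Python below is an added example, not WSO2 Identity Server code; the allowlist, the constructed clientDataJSON and the idea that the trailing slash in the logged value is what trips the comparison are assumptions, not findings of this report.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed trusted-origin allowlist for the relying party (an assumption,
# not the configuration WSO2 Identity Server actually uses).
TRUSTED_ORIGINS = {"https://localhost:9443"}

def canonical_origin(value):
    """RFC 6454 serialisation: scheme://host[:port], lower-case host, default
    port dropped, path removed. None for anything that is not http(s)."""
    parts = urlsplit(value)
    try:
        port = parts.port
    except ValueError:  # non-numeric port
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    port = port or default
    host = parts.hostname  # urlsplit already lower-cases it
    return f"{parts.scheme}://{host}" + ("" if port == default else f":{port}")

def make_client_data(origin):
    """Constructed clientDataJSON (base64url, unpadded), the shape a browser
    produces for navigator.credentials.create(); sample input only."""
    doc = {"type": "webauthn.create", "challenge": "c2FtcGxlLWNoYWxsZW5nZQ", "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(doc).encode()).decode().rstrip("=")

def origin_from_client_data(client_data_b64url):
    """Decode clientDataJSON and return the origin the browser attested to."""
    padded = client_data_b64url + "=" * (-len(client_data_b64url) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["origin"]

def is_trusted_origin(origin, strict=True):
    """WebAuthn's 'verify that origin matches the Relying Party's origin'.
    strict: exact string equality, so 'https://localhost:9443/' fails because
    the trailing slash differs from the allowlist entry.  non-strict: both
    sides canonicalised first, then still exact equality (never a prefix match)."""
    if strict:
        return origin in TRUSTED_ORIGINS
    canon = canonical_origin(origin)
    return canon is not None and canon in {canonical_origin(o) for o in TRUSTED_ORIGINS}

def registration_origin_ok(client_data_b64url, strict=True):
    """The check a passkey creation (registration) request goes through."""
    return is_trusted_origin(origin_from_client_data(client_data_b64url), strict)
```

Canonicalising is safest applied to the configured allowlist rather than used to loosen what the client sent; the comparison after canonicalisation is still exact, so a userinfo trick or a look-alike host is still rejected.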
How to reproduce:
1. Log in to the WSO2 Identity Server Console.
2. Configure Google as a federated authenticator (as per [1]).
3. Set up the Passkey to support progressive enrollment (refer to [2]).
4. Create an application in the console and add Passkey login. Ensure Passkey progressive enrollment is enabled and usernameless authentication is disabled (refer to [3]).
5. Add Google as an additional authenticator for the first step in the sign-in method tab of the created application and save the changes.
6. Attempt to log in to the application, which will redirect you to the multi-option sign-in page.
7. Click on the Sign in with Passkey button.
8. You will be redirected to a page to add a username. Enter the username and click Create a passkey.
9. Then select Sign in with Google.
10. Authenticate yourself following the steps provided by Google. (Ensure the user is already JIT provisioned.)
11. You will then be redirected to a page stating no passkey found. Click on Create a passkey.
The issue arises in the final steps, where the system fails to redirect the user to perform the passkey creation.
References:
[1] https://is.docs.wso2.com/en/next/guides/authentication/social-login/add-google-login/
[2] https://is.docs.wso2.com/en/next/guides/authentication/passwordless-login/add-passwordless-login-with-passkey/#:~:text=usernameless%20authentication.-,Enable%20Passkey%20progressive%20enrollment,%C2%B6,-This%20feature%20allows
[3] https://is.docs.wso2.com/en/next/guides/authentication/passwordless-login/add-passwordless-login-with-passkey/
Environment information: