Hi Graham,

I gave it a try this morning (but on branch master 7.0.0-SNAPSHOT) and...
it's eventually working great :) Thanks to Misagh and the dev team!

What I've done is remove every workaround we did on this topic: removed
config/WebAuthnConfiguration.java + webauthn/web/WebAuthnController.java,
removed the extra pack of deps linked to those two files, flushed my dev db
and imported just one mfa-webauthn service, removed the custom theme and
finally recompiled and restarted Tomcat 10 (mine is not bundled; it is
marked as external through gradle.properties). I can now register my FIDO2
device and then log in without any error.

build.gradle linked deps:

    // MFA FIDO2 WEBAUTHN
    implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"


cas.yml:

      web-authn:
        core:
          relying-party-id: mydomain.fr
          relying-party-name: mynickname
          allowed-origins: https://cas.mydomain.fr
          trusted-device-enabled: false
          application-id: https://www.mydomain.fr



On Fri, 12 May 2023 at 01:41, Graham Ballantyne <[email protected]>
wrote:

> Hi all,
>
> I'm having a similar issue with webauthn device registration failing on
> CAS 6.6.x; the /cas/webauthn/register endpoint returns a 403 error, and the
> server logs have an invalid CSRF token error:
>
> web_1  | 2023-05-11 23:11:38,248 DEBUG
> [org.springframework.security.web.access.channel.ChannelProcessingFilter] -
> <Request: filter invocation [POST /webauthn/register]; ConfigAttributes:
> [REQUIRES_SECURE_CHANNEL]>
> web_1  | 2023-05-11 23:11:38,250 DEBUG
> [org.springframework.security.web.csrf.CsrfFilter] - <Invalid CSRF token
> found for https://cas_server/cas/webauthn/register>
> web_1  | 2023-05-11 23:11:38,250 DEBUG
> [org.springframework.security.web.access.AccessDeniedHandlerImpl] -
> <Responding with 403 status code>
>
> I'm not able to implement the workaround here (commenting out
> @PreAuthorize("isAuthenticated()") in WebAuthnController.java) as
> WebAuthnController.java no longer contains that line. It looks like Misagh
> changed how this works in a recent commit (
> https://github.com/apereo/cas/commit/b9233b0731004fdc85994539c67fe0cd0f01c2c3
> ).
>
> I've tried adding the cas.authn.mfa.web-authn.core.allowed-origins
> property (which the docs say defaults to the server name, so I'd think it
> wouldn't be necessary) and it still fails. My webauthn settings from
> cas.properties are:
>
> cas.authn.mfa.web-authn.core.application-id=https://mycasdomain.ca
> cas.authn.mfa.web-authn.core.relying-party-name=Graham CAS Dev
> cas.authn.mfa.web-authn.core.relying-party-id=mycasdomain.ca
> cas.authn.mfa.web-authn.core.display-name-attribute=displayName
> cas.authn.mfa.web-authn.core.allow-primary-authentication=true
> cas.authn.mfa.web-authn.core.allow-untrusted-attestation=true
> cas.authn.mfa.web-authn.core.trusted-device-enabled=true
> cas.authn.mfa.web-authn.crypto.encryption.key=xxx
> cas.authn.mfa.web-authn.crypto.signing.key=yyy
> cas.authn.mfa.web-authn.core.allowed-origins:https://mycasdomain.ca
>
> I'm not a Java developer so I'm a little out of my element in trying to
> see where the problem is. Any tips would be appreciated!
>
> Cheers,
> Graham.
>
>
> On Thursday, April 6, 2023 at 4:59:11 AM UTC-7 [email protected] wrote:
>
>
> Hi,
> I'm now able to register my webauthn device, to login, and trust my device.
>
> What I noticed is that the allowed-origins (device registering) property
> and application-id extension (connect) now seem mandatory to me (though they
> were not in 6.5.9).
> Without those two settings, I'm stuck.
>
>       web-authn:
>         core:
>           relying-party-id: mydomain.fr
>           relying-party-name: myrpname
>           allowed-origins: https://cas-dev.mydomain.fr
>           trusted-device-enabled: true
>           application-id: https://cas-dev.mydomain.fr/test
>
> First, I want to say that I thank you all for your precious advice!
> (@PreAuthorize("isAuthenticated()") + WebAuthnConfiguration.java trick)
> This won't go in production right now, because I wonder about the security
> impact when accessing the webauthn/register endpoint ... ?
>
> Regards,
> On Wednesday, 29 March 2023 at 16:15:00 UTC+2, John wrote:
>
> What does your cas.log state for the error? Are you using a valid SSL
> certificate, and does the CAS host name match what's in the config? Also, in
> 7.x/master you have to edit this,
>
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>
> with the below,
>
> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN +
> WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
>                 WebAuthnController.BASE_ENDPOINT_WEBAUTHN +
> WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>
> There's actually 2 bugs, maybe more. One is the PreAuthorize and the other
> is CSRF, related to Spring 6/Spring Boot 3, and possibly another bug. I fixed
> the CSRF issue and am still working through the other as time permits.
>
>
> On Wednesday, March 29, 2023 at 4:29:34 AM UTC-5 [email protected] wrote:
>
> Thank you, you saved me lots of time; actually I needed those two:
>     implementation "org.springframework.security:spring-security-config"
>     implementation "org.springframework.security:spring-security-web"
>
> But I still have a JS issue (JSON.parse) when registering my device:
>
> "Registration failed SyntaxError: JSON.parse: unexpected non-digit at line
> 1 column 2 of the JSON data" after the POST request on
> https://cas-xx.xxx.fr/cas/webauthn/register.
> (Chrome says the same: Registration failed SyntaxError: No number after
> minus sign in JSON at position 1.)
>
> The error is caught here :
> # register https://cas-xx.xxxxxx.fr/cas/js/webauthn/webauthn.js:477.
> # (Asynchrone : promise callback) / register
> https://cas-xx.xxxx.fr/cas/js/webauthn/webauthn.js:475
> #
> https://cas-xx.xxxxxx.fr/cas/login?service=https://node-cas-xxxxx.addomain.xxxxxxx.fr:9446/sample/&renew=true:390
> .
>
> (The webapp is an instance of cas-sample-java-webapp running on port 9446.)
>
> About JSON.Parse :
> https://xxxxcas/login?service=https://xxxxx:9446/sample/&renew=true at
> lines 386 and 390 : register(username, displayName, credentialNickname,
> csrfToken);
>
> In my browser debugger, the data seem present, as I can see them parsed by
> the function getRegisterRequest in webauthn.js line 327:
>
> arguments: Arguments
> 0: {…}
> authenticate: "webauthn/authenticate"
> register: "webauthn/register"
> <prototype>: {…}
> 1: "frederic.dussurget"
> 2: "Frederic Dussurget"
> 3: "wonderful_borg"
> 4: false
> callee:
> length: 5
> Symbol(Symbol.iterator):values()
> <get callee()>: ()
> <set callee()>: ()
> <prototype>: {…
> credentialNickname: "wonderful_borg"
> displayName: "Frederic Dussurget"
> requireResidentKey: false
> urls: {…}
> authenticate: "webauthn/authenticate"
> register: "webauthn/register"
> <prototype>: {…}
> username: "frederic.dussurget"
>
> If you guys have any idea...
> Regards,
> On Friday, 24 March 2023 at 04:57:51 UTC+1, John wrote:
>
> Spring Security and probably one or two of the webauthn ones; I don't remember
> at the moment without looking at local commit history, but here is everything
> from Gradle:
>
>
> /** Core **/
>     implementation "org.apereo.cas:cas-server-core-api-configuration-model"
>     implementation "org.apereo.cas:cas-server-core-api-mfa"
>     implementation "org.apereo.cas:cas-server-core-events-configuration"
>     implementation "org.apereo.cas:cas-server-core-notifications"
>     implementation "org.apereo.cas:cas-server-core-authentication"
>     implementation "org.apereo.cas:cas-server-core-authentication-api"
>     implementation "org.apereo.cas:cas-server-core-authentication-mfa-api"
>     implementation "org.apereo.cas:cas-server-core-util"
>     implementation "org.apereo.cas:cas-server-core-web-api"
>     implementation "org.apereo.cas:cas-server-core-webflow"
>     implementation "org.apereo.cas:cas-server-core-webflow-api"
>     implementation "org.apereo.cas:cas-server-core-webflow-mfa-api"
>     implementation "org.apereo.cas:cas-server-webapp"
>     implementation "org.apereo.cas:cas-server-webapp-init"
>     implementation "org.apereo.cas:cas-server-webapp-config"
>
>     /** Rest Plugins **/
>     implementation
> "org.apereo.cas:cas-server-support-configuration-cloud-rest"
>     implementation "org.apereo.cas:cas-server-support-rest-authentication"
>
>     /** LDAP Support **/
>     implementation "org.apereo.cas:cas-server-support-ldap"
>     implementation "org.apereo.cas:cas-server-support-pm-ldap"
>     implementation "org.apereo.cas:cas-server-support-pm-rest"
>
>     /** Database Support **/
>     implementation "org.apereo.cas:cas-server-support-jdbc"
>     implementation "org.apereo.cas:cas-server-support-jpa-util"
>     implementation "mysql:mysql-connector-java:${project.mysqlVerison}"
>     implementation
> "com.microsoft.sqlserver:mssql-jdbc:${project.mssqlVersion}"
>
>     /** Interrupt Support **/
>     implementation "org.apereo.cas:cas-server-support-interrupt-webflow"
>
>     /** Multifactor Auth **/
>     implementation "org.apereo.cas:cas-server-support-gauth"
>     implementation "org.apereo.cas:cas-server-support-gauth-ldap"
>     implementation "org.apereo.cas:cas-server-support-webauthn"
>     implementation "org.apereo.cas:cas-server-support-webauthn-ldap"
>     implementation "org.apereo.cas:cas-server-support-webauthn-core"
>     implementation
> "org.apereo.cas:cas-server-support-webauthn-core-webflow"
>     implementation "org.apereo.cas:cas-server-support-simple-mfa"
>     implementation "org.apereo.cas:cas-server-support-trusted-mfa"
>
>     /** Protocols **/
>     implementation "org.apereo.cas:cas-server-support-ws-idp"
>     implementation "org.apereo.cas:cas-server-support-saml-idp"
>     implementation "org.apereo.cas:cas-server-support-saml-sp-integrations"
>
>
>     /** Services **/
>     /** implementation
> "org.apereo.cas:cas-server-support-json-service-registry" **/
>     implementation
> "org.apereo.cas:cas-server-support-rest-service-registry"
>
>     implementation
> "org.springframework.security:spring-security-config:5.7.3"
>     implementation "commons-net:commons-net:${project.apacheNetCom}"
> On Thursday, March 23, 2023 at 2:51:11 PM UTC-5 [email protected] wrote:
>
> Hi, I've got quite the same issue: it works perfectly with CAS 6.5.9 but
> not on 6.6 nor on the master branch 7.x.
> On 6.6, after basic auth, a popup asks for the Yubikey PIN and then, when
> I press the register button, the flow breaks at POST
> https://xxxxxxx.xx/cas/webauthn/register/finish. (FF: err 400
> strict-origin-when-cross-origin)
>
> (The service app I use for my tests was the same when I went through every
> CAS version)
>
> The webAuthnDevices.access endpoint is AUTHENTICATED in my cas.yml just as
> you did
>
> here is my build.gradle webauthn section :
>    // MFA FIDO2 WEBAUTHN
>     implementation
> "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
>     implementation
> "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
>     implementation
> "org.apereo.cas:cas-server-support-webauthn-core:${project.'cas.version'}"
> (this one in order to comment out @PreAuthorize("isAuthenticated()") as
> you did in
> src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)
>
>     //MFA TRUSTED DEVICE
>     implementation
> "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
>     implementation
> "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"
>
> (John, what are the extra dependencies that you implement in your
> build.gradle cas overlay to be able to modify the
> src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java
> <https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437>
> ? Compilation breaks)
>
> Regards,
>
>
> On Thursday, 16 March 2023 at 04:25:47 UTC+1, John wrote:
>
> Circling back to this, it also fails on 7.x current and master. Same
> issue; I believe I have found the source, which is related to the CSRF
> token. It works by excluding /register from CSRF, adding it to the ignored
> endpoints on
>
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>
> with the below,
>
> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN +
> WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
>                 WebAuthnController.BASE_ENDPOINT_WEBAUTHN +
> WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>
>
>
>
>
> On Monday, February 6, 2023 at 9:53:31 PM UTC-6 John wrote:
>
> Since we don't use any of the actuators, all disabled except for whatever
> cas sets as default, I am leaving my change by commenting out
> @PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just
> going along finishing upgrade testing for us and will circle back to this
> later before we upgrade prod.
>
> However, I do see some changes made below. I haven't had time to test if
> they will resolve this issue yet; maybe it will be part of the next 7.x RC,
> but for now it's only in master. If I get some time I will switch to master
> and give it a go.
>
>
> https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java
>
>
> On Friday, February 3, 2023 at 7:11:44 AM UTC-6 [email protected] wrote:
>
> Yes, I have the same registration issue.
>
> I thought I had caused this error by meddling with the spring security
> settings, but it looks like that is not the case.
>
> However, after setting up spring security for the webAuthnDevices actuator
> like this
>
> spring.security.user.name=XXX
> spring.security.user.password=YYY
> cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED
>
> then registration starts to work, but requires HTTP basic authentication.
>
>
> This is spring security filter chain for /webauthn/register endpoint
> without any additional configuration:
>
> Security filter chain: [ ChannelProcessingFilter WebAsyncManagerIntegrationFilter CorsFilter CsrfFilter SecurityContextHolderAwareRequestFilter AnonymousAuthenticationFilter ExceptionTranslationFilter AuthorizationFilter ]
>
> And the chain with the spring security settings as above:
>
> Security filter chain: [ ChannelProcessingFilter WebAsyncManagerIntegrationFilter CorsFilter CsrfFilter BasicAuthenticationFilter SecurityContextHolderAwareRequestFilter AnonymousAuthenticationFilter ExceptionTranslationFilter AuthorizationFilter ]
>
> I would say that
>
>   1) setting the actuator access really influences the processing for
> registration endpoint (and it should not),
>
>   2) using PERMIT or ANONYMOUS is not enough to make it work, as perhaps
> it does not satisfy the  @PreAuthorize("isAuthenticated()") requirement
>
> I wonder how the registration endpoint should be authenticated; I guess it
> can not be left unprotected but I fail to see how to set it up.
>
> Regards,
>
> Michal V.
>
> On 1/31/23 16:14, John wrote:
>
> I have nothing configured or defined for endpoints or actuators besides
> what is default set by cas, we have never used those. I went back and
> configured according to
>
> management.endpoint.webAuthnDevices.enabled=true
> management.endpoints.web.exposure.include=*
> cas.monitor.endpoints.endpoint.webAuthnDevices.access=PERMIT
>
> even tried ANONYMOUS below, which makes all actuators work; I can even
> pull /cas/actuator/webAuthnDevices/username anonymously and get devices
> for the user. I don't think the endpoint webAuthnDevices controls the end
> user registration page as it falls under /webauthn/register and NOT
> /cas/actuator/webAuthnDevices
>
> cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
>
> Below is debug output,
>
> 2023-01-31 09:05:41,149 DEBUG
> [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the
> received exception
> [org.springframework.security.access.AccessDeniedException: Access is
> denied] due to a type mismatch with handler
> [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String,
> String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>
>
> And the browser POST response to /webauthn/register, base64-decoded, is
>
> --- !<java.util.LinkedHashMap>
> timestamp: "2023-01-31T15:05:41.161+00:00"
> status: 403
> error: "Forbidden"
> path: "/cas/webauthn/register"
>
>
> On Monday, January 30, 2023 at 11:16:42 PM UTC-6 [email protected] wrote:
>
> Hi,
>   have you, by any chance, configured spring security for the webauthn
> endpoint?
>
> Best regards,
>
> Michal Vocu
>
> On 1/26/23 19:03, John wrote:
>
> When trying to register a new device, the POST request to
> /webauthn/register is failing from spring security, access denied, http 403.
>
> Commenting out the below within
> (support/cas-server-support-webauthn-core/src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)
> got it working again,
>
> @PreAuthorize("isAuthenticated()")
>
> Looks like it was added in 6.4.x release, is anyone else not having a
> registration issue?
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ad6db18-8a87-41e9-8216-98f6c1fa8492n%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAKm8WbtFypSxqYGYH7AR_TrhoSwh8g%3D0-DE-nnXqnVFex8_79w%40mail.gmail.com.

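Three clues in this thread fit together: the DEBUG lines showing CsrfFilter rejecting the token and AccessDeniedHandlerImpl answering 403, the AccessDeniedException raised against WebAuthnController#startRegistration, and the client-side "JSON.parse: unexpected non-digit at line 1 column 2" / "No number after minus sign in JSON at position 1" errors. The base64-decoded 403 body John posted is a YAML document whose first character is "-", which is precisely the input on which JSON.parse produces those two messages, so the browser error is the server's 403 being parsed as if it were a ceremony response. The script below is an added triage example; it is not code from the CAS project or from anyone in this thread. It runs under Node.js 18 or later, the sample body and log lines are constructed from the values quoted above, and the function names and the shape of the result object are assumptions for illustration.

```javascript
// Added example, not code from the CAS project or from the thread's authors.
// Node.js 18+ triage helper for a failed POST to /webauthn/register.
// Sample inputs below are constructed from values quoted in the thread;
// function names and the result shape are assumptions for illustration.

// The 403 body quoted in the thread, once base64-decoded, is a YAML
// document rather than JSON. Its first character is "-", which is what makes
// JSON.parse report "No number after minus sign" (Chrome) or
// "unexpected non-digit at line 1 column 2" (Firefox).
const SAMPLE_YAML_403 = [
  "--- !<java.util.LinkedHashMap>",
  'timestamp: "2023-01-31T15:05:41.161+00:00"',
  "status: 403",
  'error: "Forbidden"',
  'path: "/cas/webauthn/register"',
].join("\n");

// Constructed: the same body as it would arrive base64-encoded.
const SAMPLE_BODY_B64 = Buffer.from(SAMPLE_YAML_403, "utf8").toString("base64");

// Constructed from the server DEBUG lines quoted in the thread (timestamps removed).
const SAMPLE_CSRF_LOG = [
  "[org.springframework.security.web.csrf.CsrfFilter] - <Invalid CSRF token found for https://cas_server/cas/webauthn/register>",
  "[org.springframework.security.web.access.AccessDeniedHandlerImpl] - <Responding with 403 status code>",
];
const SAMPLE_PREAUTHORIZE_LOG = [
  "[org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception [org.springframework.security.access.AccessDeniedException: Access is denied] due to a type mismatch with handler [org.apereo.cas.webauthn.web.WebAuthnController#startRegistration(String, String, String, boolean, String, HttpServletRequest, HttpServletResponse)]>",
];

function decodeBase64Body(b64) {
  return Buffer.from(b64, "base64").toString("utf8");
}

// True when a bare JSON.parse of the text throws a SyntaxError, i.e. what
// webauthn.js experiences when it parses the 403 body as a ceremony response.
function bareJsonParseFails(text) {
  try {
    JSON.parse(text);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Read the scalar "key: value" lines of a Spring Boot error document that
// came back as YAML. Quotes around values are stripped; "status" is numeric.
function parseYamlErrorDocument(text) {
  const doc = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^([A-Za-z_]+):\s*"?([^"]*)"?\s*$/.exec(line);
    if (m) doc[m[1]] = m[2];
  }
  if (doc.status !== undefined) doc.status = Number(doc.status);
  return doc;
}

// Check the status before parsing and, when the error body is not JSON, fall
// back to the YAML reader so the caller sees "403 Forbidden on
// /cas/webauthn/register" instead of a SyntaxError.
function parseRegistrationResponse(status, bodyText) {
  if (status >= 200 && status < 300) {
    return { ok: true, data: JSON.parse(bodyText) };
  }
  let error = "non-JSON error body";
  let path;
  try {
    const data = JSON.parse(bodyText);
    error = data.error ?? error;
    path = data.path;
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    const doc = parseYamlErrorDocument(bodyText);
    error = doc.error ?? error;
    path = doc.path;
  }
  return { ok: false, status, error, path };
}

// Map the server-side DEBUG lines to the two causes identified in the thread:
// the CsrfFilter rejecting the token, or method security on the controller.
function classifyServerLog(lines) {
  if (lines.some((l) => l.includes("CsrfFilter") && l.includes("Invalid CSRF token"))) {
    return "csrf-token-rejected";
  }
  if (lines.some((l) => l.includes("AccessDeniedException") && l.includes("WebAuthnController"))) {
    return "method-security-denied";
  }
  return "unknown";
}

function diagnose({ status, bodyBase64, serverLog = [] }) {
  const response = parseRegistrationResponse(status, decodeBase64Body(bodyBase64));
  return { ...response, cause: classifyServerLog(serverLog) };
}

// Stand-alone run: the raw JSON.parse failure first, then the triage result.
console.log("bare JSON.parse on the 403 body fails:", bareJsonParseFails(SAMPLE_YAML_403));
console.log(diagnose({ status: 403, bodyBase64: SAMPLE_BODY_B64, serverLog: SAMPLE_CSRF_LOG }));
```

Run it with node; the first line confirms that a bare JSON.parse on the decoded body throws, the second prints the 403, the "Forbidden" verdict, the path and the cause taken from the server log. The point for anyone maintaining a client like webauthn.js is that a 403 from CsrfFilter or from method security never reaches the ceremony at all: the body is Spring Boot's error document, and parsing it blindly hides the server's verdict behind a client-side SyntaxError.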