fix (fido2): Failed to register Fido2 key #57

Open
MohitMaliFtechiz opened this issue May 18, 2023 · 2 comments

MohitMaliFtechiz commented May 18, 2023

Describe the issue

Failed to register Fido2 key

Steps To Reproduce

Steps to reproduce the behavior:

  1. Go to configuration
  2. Click on Person Authentication Script
  3. Enable Fido2 script
  4. Go to Manage Authentication.
  5. Change default authentication method to fido2.
  6. Try to authn a user via fido2 script.

Expected behavior

The user must be registered and authenticated with fido2.

Actual behavior

The user failed to register with fido2.

Screenshots

Screenshot (86)

Desktop (please complete the following information):

  • OS: Rhel8
  • Gluu version 4.5.1
  • Browser chrome, Brave

Additional context

oxauth_script log

2023-05-18 05:55:55,212 TRACE [qtp915416632-18] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:305) - Executing python 'getPageForStep' authenticator method
2023-05-18 05:55:55,212 TRACE [qtp915416632-18] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:309) - Executed python 'getPageForStep' authenticator method, result: /auth/fido2/step1.xhtml
2023-05-18 05:55:55,219 TRACE [qtp915416632-18] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:416) - Validating acr_values: 'fido2'
2023-05-18 05:55:55,219 DEBUG [qtp915416632-18] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:161) - Executing python 'isValidAuthenticationMethod' authenticator method
2023-05-18 05:55:55,219 DEBUG [qtp915416632-18] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:165) - Executed python 'isValidAuthenticationMethod' authenticator method, result: true
2023-05-18 05:55:55,219 TRACE [qtp915416632-18] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:273) - Executing python 'prepareForStep' authenticator method
2023-05-18 05:55:55,219 TRACE [qtp915416632-18] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:277) - Executed python 'prepareForStep' authenticator method, result: true
2023-05-18 05:55:55,219 TRACE [qtp915416632-18] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:289) - Executing python 'getExtraParametersForStep' authenticator method
2023-05-18 05:55:55,219 TRACE [qtp915416632-18] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:293) - Executed python 'getExtraParametersForStep' authenticator method, result: [platformAuthenticatorAvailable]
2023-05-18 05:56:07,553 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:209) - Executing python 'authenticate' authenticator method
2023-05-18 05:56:07,554 INFO [qtp915416632-14] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:244) - Fido2. Authenticate for step 1
2023-05-18 05:56:07,591 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:213) - Executed python 'authenticate' authenticator method, result: true
2023-05-18 05:56:07,591 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:321) - Executing python 'getApiVersion' authenticator method
2023-05-18 05:56:07,591 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:324) - Executed python 'getApiVersion' authenticator method, result: 11
2023-05-18 05:56:07,591 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:225) - Executing python 'getNextStep' authenticator method
2023-05-18 05:56:07,591 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:229) - Executed python 'getNextStep' authenticator method, result: -1
2023-05-18 05:56:07,591 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:289) - Executing python 'getExtraParametersForStep' authenticator method
2023-05-18 05:56:07,591 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:293) - Executed python 'getExtraParametersForStep' authenticator method, result: [platformAuthenticatorAvailable]
2023-05-18 05:56:07,592 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:193) - Executing python 'getCountAuthenticationSteps' authenticator method
2023-05-18 05:56:07,592 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:197) - Executed python 'getCountAuthenticationSteps' authenticator method, result: 2
2023-05-18 05:56:07,592 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:305) - Executing python 'getPageForStep' authenticator method
2023-05-18 05:56:07,592 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:309) - Executed python 'getPageForStep' authenticator method, result: /auth/fido2/secKeys.xhtml
2023-05-18 05:56:07,592 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:289) - Executing python 'getExtraParametersForStep' authenticator method
2023-05-18 05:56:07,592 TRACE [qtp915416632-14] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:293) - Executed python 'getExtraParametersForStep' authenticator method, result: [platformAuthenticatorAvailable]
2023-05-18 05:56:07,906 TRACE [qtp915416632-15] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:416) - Validating acr_values: 'fido2'
2023-05-18 05:56:07,906 DEBUG [qtp915416632-15] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:161) - Executing python 'isValidAuthenticationMethod' authenticator method
2023-05-18 05:56:07,906 DEBUG [qtp915416632-15] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:165) - Executed python 'isValidAuthenticationMethod' authenticator method, result: true
2023-05-18 05:56:07,906 TRACE [qtp915416632-15] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:273) - Executing python 'prepareForStep' authenticator method
2023-05-18 05:56:07,906 INFO [qtp915416632-15] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:244) - Fido2. Prepare for step 2
2023-05-18 05:56:07,914 INFO [qtp915416632-15] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:244) - Fido2. Prepare for step 2. Call Fido2 endpoint in order to start attestation flow
2023-05-18 05:56:07,916 INFO [qtp915416632-15] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:244) - false
2023-05-18 05:56:07,916 INFO [qtp915416632-15] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:244) - basic_json {'attestation': 'direct', 'displayName': u'admin', 'username': u'admin'}
2023-05-18 05:56:07,937 INFO [qtp915416632-15] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:244) - Fido2. Prepare for step 2. Successfully start flow with next requests.
2023-05-18 05:56:07,937 INFO [qtp915416632-15] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:244) - fido2_assertion_request: 'None'
2023-05-18 05:56:07,937 INFO [qtp915416632-15] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:244) - fido2_attestation_request: '{"attestation":"direct","authenticatorSelection":{"authenticatorAttachment":"cross-platform","requireResidentKey":false,"userVerification":"preferred"},"challenge":"QSTaSgj2luoMIplHmvWCN4mF6pqBC1LXPTdXt4Ln7xo","pubKeyCredParams":[{"type":"public-key","alg":-257},{"type":"public-key","alg":-7}],"rp":{"name":"https://MohitMaliFtechiz-stable-ram.gluu.info","id":"MohitMaliFtechiz-stable-ram.gluu.info"},"user":{"id":"ln337hAP20hnTxxP8Un8hL6hG_eNCiYxJ6WhLku-PV0","name":"admin","displayName":"admin"},"excludeCredentials":[]}'
2023-05-18 05:56:07,937 TRACE [qtp915416632-15] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:277) - Executed python 'prepareForStep' authenticator method, result: true
2023-05-18 05:56:07,937 TRACE [qtp915416632-15] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:289) - Executing python 'getExtraParametersForStep' authenticator method
2023-05-18 05:56:07,937 TRACE [qtp915416632-15] [org.gluu.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:293) - Executed python 'getExtraParametersForStep' authenticator method, result: [platformAuthenticatorAvailable]

@MohitMaliFtechiz MohitMaliFtechiz changed the title fix fix (fido2): Failed to register Fido2 key May 18, 2023
Author

MohitMaliFtechiz commented Jun 1, 2023

@maduvena I tried with a signed cert; I am able to register the user but failing to re-authenticate the user.

oxauth_log

06:58:23,692 DEBUG [qtp2131670196-17] [org.gluu.oxauth.service.common.UserService] (UserService.java:81) - Getting user information from LDAP: userId = admin
2023-05-31 06:58:23,695 DEBUG [qtp2131670196-17] [org.gluu.oxauth.service.common.UserService] (UserService.java:96) - Found 1 entries for user id = admin
2023-05-31 06:58:23,725 DEBUG [qtp2131670196-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:332) - Authentication result for user 'admin'. auth_step: '2', result: 'false', credentials: '1427807653'
2023-05-31 06:58:23,725 TRACE [qtp2131670196-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:339) - #########################################################################
2023-05-31 06:58:23,725 TRACE [qtp2131670196-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:340) - ++++++++++++++++++++++++++++++++++++++++++CURRENT ACR:fido2
2023-05-31 06:58:23,725 TRACE [qtp2131670196-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:341) - ++++++++++++++++++++++++++++++++++++++++++CURRENT STEP:2
2023-05-31 06:58:23,725 TRACE [qtp2131670196-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:344) - According to API version script supports steps overriding
2023-05-31 06:58:23,726 DEBUG [qtp2131670196-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:347) - Get next step from script: '-1'
2023-05-31 06:58:23,733 TRACE [qtp2131670196-17] [org.gluu.service.BaseCacheService] (BaseCacheService.java:84) - Put data, key 'oxId=6ba7b0fb-b8e2-4e90-aefd-ec0e81bd6a7e,ou=sessions,o=gluu': 'SessionId {dn='oxId=6ba7b0fb-b8e2-4e90-aefd-ec0e81bd6a7e,ou=sessions,o=gluu', id='6ba7b0fb-b8e2-4e90-aefd-ec0e81bd6a7e', outsideSid='ec836aeb-9abf-4f07-9cb0-a976caa7fd50', lastUsedAt=Wed May 31 06:58:23 UTC 2023, userDn='null', authenticationTime=Wed May 31 06:57:57 UTC 2023, state=unauthenticated, expirationDate=Wed May 31 08:57:57 UTC 2023, sessionState='2f7488f8213ee465d37bd65785cdc9f8adc64e546d1421ad20a852b1f7cb5795.d57b152e-cee4-45a2-a2fa-f158585981dc', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=SessionIdAccessMap{permissionGranted={1001.b16799e4-4180-41c3-9148-b4fd098706d9=false}}, sessionAttributes={auth_step=2, acr=fido2, remote_ip=27.123.249.236, auth_external_attributes=[{"platformAuthenticatorAvailable":"java.lang.String"}], opbs=7cdd1d32-0222-4bc6-9b48-7d86bfd2a7cd, scope=openid profile email user_name, acr_values=fido2, response_type=code, redirect_uri=https://test.gluu.org/identity/authcode.htm, state=387d2c66-e677-4d06-9099-288475c7fa37, nonce=bb1150cb-2df9-476f-834e-85346eff145e, client_id=1001.b16799e4-4180-41c3-9148-b4fd098706d9, auth_user=admin, platformAuthenticatorAvailable=false, auth_step_passed_1=true}, persisted=true}'
2023-05-31 06:58:23,733 INFO [qtp2131670196-17] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:226) - Authentication failed for 'null'
2023-05-31 06:58:23,734 TRACE [qtp2131670196-17] [org.gluu.oxauth.service.CookieService] (CookieService.java:155) - Found cookie: 'https://test.gluu.org/identity/authcode.htm'
2023-05-31 06:58:23,734 DEBUG [qtp2131670196-17] [org.gluu.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:72) - Looking for the error with id: login_required
2023-05-31 06:58:23,734 DEBUG [qtp2131670196-17] [org.gluu.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:77) - Found error, id: login_required
2023-05-31 06:58:23,735 DEBUG [qtp2131670196-17] [org.gluu.oxauth.service.ErrorHandlerService] (ErrorHandlerService.java:90) - Redirect to https://test.gluu.org/identity/authcode.htm?error_description=The+Authorization+Server+requires+End-User+authentication.+This+error+MAY+be+returned+when+the+prompt+parameter+in+the+Authorization+Request+is+set+to+none+to+request+that+the+Authorization+Server+should+not+display+any+user+interfaces+to+the+End-User%2C+but+the+Authorization+Request+cannot+be+completed+without+displaying+a+user+interface+for+user+authentication.&hint=Create+authorization+request+to+start+new+authentication+session.&error=login_required
2023-05-31 06:58:26,055 DEBUG [oxAuthScheduler_Worker-5] [org.gluu.service.timer.RequestJobListener] (RequestJobListener.java:53) - Bound request started

Collaborator

maduvena commented Jun 9, 2023

image
