Unable to get 1Password to save passkeys for axum example #351
Comments
On webauthn.io, can you open "advanced" settings, and on discoverable credential select "discouraged" and try again? webauthn-rs does the right thing and sets this to discouraged trying to make rk/discoverable as opportunistic, but this might be tripping up 1password. If that causes webauthn.io to "fail" in the same way, then it's a bug in 1password's handling of discoverable credentials (they CAN and are allowed to make rk/discoverable even under discouraged). If that doesn't trigger the error, then it will be something else, likely that we are asking for credProtect. Either way I think you're right, it's a 1password error. |
Can you try this: https://webauthn.me/debugger ? You need to check "attestation: direct", "extensions" and "credentialProtectionPolicy: userVerificationRequired". do NOT check "enforce credential protection policy". Also check "authenticatorSelection" and "userVerification: required". |
Didn't know about https://webauthn.me/debugger, thanks for the heads up! Unfortunately I can't get 1password to even prompt me to save on https://webauthn.me/debugger, I tried with the settings you recommended and also just the default settings it starts with. On both safari and firefox, only the browser popup appears, not the 1password one. Even stranger still, I was using "1Password in the browser", but noticed there's also a "1Password in the browser _beta", and the release notes for a recent version of that include:
So I've now tested with the latest "1Password in the browser beta" and the popup also doesn't appear there! This does increase the probability this is a 1password issue... |
Honestly, I'm a bit stumped now too tbh. But I think you are correct, it's tending to a 1password problem. I'm just not sure what to look at next to help proceed this. I might need to setup 1password myself and try it locally. I won't get to it for a few days though sorry :( |
If you could test with 1Password that'd be great, but there's also no hurry, this is already a lot of quick feedback on an issue! In the meantime I've contacted 1password support and described both this issue and the issues with https://webauthn.me/debugger, so hopefully they have some input on what's happening 👍 |
Let me know their response from that :) |
So 1Password seem to have pretty good support! They found a regression with allowing webauthn requests from localhost and have fixed that, and also pushed a fix for https://webauthn.me/debugger on the nightly Chrome browser extension, so should arrive on Firefox too. They also mentioned a bug in this library, and gave the following details:
I tried eyeballing the code here and didn't get very far since my Rust skills are pretty weak, but maybe that means something to you? |
While investigating kanidm#351 I noticed that the `excludeCredentials` id's were still in base64url, which was failing validation in 1Password. Here I mirror the same modifications done to the `allowCredentials` list.
Hi @alexhumphreys and @Firstyear. As you mentioned, the fixes should be hitting the next beta, but you should be able to test using our nightly extension on Chrome. I pushed #361 to fix the issue with the id's not being converted in the JavaScript code. |
@Progdrasil thanks for getting back to us here! I just tried your PR with chrome and the nightly 1Password (and running the server with
Looking at the line that was added in the inspector, |
While investigating kanidm#351 I noticed that the `excludeCredentials` id's were still in base64url, which was failing validation in 1Password. Here I mirror the same modifications done to the `allowCredentials` list. This also adds an optional chaining to the `allowCredentials` list in the request options.
Doh 🤦. You're absolutely right. I just pushed an update to the PR using optional chaining. I also added it to the |
Nice one! With those changes on your PR I was able to successfully register/login with Chrome and nightly 1Password. Thank you! |
We should just fix the improperly converted id's on our end though. :) |
While investigating #351 I noticed that the `excludeCredentials` id's were still in base64url, which was failing validation in 1Password. Here I mirror the same modifications done to the `allowCredentials` list. This also adds an optional chaining to the `allowCredentials` list in the request options.
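The conversion this PR description refers to, sketched as an added example (not the project's own JavaScript and not code from the PR): every binary field the server serializes as base64url is decoded to bytes before the options reach `navigator.credentials.create()` or `.get()`, with optional chaining on the two credential lists. The helper names and sample values are constructed, and unpadded base64url input is assumed.

```javascript
// Added example; helper names are hypothetical, sample values are constructed.

// Decode unpadded base64url text into the bytes WebAuthn expects (BufferSource).
function b64urlToBytes(text) {
  const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
}

// Registration: prepare server JSON for navigator.credentials.create().
function decodeCreationOptions(options) {
  const pk = options.publicKey;
  pk.challenge = b64urlToBytes(pk.challenge);
  pk.user.id = b64urlToBytes(pk.user.id);
  // The list may be absent, so chain optionally instead of assuming an array.
  pk.excludeCredentials?.forEach((cred) => { cred.id = b64urlToBytes(cred.id); });
  return options;
}

// Authentication: prepare server JSON for navigator.credentials.get().
function decodeRequestOptions(options) {
  const pk = options.publicKey;
  pk.challenge = b64urlToBytes(pk.challenge);
  pk.allowCredentials?.forEach((cred) => { cred.id = b64urlToBytes(cred.id); });
  return options;
}

// Pre-flight check: list the descriptor ids that are still strings.
function undecodedIds(options) {
  const pk = options.publicKey;
  const lists = { excludeCredentials: pk.excludeCredentials, allowCredentials: pk.allowCredentials };
  return Object.entries(lists).flatMap(([name, list]) =>
    (list ?? []).flatMap((cred, i) => (typeof cred.id === "string" ? [`${name}[${i}].id`] : [])));
}

// Constructed registration options, shaped like the JSON a server might send.
function sampleCreationOptions() {
  return { publicKey: {
    challenge: "AQIDBA",
    user: { id: "dXNlcg", name: "foobar", displayName: "foobar" },
    excludeCredentials: [{ type: "public-key", id: "_-7d" }],
  } };
}

console.log(undecodedIds(sampleCreationOptions()));                        // before decoding
console.log(undecodedIds(decodeCreationOptions(sampleCreationOptions()))); // after decoding
```

Running `undecodedIds` in a test against the options object just before the API call catches a field that was missed, independent of how strictly a given authenticator or extension validates its input.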
I think with the PR that @Progdrasil made, we can close this. Thanks everyone! |
@alexhumphreys have you gotten this to work with firefox yet? I'm experiencing the same issue. It looks like the firefox extension is lagging over (edit: it's actually 3 months behind!) |
@wez We haven't released an updated version of webauthn with the fix, might be your issue here. We plan to do so soon for 0.5.0. |
I thought the only fixes here were in the javascript; I'm running with the js from the current main branch. It works in chrome with no issues. |
We ship wasm bindings as well which are part of this library and needed updates IIRC. |
The 1P folks are working on pushing an update; meanwhile I've confirmed that the beta version of the 1P extension works in FF. |
Cool, I think beside us finalising the next release this is done then. |
I did this
Then navigated to http://localhost:8080/ on firefox (`version 118.0 (64-bit)`) with the 1password extension installed. Entered `foobar` in the field and clicked `register`. 1password popup appears, I select a vault and click "save".
I also did the same thing on safari with the 1password extension installed there.
I expected the following
1password to save the passkey, as it does for example on https://webauthn.io/
What actually happened
In both safari and firefox I got the following error:
There's the error in the Firefox inspector console:
I `tail`ed the various logs in `~/Library/Group\ Containers/2BUA8C4S2C.com.1password/Library/Application\ Support/1Password/Data/logs` but did not see any interesting messages.
Version (and git commit)
840a6f5
Operating System / Version
MacOS Ventura 13.5.1 (22G90)
Firefox 118.0 (64-bit)
1Password for Mac 8.10.16 (81016047)
1Password in the browser 2.15.1
1Password for safari 2.15.1
Any other comments
I was able to successfully log in on Safari (using presumably the apple keychain) with the same server running, so it seems to be a 1Password issue.
Which of course could mean it's out of your hands and I need to open a ticket with them, but the fact that https://webauthn.io/ works suggests something may be up here.