I'm trying to register a fido2 device in Mailcow using Firefox 95.0.2. When trying to do so, the Registration Status field announces:

The operation is insecure.

I've managed to track the error down to this line:

return navigator.credentials.create(createCredentialArgs);

Where createCredentialArgs is:

{"publicKey":{"rp":{"name":"WebAuthn Library","id":"subdomain.domain.tld:port"},"authenticatorSelection":{"userVerification":"preferred","requireResidentKey":true},"user":{"id":"=?BINARY?B?YWRtaW4=?=","name":"admin","displayName":"admin"},"pubKeyCredParams":[{"type":"public-key","alg":-7},{"type":"public-key","alg":-257}],"attestation":"direct","extensions":{"exts":true},"timeout":30000,"challenge":"=?BINARY?B?AJpcm\/8fHdnFDt60yDig2j14XLKtQmJfvslXLPIFj0g=?=","excludeCredentials":[]}}

The server uses a custom CA certificate present on the Mailcow installation, the client's host and Firefox.

Any ideas on why?

CodePudding user response：

After doing some more testing with Edge (and discovering the "thisisunsafe" trick), I've discovered that WebAuthn isn't a big fan of ports. So, it didn't like: "id":"subdomain.domain.tld:port".

Replacing $_SERVER['SERVER_NAME'] where $_SERVER['HTTP_HOST'] when initializing the $WebAuthn Variable fixed the issue.

Basically navigator.credentials.create() doesn't accept ids with ports.