I'm trying to register a FIDO2 device in Mailcow using Firefox 95.0.2. When trying to do so, the Registration Status field announces:

```
The operation is insecure.
```
I've managed to track the error down to this line:

```javascript
return navigator.credentials.create(createCredentialArgs);
```

where `createCredentialArgs` is:

```json
{"publicKey":{"rp":{"name":"WebAuthn Library","id":"subdomain.domain.tld:port"},"authenticatorSelection":{"userVerification":"preferred","requireResidentKey":true},"user":{"id":"=?BINARY?B?YWRtaW4=?=","name":"admin","displayName":"admin"},"pubKeyCredParams":[{"type":"public-key","alg":-7},{"type":"public-key","alg":-257}],"attestation":"direct","extensions":{"exts":true},"timeout":30000,"challenge":"=?BINARY?B?AJpcm\/8fHdnFDt60yDig2j14XLKtQmJfvslXLPIFj0g=?=","excludeCredentials":[]}}
```
The server uses a custom CA certificate that is present on the Mailcow installation, on the client's host and in Firefox.
Any ideas on why?
CodePudding user response:
After doing some more testing with Edge (and discovering the "thisisunsafe" trick), I've discovered that WebAuthn isn't a big fan of ports.
So, it didn't like `"id":"subdomain.domain.tld:port"`.
Replacing `$_SERVER['SERVER_NAME']` where `$_SERVER['HTTP_HOST']` was, when initializing the `$WebAuthn` variable, fixed the issue.
Basically navigator.credentials.create() doesn't accept ids with ports.
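The rp.id constraint the answer ran into, as an added JavaScript example that is not code from the question, the answer or Mailcow: it strips the port when deriving rp.id from a Host-style value and mirrors the checks a browser applies to rp.id before `navigator.credentials.create()` proceeds. `rpIdFromHost` and `checkRpId` are hypothetical helper names.

```javascript
// Derive a usable rp.id from a Host-style value ("host" or "host:port"):
// WebAuthn rp.id is a bare domain, so any ":port" suffix must go.
function rpIdFromHost(host) {
  // A bracketed IPv6 literal can never be an rp.id, so reject it outright.
  if (host.startsWith('[')) {
    throw new Error('rp.id must be a domain, not an IP literal');
  }
  const idx = host.indexOf(':');
  return (idx === -1 ? host : host.slice(0, idx)).toLowerCase();
}

// Returns null when rpId is acceptable for the page origin, otherwise a
// reason string. Browsers surface such failures as "The operation is
// insecure" without saying which rule was violated.
function checkRpId(origin, rpId) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return 'origin is not a valid URL';
  }
  const isLocalhost = url.hostname === 'localhost';
  if (url.protocol !== 'https:' && !isLocalhost) {
    return 'WebAuthn requires a secure context (https:)';
  }
  if (/[:\/?#@\s]/.test(rpId)) {
    return 'rp.id must be a bare domain: no scheme, port, path or whitespace';
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(rpId)) {
    return 'rp.id must not be an IP address';
  }
  // rp.id must equal the origin's host or be a parent domain of it.
  const host = url.hostname;
  if (rpId === host || host.endsWith('.' + rpId)) {
    return null;
  }
  return `rp.id "${rpId}" is neither the origin host "${host}" nor a parent domain of it`;
}
```

Browsers additionally reject an rp.id that is a public suffix (such as `co.uk`); that check needs the Public Suffix List and is left out here.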