mfa-webauthn broken since last week. CAS 7.1.0

Frédéric Dussurget

Apr 18, 2024, 5:56:56 AM
to CAS Community
Hi,
We cannot register devices anymore with mfa-webauthn since last week.
It works with a clone of cas-overlay-template from April 11th but not with today's clone (April 18th). Same dependencies and same cas.properties directives. Master CAS 7 branch.

When trying to register a new device, I have this message on the login:

JSON.parse: unexpected non-digit at line 1 column 2 of the JSON data

In the Firefox debugger:

XHR POST
https://mycasdev.mywonderfuluniv.fr/cas/webauthn/register
[HTTP/1.1 200  63ms]

Registration failed DOMException: CredentialContainer request is not allowed.
    createCredential https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
    executeRegisterRequest https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
    executeRequest https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:444
    performCeremony https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:400
    promise callback*performCeremony https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:386
    register https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:434
    <anonymous> https://mycasdev.mywonderfuluniv.fr/cas/login:373
webauthn.js:474:21
Uncaught (in promise) DOMException: CredentialContainer request is not allowed.
    createCredential https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
    executeRegisterRequest https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
    executeRequest https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:444
    performCeremony https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:400
    promise callback*performCeremony https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:386
    register https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:434
    <anonymous> https://mycasdev.mywonderfuluniv.fr/cas/login:373


If I try to reuse a device that had already been registered, I have this error in the Firefox debugger with today's build:

XHR POST
https://mycasdev.mywonderfuluniv.fr/cas/webauthn/authenticate
[HTTP/1.1 403  131ms]

Authentication failed SyntaxError: JSON.parse: unexpected non-digit at line 1 column 2 of the JSON data webauthn.js:570:17
    authenticate https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:570
    (Asynchrone : promise callback)
    authenticate https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:561
    <anonyme> https://mycasdev.mywonderfuluniv.fr/cas/login:356
Uncaught (in promise) SyntaxError: JSON.parse: unexpected non-digit at line 1 column 2 of the JSON data

Regards,



Frédéric Dussurget

Apr 23, 2024, 11:54:03 PM
to CAS Community, Frédéric Dussurget
Hi,
Some additional info: the base64-decoded response is:

--- !<java.util.LinkedHashMap>
timestamp: "2024-04-23T14:14:08.165+00:00"
status: 403
error: "Forbidden"
message: "Forbidden"
path: "/cas/webauthn/register"

Frédéric Dussurget

Apr 25, 2024, 1:14:16 AM
to CAS Community, Frédéric Dussurget
Some more info, with the Spring web logs:

2024-04-23 16:46:27,232 DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing POST /error>
2024-04-23 16:46:27,232 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] - <Request: filter invocation [POST /error]; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]>
2024-04-23 16:46:27,233 DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured POST /error>
2024-04-23 16:46:27,234 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <"FORWARD" dispatch for POST "/cas/error", parameters={masked}>
2024-04-23 16:46:27,234 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - <Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)>
2024-04-23 16:46:27,244 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Using 'application/vnd.cas.services+yaml', given [*/*] and supported [application/vnd.cas.services+yaml, application/json, application/*+json, application/cbor, application/xml;charset=UTF-8, text/xml;charset=UTF-8, application/*+xml;charset=UTF-8]>
2024-04-23 16:46:27,244 DEBUG [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor] - <Writing [{timestamp=Tue Apr 23 16:46:27 CEST 2024, status=403, error=Forbidden, message=Forbidden, path=/cas/ (truncated)...]>
2024-04-23 16:46:27,273 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Exiting from "FORWARD" dispatch, status 403>
2024-04-23 16:46:27,273 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
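
Added example (not CAS's webauthn.js, and not code from this thread): the `JSON.parse` error in the first message is what Firefox reports when the YAML 403 body quoted above, which starts with `---`, is handed to the JSON parser. The sketch checks status and Content-Type before parsing so the 403 is reported as a 403; `decodeCeremonyResponse`, `postCeremony` and the sample objects are hypothetical names and constructed data.

```javascript
// Constructed samples: the YAML 403 body quoted in the thread, and a JSON 200.
const SAMPLE_403 = {
  status: 403,
  contentType: "application/vnd.cas.services+yaml",
  body: '--- !<java.util.LinkedHashMap>\nstatus: 403\nerror: "Forbidden"\n',
};
const SAMPLE_200 = {
  status: 200,
  contentType: "application/json;charset=UTF-8",
  body: '{"requestId":"constructed-id"}',
};

// True for application/json and suffix types such as application/x+json.
function isJsonMediaType(contentType) {
  const type = String(contentType || "").split(";")[0].trim().toLowerCase();
  return type === "application/json" || /^application\/[a-z0-9.-]+\+json$/.test(type);
}

// Decide what a ceremony response is before any JSON.parse call.
function decodeCeremonyResponse({ status, contentType, body }) {
  if (status < 200 || status > 299) {
    // Surface the HTTP failure itself; never hand an error page to the parser.
    return { ok: false, reason: "http-status", status, detail: body.split("\n")[0] };
  }
  if (!isJsonMediaType(contentType)) {
    return { ok: false, reason: "not-json", status, detail: String(contentType) };
  }
  try {
    return { ok: true, status, data: JSON.parse(body) };
  } catch (err) {
    return { ok: false, reason: "malformed-json", status, detail: err.message };
  }
}

// Hypothetical wrapper: asks for JSON explicitly and routes through the check.
async function postCeremony(url, body, fetchImpl = fetch) {
  const res = await fetchImpl(url, {
    method: "POST",
    body,
    credentials: "same-origin",
    headers: { Accept: "application/json" },
  });
  return decodeCeremonyResponse({
    status: res.status,
    contentType: res.headers.get("content-type"),
    body: await res.text(),
  });
}
```

With this shape the console shows `http-status 403` for the register and authenticate calls instead of a parser error, which points straight at the server-side rejection.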

Jérôme LELEU

Apr 25, 2024, 2:45:52 AM
to cas-...@apereo.org, Frédéric Dussurget
Hi,

This is due to my change here: https://github.com/apereo/cas/pull/6015

Though, this should be fixed in the latest 7.1.0-SNAPSHOT.

Thanks.
Best regards,
Jérôme



Frédéric Dussurget

Apr 25, 2024, 7:08:58 AM
to CAS Community, Jérôme LELEU, Frédéric Dussurget
Hi,
Thank you very much, Jérôme, that's very good news :) Be sure I'll keep you posted.
Have a good day!

Frédéric Dussurget

May 23, 2024, 11:55:40 AM
to CAS Community, Frédéric Dussurget, Jérôme LELEU
Hi Jerome, just to confirm that mfa-webauthn device registering is working fine now, thanks again.