web-authn and Account Profile Management


Frédéric Dussurget

Sep 11, 2024, 10:21:46 AM
to CAS Community
Hi,

Context: version=7.2.0-SNAPSHOT

Extract of build.gradle:
    //MFA TOTP
    implementation "org.apereo.cas:cas-server-support-gauth"
    implementation "org.apereo.cas:cas-server-support-gauth-redis"

    // MFA FIDO2 WEBAUTHN
    implementation "org.apereo.cas:cas-server-support-webauthn"
    implementation "org.apereo.cas:cas-server-support-webauthn-redis"

    //MFA TRUSTED DEVICE
    implementation "org.apereo.cas:cas-server-support-trusted-mfa"
    implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis"

My issue:
I have an issue with Account Profile Management (/cas/login page), but only with webauthn devices (mfa-gauth devices work fine):

- with build.gradle containing only web-authn dependencies, I'm able to register a webauthn device through account profile management, but I get a 500 error message at the very end of the ceremony:
Error: jakarta.servlet.ServletException: Request processing failed: org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewRegistrationWebAuthn' of flow 'account'

BUT, the webauthn device is registered and fully functional.

- with build.gradle containing web-authn AND mfa-gauth dependencies, I cannot get the webauthn device registration ceremony: every time, I end up on the mfa-gauth device registration ceremony. So the only way to register mfa-webauthn devices is on the fly, by accessing a service directly.

Regards,

P Assenger

Nov 27, 2024, 8:59:25 PM
to CAS Community, Frédéric Dussurget
Hi,
We encounter the same issue under v7.1.2, with only the web-authn dependencies: while the new device is registered, an error occurs at the interface.

In CAS logs, the error is as you described it: Exception thrown in state 'viewRegistrationWebAuthn' of flow 'account'. Albeit with this added message: no 'saveRegistration' state in flow 'account'.

The culprit code seems to be in "support/cas-server-support-webauthn-core-webflow/src/main/java/org/apereo/cas/webauthn/web/flow/account/WebAuthnMultifactorAccountProfileWebflowConfigurer.java". BTW, this class does not seem to have a TestCase.

Harsh to be blocked on such a problem :(.

P.

P Assenger

Dec 5, 2024, 9:19:01 AM
to CAS Community, P Assenger, Frédéric Dussurget
Two PRs should correct the issue with webauthn device registration. I do not know if the crossover with mfa-gauth is also corrected, as I wanted to get webauthn registration working for POC purposes only.

Note that, for now, the two PRs are rejected as there is no test associated with them:

The modification is trivial, so the patch should be easy to apply to other revisions.

Regards,

P.

Frédéric Dussurget

Dec 5, 2024, 9:49:23 AM
to CAS Community, P Assenger, Frédéric Dussurget
Thanks a lot for that! I hope someone will fix it with your fix.
Until now, I had to register my webauthn devices for testing by directly accessing a service protected by webauthn.
Regards,

Frédéric Dussurget

Apr 10, 2025, 10:21:38 AM
to CAS Community, Frédéric Dussurget, P Assenger
Hi,
Your fix seems to have been included in the latest 7.2; I can now register webauthn devices through the account profile management BUT, I still cannot register webauthn devices if I have multiple MFA providers (in my CAS, webauthn and gauth).
Regards,

Here are my logs when I try to register a webauthn device with both MFA providers:

Browser console:
Request:
_csrf: "pPOlLr91F7EsX5z[... blahblahblah ...]w_XI-nzfe9
type: "webauthn"
_eventId_register: "Register"
execution: 537c7786-8f9b-4a65[...blahblahblah...]pZWlhOVUyOFo2TjVn

Server logs:
2025-04-10 14:37:51,113 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Digested original ticket id [TGT-3-****************x0K3OY0-mycasserver] to [404b8927b61268... blahblahblah ...88ae3265ccee]>
2025-04-10 14:37:51,114 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Ticket passed is not an encoded ticket: [TicketGrantingTicketImpl], no decoding is necessary.>
2025-04-10 14:37:51,116 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@61f603b6]>
2025-04-10 14:37:51,130 DEBUG [org.apereo.cas.otp.web.flow.OneTimeTokenAccountCreateRegistrationAction] - <Registration key URI is [otpauth://totp/Gauth:frederic.dussurget?secret=****************]>
2025-04-10 14:37:51,422 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Digested original ticket id [TGT-1-****************Bi4ogU4- mycasserver ] to [837caa4f9326 ... blahblahblblah ... 3e9314859c5af98bc4721]>


... and when I'm trying to do the same thing with only the webauthn MFA provider (flushed gauth from everywhere: build.gradle, services, cas.yml):

2025-04-10 15:02:06,834 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Digested original ticket id [TGT-5-****************1a-b1g4- mycasserver ] to [f8ee5dd65ddda53fc60d50acf8 ... blajblahblah ... e47a09b39c1c38]>
2025-04-10 15:02:06,835 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Ticket passed is not an encoded ticket: [TicketGrantingTicketImpl], no decoding is necessary.>
2025-04-10 15:02:06,838 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@5c09bcba]>
2025-04-10 15:02:06,861 DEBUG [org.apereo.cas.webauthn.web.flow.WebAuthnStartRegistrationAction] - <Starting registration sequence for [SimplePrincipal(id=frederic.dussurget, attributes=

Marcin Roman

Jun 7, 2025, 9:36:50 AM
to CAS Community, Frédéric Dussurget, P Assenger

I have the same problem. After successfully registering a security key, the following error is thrown when
CasFeatureModule.AccountManagement.enabled=true

Caused by: java.lang.IllegalArgumentException: Cannot find state with id 'saveRegistration' in flow 'account' -- Known state ids are 'array<String>['myAccountProfile', 'updateSecurityQuestions', 'passwordChangeRequest', 'redirectToPasswordReset', 'ticketGrantingTicketCheck', 'redirectToLogin', 'removeSingleSignOnSession', 'casBrowserStorageReadView', 'oidcRevokeAccessToken', 'deleteMfaDevice', 'deleteMultifactorTrustedDevice', 'viewRegistrationWebAuthn']'

I have tested it on 7.2.3 and 7.3.0-RC2.

Also, there is this problem with registering webauthn when gauth is enabled. However, I have given up on gauth and I'm going to use credentials login + mfa-simple combined with webauthn login without user credentials.
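
The error quoted above is the signature of a webflow configurer wiring a transition to a state that was never added to the flow. As an added illustration (not CAS or Spring Webflow code), the following constructed flow model reproduces that failure against the known state ids of flow 'account' printed in the message, and shows the check a unit test for such a configurer could perform; the 'submit' and 'success' event names are assumptions.

```python
"""Consistency check for a webflow definition: every transition must name a
source and a target state that exist in the flow. The flow model below is a
constructed illustration of the 'saveRegistration' failure, not CAS's own API."""
from dataclasses import dataclass, field


@dataclass
class Flow:
    flow_id: str
    states: set = field(default_factory=set)
    # each transition is (source_state, event, target_state)
    transitions: list = field(default_factory=list)

    def add_state(self, state_id: str) -> None:
        self.states.add(state_id)

    def add_transition(self, source: str, event: str, target: str) -> None:
        self.transitions.append((source, event, target))


def dangling_transitions(flow: Flow) -> list:
    """Return transitions whose source or target state is not defined in the flow.
    A non-empty result is what surfaces at runtime as 'Cannot find state with id'."""
    return [t for t in flow.transitions
            if t[0] not in flow.states or t[2] not in flow.states]


# Known state ids of flow 'account', as listed in the error message above.
ACCOUNT_STATES = {
    "myAccountProfile", "updateSecurityQuestions", "passwordChangeRequest",
    "redirectToPasswordReset", "ticketGrantingTicketCheck", "redirectToLogin",
    "removeSingleSignOnSession", "casBrowserStorageReadView", "oidcRevokeAccessToken",
    "deleteMfaDevice", "deleteMultifactorTrustedDevice", "viewRegistrationWebAuthn",
}


def build_account_flow(register_save_state: bool) -> Flow:
    """Model the webauthn configurer: the registration view transitions to
    'saveRegistration' (constructed event name 'submit'). Only when
    register_save_state is True is that state actually created."""
    flow = Flow("account", set(ACCOUNT_STATES))
    flow.add_transition("viewRegistrationWebAuthn", "submit", "saveRegistration")
    if register_save_state:
        flow.add_state("saveRegistration")
        flow.add_transition("saveRegistration", "success", "myAccountProfile")
    return flow


if __name__ == "__main__":
    print("broken :", dangling_transitions(build_account_flow(False)))
    print("fixed  :", dangling_transitions(build_account_flow(True)))
```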

Marcin Roman

Jun 20, 2025, 2:37:53 AM
to CAS Community, Marcin Roman, Frédéric Dussurget, P Assenger
Both problems are now resolved in 7.2.x snapshots ;)