Problem with webauthn in 7.2.0


Marcin Roman

Apr 4, 2025, 6:32:19 AM
to CAS Community
I have the following error while registering webauthn device:

cas-1            |
WARN [org.apereo.cas.util.function.FunctionUtils] org.jooq.lambda.UncheckedException: org.jose4j.lang.JoseException: A JWS Compact Serialization must have exactly 3 parts separated by period ('.') characters
cas-1            |      AbstractCipherExecutor.java:verifySignature:188
cas-1            |      BaseStringCipherExecutor.java:lambda$verifyAndDecrypt$4:275
cas-1            |      FunctionUtils.java:lambda$doIf$3:110
cas-1            |      BaseStringCipherExecutor.java:verifyAndDecrypt:276
cas-1            |  
cas-1            | ERROR [com.yubico.core.WebAuthnServer] Finishing registration failed with: [{"requestId":"RrsDjYZ_0OdXVZVHrc6vlzi9PY5LgHl24FLzQNMvipA","credential":{"type":"public-key","id":"z1eGOqoRqmHhygGUE1kyCA","response":{"attestationObject":"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUuf0Jy6JrTSc3v_jT6n5lXcyyjI5N15H48XYSQgQYslJZAAAAAOqbjWZNAR0hPOS2tIy1ddQAEM9XhjqqEaph4coBlBNZMgilAQIDJiABIVgg9nQz46BdHSLuhytk05Yhu7N60cInFW2JgTdPcOm_h5EiWCChwxUO3OiZ8YNengMO8tpi6ghHggZ5x87lxxKO9ws2HA","clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiV1B4c281d25NYS00WWhtYXBxcTRFNDMyV0NwYWZwRXg5Z2ZCMGlCc3BQdyIsIm9yaWdpbiI6Imh0dHBzOi8vbG9naW4udW1jcy5wbCIsImNyb3NzT3JpZ2luIjpmYWxzZX0"},"clientExtensionResults":{"credProps":{"rk":true}}},"sessionToken":"mBzKQBz_dw1WGUV9aKNO3nCwdS3BfF-QYqgTEW6pM30"}]
cas-1            | org.apereo.cas.util.crypto.DecryptionException: null
cas-1            |      at org.apereo.cas.util.EncodingUtils.decryptJwtValue(EncodingUtils.java:480) ~[cas-server-core-util-api-7.2.1-SNAPSHOT.jar:7.2.1-SNAPSHOT]

cas.authn.mfa.web-authn.core.application-id=https://login.umcs.pl
cas.authn.mfa.web-authn.core.allowed-origins=https://login.umcs.pl
cas.authn.mfa.web-authn.core.relying-party-id=login.umcs.pl
cas.authn.mfa.web-authn.core.relying-party-name=Uniwersytet Marii Curie-Skłodowskiej
cas.authn.mfa.web-authn.core.display-name-attribute=sAMAccountName
cas.authn.mfa.web-authn.core.allow-untrusted-attestation=true
cas.authn.mfa.web-authn.core.qr-code-authentication-enabled=true
cas.authn.mfa.web-authn.core.expire-devices=99
cas.authn.mfa.web-authn.core.trusted-device-enabled=true
cas.authn.mfa.web-authn.core.multiple-device-registration-enabled=true

I have also deleted keystore.jwks when upgrading to 7.2.

Do you have any idea what's wrong?

Frédéric Dussurget

Apr 8, 2025, 6:18:54 AM
to CAS Community, Marcin Roman
Hi Marcin,
I can register webauthn devices when I'm directly accessing a webauthn-protected service with all the conf you'll find below (hope it will help).
You might be able to register your webauthn device on the fly by directly accessing a webauthn-protected service with the conf below, but my CAS version is 7.2.0-RC6 and not 7.2.1-SNAPSHOT ... maybe this has to do with your issue? ... And, in my context, webauthn db support is redis.

This said, please note that I still cannot register a webauthn device from the "palantir" account profile management ( https://apereo.github.io/cas/7.0.x/registration/Account-Management-Overview.html ) because it always falls back to my other MFA method, which is totp gauth, and the Account Profile Management tries to make me register gauth devices even if I click on "FIDO2 Webauthn" registration. There is a topic (and rejected PRs) about this which may interest you: https://groups.google.com/a/apereo.org/g/cas-user/c/bYz_05OmPbI/m/lt-Gu7G2AwAJ

Regards,

build.gradle deps:
    // MFA FIDO2 WEBAUTHN
    implementation "org.apereo.cas:cas-server-support-webauthn"
    implementation "org.apereo.cas:cas-server-support-webauthn-redis"

    //MFA TRUSTED DEVICE
    implementation "org.apereo.cas:cas-server-support-trusted-mfa"
    implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis"


cas.yml conf file:

      web-authn:
        core:
          relying-party-id: myuniv.com
          relying-party-name: Myuniv
          allowed-origins: https://mycaserver.myuniv.com
          trusted-device-enabled: true
          application-id: https://www.myuniv.com
          multiple-device-registration-enabled: true
          expire-devices-time-unit: days
          expire-devices: 1
        crypto:
          encryption:
            key: blahblahblah
          signing:
            key: blahblahblah
        redis: *REDIS_SETTINGS

      trusted:
        core:
          auto-assign-device-name: true
          device-registration-enabled: true
          authentication-context-attribute: isFromTrustedMultifactorAuthentication
        redis: *REDIS_SETTINGS
        crypto:
          enabled: true
          signing:
            key: blahblahblah
          encryption:
            key: blahblahblah
        device-fingerprint:
          cookie:
            enabled: true
            max-age: 32400
            crypto:
              enabled: true
              signing:
                key: blahblahblah
              encryption:
                key: blahblahblah

Marcin Roman

Jun 7, 2025, 5:52:12 AM
to CAS Community, Frédéric Dussurget, Marcin Roman
Thanks, it works well.
My problem turned out to be garbage in the webauthn records in ldap.
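A way to locate the kind of stale record that caused this, added here as an example and not code from CAS or from anyone in this thread: the stack trace in the first post goes through BaseStringCipherExecutor.verifyAndDecrypt, so CAS expects each stored value to be a signed (JWS) wrapper around the encrypted payload, i.e. exactly three '.'-separated base64url parts, which is what the jose4j "must have exactly 3 parts" error is complaining about. This Python scans an exported set of LDAP entries and lists the rows whose value does not have that shape; the attribute name casWebAuthnRecord and the sample entries are constructed placeholders, and it checks shape only, not signatures.

```python
import base64
import re
from typing import Dict, List, Tuple

_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")  # unpadded base64url, as in JOSE compact forms


def _b64url_decodes(segment: str) -> bool:
    """True if segment is non-empty base64url that decodes cleanly."""
    if not segment or not _B64URL.match(segment):
        return False
    try:
        base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def jws_shape_problem(value: str) -> str:
    """'' if value is JWS-shaped (header.payload.signature), else the reason. Shape only, no signature check."""
    parts = value.split(".")
    if len(parts) != 3:
        return f"expected 3 '.'-separated parts, found {len(parts)}"
    for idx, part in enumerate(parts):
        if not _b64url_decodes(part):
            return f"part {idx} is not base64url"
    return ""


def find_bad_records(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Scan {dn: {attribute: value}} and return (dn, attribute, reason) for bad rows."""
    return [(dn, attr, reason)
            for dn, attrs in entries.items()
            for attr, value in attrs.items()
            if (reason := jws_shape_problem(value))]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed LDAP export; 'casWebAuthnRecord' is a placeholder attribute name.
SAMPLE_ENTRIES = {
    # well-formed encrypt-then-sign record: JWS header . encrypted payload . signature
    "uid=alice,ou=people,dc=example,dc=org": {"casWebAuthnRecord": ".".join(
        [_b64url(b'{"alg":"HS512"}'), _b64url(b"ciphertext"), _b64url(b"\x00" * 64)])},
    # plaintext JSON left over from before the upgrade
    "uid=bob,ou=people,dc=example,dc=org": {"casWebAuthnRecord": '{"username":"bob","credentialId":"z1eGOqoR"}'},
    # empty attribute left behind by a failed registration
    "uid=carol,ou=people,dc=example,dc=org": {"casWebAuthnRecord": ""},
}
```

Running find_bad_records over a real export flags only the entries CAS would refuse to decrypt; a record that passes this shape check but still fails in CAS points at a key mismatch (for instance a regenerated keystore.jwks) rather than corrupt data.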
