Google account login problems

[Jiří Bělohradský]

Hello,

I am developing a FIDO2 authenticator. It has no attestation at the moment. It works fine with various services including Facebook, Github etc. However I am facing problems when trying to use it with Google account. 

1) On Google, it seems that registering phase uses older U2F protocol (APDU), while authentication phase uses FIDO2 (CBOR). I don't know why, it's weird.

2) Registering works fine for me, but authentication fails. It seems that the problem is between browser (Firefox) and server (Google), because the first step passes:

And after clicking Next:

If you had any suggestion how to debug this, it would help me a lot.

Thank you!

Jiri

[Jiří Bělohradský]

I am sorry - images were not sent. 

Step 1:

https://www.dropbox.com/s/v07rf7eafguer98/step1.png?dl=0

Step 2:

https://www.dropbox.com/s/alopjg1x6t9w788/step2.png?dl=0

Dne pondělí 7. prosince 2020 v 10:45:22 UTC+1 uživatel Jiří Bělohradský napsal:

[Nguyen Van Cuong]

Your Authenticator must implement U2F/CTAP1 to use login on Google account.

https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#u2f-interoperability

[Evgeniy P]

I have absolutely the same problem but not understand how the solution proposed by Nguyen Van Cuong solve problem? My authentificator  implements U2F/CTAP1 for both registering and authentication, but nevertheless problem remains.

Jir, do you solve the problem?

Thanks for attention.

Evgeniy

четверг, 10 декабря 2020 г. в 05:24:13 UTC+3, Nguyen Van Cuong:

[Jiří Bělohradský]

Hi Evgeniy,

I've finally found the solution. You have to reject all CBOR requests with CTAP2_ERR_NO_CREDENTIALS. This is because the credential originally came from CTAP1 registration. You also have to reject all incorrect combination of credentialID - rpIdHash with SW_WRONG_DATA on the authenticate command. When I had done those two steps, Google login has started to work fine.

Hope it will work for you as well.

Jiri

čt 25. 2. 2021 v 12:32 odesílatel Evgeniy P <elvis.p...@gmail.com> napsal:

[nuno sung]

Some information you may want to know about this.

https://github.com/Safari-FIDO-U2F/Safari-FIDO-U2F/issues/24#issuecomment-443923894
https://bugs.webkit.org/show_bug.cgi?id=202427

belohrad...@gmail.com 在 2021年2月26日 星期五上午3:15:38 [UTC+8] 的信中寫道：

[Evgeniy P]

Hi Jiri,

Thank you very much for response, but to speak briefly, in my case first part of your propose don't work.

I can see the sequence of commands from Client to Authenticator and first command after Select Application is CBOR request authenticatorGetInfo (0x04). My application responses in CBOR structure with versions = "U2F_V2" that means I support CTAP1/U2F.

Next command from Client to Authenticator comes in U2F format according FIDO U2F protocol (APDU with U2F_REGISTER or U2F_AUTHENTICATE) and my application responses according protocol.

Last command is Deselect in CBOR format.

If my application reject first CBOR request with CTAP2_ERR_NO_CREDENTIALS, next command from Webauthn Client is Deselect Application. I can't do registration in this case. Maybe I don't clearly understand what you means?

With regards, Evgeniy

четверг, 25 февраля 2021 г. в 22:15:38 UTC+3, belohrad...@gmail.com: