FIDO 2.0 Server - Conformance Tests - "Credential ID doesn't exists"


Gastón Axel Lacuesta

Dec 17, 2021, 3:55:31 PM
to FIDO Dev (fido-dev)
Hello everyone,

I was wondering if I can get some guidance with a problem running /assertion tests that I'm facing right now during FIDO 2.0 Server certification. I'm using WebAuthn.go (https://github.com/duo-labs/webauthn) as a dependency.

For /assertion/options (GetAssertion Request), the conformance tool asks for the Credential.ID to be base64URL (without padding). The only way to be compliant with that test is to strip characters (+, /, -, _, and =) from the ID. Is this a correct approach? The ID is generated by the WebAuthn.go dependency we are using. With that change the test runs just fine.

Then, I'm facing a problem with /assertion/options (GetAssertion Response), in which the conformance tool only sends the first step to register the credential and our Server responds OK. The tool takes the response and returns this error: "Error: the string "Error while getting assertion: Error: Credential with ID \"JCd7EmC8GAqk16Nty9tTUvviVCtckIlmIq31mWi3b4U\" does not exist!" was thrown, throw an Error :)"

I don't understand why attestation/options works just fine and then in assertion/result it fails.

Thanks in advance,
Gastón


Gastón Axel Lacuesta

Dec 17, 2021, 6:24:56 PM
to FIDO Dev (fido-dev), Gastón Axel Lacuesta
Update: after debugging and trying to understand the issue, I think it is related to the character stripping mentioned above. The problem is that, if it is not done, the test fails. Here is a screenshot showing that the Credential.ID expected in assertion/options has the forbidden characters (like _):
this.userDB CredentialID.jpg

Any guidance would be appreciated.

Thanks in advance,
Gastón

Ackermann Yuriy

Dec 21, 2021, 12:25:04 AM
to Gastón Axel Lacuesta, FIDO Dev (fido-dev)
Yes. This is because fido2 uses strictly base64URL encoding. Please check that your code uses strictly base64url.

--
Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand

Gastón Axel Lacuesta

Dec 21, 2021, 10:22:37 AM
to FIDO Dev (fido-dev), Ackermann Yuriy, FIDO Dev (fido-dev), Gastón Axel Lacuesta

Thanks for the answer Yuriy, it was helpful, already solved my issue.

I was using pkg.go.dev/encoding/base64 URLEncoding at first, which leaves padding at the end; I had to change it to RawURLEncoding to solve that. Then, I had a problem in my adapter (written in Java) in which I had to replace the \\+ and / characters with - and _ respectively.
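
The encoding mismatch discussed in this thread, as an added example that is not part of the original posts and is not WebAuthn.go's own code: it encodes one credential ID with Go's standard, URL-safe padded and URL-safe unpadded encoders, and shows that deleting the special characters yields a different ID while translating them does not. The ID bytes are constructed, and `sampleID`, `DecodeCredentialID`, `StripSpecials` and `SameCredential` are hypothetical names.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
)

// sampleID is a constructed 32-byte credential ID (not taken from the thread),
// chosen so its standard base64 form contains '+', '/' and '=' padding.
var sampleID = append([]byte{0xfb, 0xff, 0xbe}, bytes.Repeat([]byte{0x5a}, 29)...)

// EncodeCredentialID returns the unpadded base64url form used on the wire.
func EncodeCredentialID(id []byte) string {
	return base64.RawURLEncoding.EncodeToString(id)
}

// DecodeCredentialID (hypothetical helper) maps the standard alphabet onto the
// URL-safe one and drops padding, so every variant decodes to the same bytes.
func DecodeCredentialID(s string) ([]byte, error) {
	s = strings.NewReplacer("+", "-", "/", "_").Replace(s)
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "="))
}

// StripSpecials reproduces the workaround from the first post: deleting the
// characters instead of translating them, which changes the encoded value.
func StripSpecials(s string) string {
	return strings.NewReplacer("+", "", "/", "", "-", "", "_", "", "=", "").Replace(s)
}

// SameCredential reports whether two encoded IDs decode to identical bytes.
func SameCredential(a, b string) bool {
	x, errA := DecodeCredentialID(a)
	y, errB := DecodeCredentialID(b)
	return errA == nil && errB == nil && bytes.Equal(x, y)
}

func main() {
	wire := EncodeCredentialID(sampleID)
	for name, s := range map[string]string{
		"StdEncoding":    base64.StdEncoding.EncodeToString(sampleID),
		"URLEncoding":    base64.URLEncoding.EncodeToString(sampleID),
		"RawURLEncoding": wire,
		"stripped":       StripSpecials(wire),
	} {
		fmt.Printf("%-14s %-44s same credential: %v\n", name, s, SameCredential(s, wire))
	}
}
```

Comparing stored and presented credential IDs as decoded bytes, and encoding with `RawURLEncoding` only when writing the response, keeps the lookup independent of which variant an intermediate component produced.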