I'm trying to register a FIDO2 device in Mailcow using Firefox 95.0.2. When trying to do so, the Registration Status field announces:

The operation is insecure.

I've managed to track the error down to this line:

return navigator.credentials.create(createCredentialArgs);

Where createCredentialArgs is:

{
  "publicKey": {
    "rp": {
      "name": "WebAuthn Library",
      "id": "subdomain.domain.tld:port"
    },
    "authenticatorSelection": {
      "userVerification": "preferred",
      "requireResidentKey": true
    },
    "user": {
      "id": "=?BINARY?B?YWRtaW4=?=",
      "name": "admin",
      "displayName": "admin"
    },
    "pubKeyCredParams": [
      { "type": "public-key", "alg": -7 },
      { "type": "public-key", "alg": -257 }
    ],
    "attestation": "direct",
    "extensions": { "exts": true },
    "timeout": 30000,
    "challenge": "=?BINARY?B?AJpcm\/8fHdnFDt60yDig2j14XLKtQmJfvslXLPIFj0g=?=",
    "excludeCredentials": []
  }
}

The server uses a custom CA certificate that is present on the Mailcow installation, on the client's host, and in Firefox.

Any ideas on why?

JeffLee

1 Answer

After doing some more testing with Edge (and discovering the "thisisunsafe" trick), I've discovered that WebAuthn isn't a big fan of ports. So, it didn't like: "id":"subdomain.domain.tld:port".

Using $_SERVER['SERVER_NAME'] where $_SERVER['HTTP_HOST'] was used when initializing the $WebAuthn variable fixed the issue.

Basically, navigator.credentials.create() doesn't accept ids with ports.

JeffLee
    Correct. The rpId is the effective domain. No IP address, no port, no scheme, no path, no TLD. It is explained here: https://www.w3.org/TR/webauthn-2/#relying-party-identifier – Spomky-Labs Dec 27 '21 at 11:50
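The failure above is the browser enforcing the rules the comment lists: before navigator.credentials.create() talks to an authenticator, the rpId in publicKey.rp.id must be the origin's effective domain (or a registrable-domain suffix of it), with no scheme, port, path or IP literal; anything else is rejected with a SecurityError, which Firefox renders as "The operation is insecure." The block below is an added example, not code from the original post or from the Mailcow project. It derives a usable rpId from a Host header value (what $_SERVER['HTTP_HOST'] carries, host plus optional port), runs the same checks the browser will apply so that a bad rpId is caught on the page with a clear message, and then assembles the create() options from the question with the corrected id. The page origin, the hostname helper, rpIdProblem() and buildCreateOptions() are all assumptions introduced for illustration; the registrable-domain rule is approximated (no Public Suffix List lookup), so a bare label such as "tld" is refused but unusual multi-label public suffixes are not detected.

```javascript
// Added example (not Mailcow's code): derive and validate a WebAuthn rpId
// before handing it to navigator.credentials.create(). Assumed helpers.

// Strip an optional port (and trailing dot) from a Host header value.
// Handles bracketed IPv6 such as "[::1]:8443".
function hostnameFromHostHeader(hostHeader) {
  const value = hostHeader.trim();
  if (value.startsWith("[")) {
    const end = value.indexOf("]");
    return end === -1 ? value.toLowerCase() : value.slice(1, end).toLowerCase();
  }
  const colon = value.lastIndexOf(":");
  const host = colon === -1 ? value : value.slice(0, colon);
  return host.replace(/\.$/, "").toLowerCase();
}

// IPv4 dotted quad or anything containing ":" (IPv6) is an IP literal.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// Returns null when rpId is acceptable for the given page origin, otherwise a
// reason string. Mirrors the browser-side checks: no scheme, no path, no port,
// no IP literal, not a bare TLD (approximation of "registrable domain"), and
// equal to the origin's hostname or a dot-separated suffix of it.
function rpIdProblem(rpId, origin) {
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(rpId)) return "rpId must not carry a scheme";
  if (/[/?#]/.test(rpId)) return "rpId must not carry a path, query or fragment";
  if (rpId.includes(":")) return "rpId must not carry a port (or be an IPv6 literal)";
  if (isIpLiteral(rpId)) return "rpId must be a domain name, not an IP address";
  if (!rpId.includes(".")) return "rpId must be a registrable domain, not a bare TLD";
  const originHost = new URL(origin).hostname.toLowerCase();
  if (originHost !== rpId && !originHost.endsWith("." + rpId)) {
    return "rpId is neither the origin's effective domain nor a suffix of it";
  }
  return null;
}

// Build the PublicKeyCredentialCreationOptions from the question with a valid
// rp.id. challengeBytes and userIdBytes must be BufferSources (Uint8Array here);
// the "=?BINARY?B?...?=" strings in the post are a debug serialization of bytes.
function buildCreateOptions(hostHeader, origin, challengeBytes, userIdBytes) {
  const rpId = hostnameFromHostHeader(hostHeader);
  const problem = rpIdProblem(rpId, origin);
  if (problem) throw new Error(`refusing to register: ${problem} (rpId="${rpId}")`);
  return {
    publicKey: {
      rp: { name: "WebAuthn Library", id: rpId },
      user: { id: userIdBytes, name: "admin", displayName: "admin" },
      challenge: challengeBytes,
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: { userVerification: "preferred", requireResidentKey: true },
      attestation: "direct",
      timeout: 30000,
      excludeCredentials: [],
    },
  };
}

// In the browser the call site would be:
//   navigator.credentials.create(buildCreateOptions(location.host, location.origin, challenge, userId))
// Constructed sample input (assumed values, port 8443 stands in for ":port" from the post):
const sampleOrigin = "https://subdomain.domain.tld:8443";
const sampleChallenge = new Uint8Array(32); // real code: random bytes from the server
const sampleUserId = new Uint8Array([0x61, 0x64, 0x6d, 0x69, 0x6e]); // "admin"
const sampleOptions = buildCreateOptions("subdomain.domain.tld:8443", sampleOrigin, sampleChallenge, sampleUserId);
```

The same idea applies server-side: whatever value Mailcow (or any PHP relying party) feeds into rp.id has to be the bare hostname, so a Host header with a port has to be stripped before it is used, and validating it against the page origin before calling create() turns the opaque "The operation is insecure." into a message that names the offending rpId.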