Hi Marcin,

I can register webauthn devices when I'm directly accessing a webauthn protected service with all the conf you'll find below (hope it will help).

You might be able to register your webauthn device on the fly by directly accessing a webauthn protected service with this conf below, but my CAS version is 7.2.0-RC6 and not 7.2.1-SNAPSHOT... maybe this has to do with your issue? And, in my context, webauthn db support is redis.

That said, please note that I still cannot register a webauthn device from the "palantir" account profile management (https://apereo.github.io/cas/7.0.x/registration/Account-Management-Overview.html) because it always falls back to my other MFA method, which is totp gauth, and the Account Profile Management tries to make me register gauth devices even if I click on "FIDO2 Webauthn" registration.

There is a topic (and rejected PRs) about this which may interest you: https://groups.google.com/a/apereo.org/g/cas-user/c/bYz_05OmPbI/m/lt-Gu7G2AwAJ

Regards,

build.gradle deps:

    // MFA FIDO2 WEBAUTHN
    implementation "org.apereo.cas:cas-server-support-webauthn"
    implementation "org.apereo.cas:cas-server-support-webauthn-redis"
    // MFA TRUSTED DEVICE
    implementation "org.apereo.cas:cas-server-support-trusted-mfa"
    implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis"

cas.yml conf file:

    web-authn:
      core:
        relying-party-id: myuniv.com
        relying-party-name: Myuniv
        allowed-origins: https://mycaserver.myuniv.com
        trusted-device-enabled: true
        application-id: https://www.myuniv.com
        multiple-device-registration-enabled: true
        expire-devices-time-unit: days
        expire-devices: 1
      crypto:
        encryption:
          key: blahblahblah
        signing:
          key: blahblahblah
      redis: *REDIS_SETTINGS
    trusted:
      core:
        auto-assign-device-name: true
        device-registration-enabled: true
        authentication-context-attribute: isFromTrustedMultifactorAuthentication
      redis: *REDIS_SETTINGS
      crypto:
        enabled: true
        signing:
          key: blahblahblah
        encryption:
          key: blahblahblah
      device-fingerprint:
        cookie:
          enabled: true
          max-age: 32400
          crypto:
            enabled: true
            signing:
              key: blahblahblah
            encryption:
              key: blahblahblah

On Friday, April 4, 2025 at 12:32:19 UTC+2, Marcin Roman wrote:

I have the following error while registering webauthn device:

    cas-1 | WARN [org.apereo.cas.util.function.FunctionUtils] org.jooq.lambda.UncheckedException: org.jose4j.lang.JoseException: A JWS Compact Serialization must have exactly 3 parts separated by period ('.') characters
    cas-1 | AbstractCipherExecutor.java:verifySignature:188
    cas-1 | BaseStringCipherExecutor.java:lambda$verifyAndDecrypt$4:275
    cas-1 | FunctionUtils.java:lambda$doIf$3:110
    cas-1 | BaseStringCipherExecutor.java:verifyAndDecrypt:276
    cas-1 |
    cas-1 | ERROR [com.yubico.core.WebAuthnServer] Finishing registration failed with: [{"requestId":"RrsDjYZ_0OdXVZVHrc6vlzi9PY5LgHl24FLzQNMvipA","credential":{"type":"public-key","id":"z1eGOqoRqmHhygGUE1kyCA","response":{"attestationObject":"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUuf0Jy6JrTSc3v_jT6n5lXcyyjI5N15H48XYSQgQYslJZAAAAAOqbjWZNAR0hPOS2tIy1ddQAEM9XhjqqEaph4coBlBNZMgilAQIDJiABIVgg9nQz46BdHSLuhytk05Yhu7N60cInFW2JgTdPcOm_h5EiWCChwxUO3OiZ8YNengMO8tpi6ghHggZ5x87lxxKO9ws2HA","clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiV1B4c281d25NYS00WWhtYXBxcTRFNDMyV0NwYWZwRXg5Z2ZCMGlCc3BQdyIsIm9yaWdpbiI6Imh0dHBzOi8vbG9naW4udW1jcy5wbCIsImNyb3NzT3JpZ2luIjpmYWxzZX0"},"clientExtensionResults":{"credProps":{"rk":true}}},"sessionToken":"mBzKQBz_dw1WGUV9aKNO3nCwdS3BfF-QYqgTEW6pM30"}]
    cas-1 | org.apereo.cas.util.crypto.DecryptionException: null
    cas-1 | at org.apereo.cas.util.EncodingUtils.decryptJwtValue(EncodingUtils.java:480) ~[cas-server-core-util-api-7.2.1-SNAPSHOT.jar:7.2.1-SNAPSHOT]

    cas.authn.mfa.web-authn.core.application-id=https://login.umcs.pl
    cas.authn.mfa.web-authn.core.allowed-origins=https://login.umcs.pl
    cas.authn.mfa.web-authn.core.relying-party-id=login.umcs.pl
    cas.authn.mfa.web-authn.core.relying-party-name=Uniwersytet Marii Curie-Skłodowskiej
    cas.authn.mfa.web-authn.core.display-name-attribute=sAMAccountName
    cas.authn.mfa.web-authn.core.allow-untrusted-attestation=true
    cas.authn.mfa.web-authn.core.qr-code-authentication-enabled=true
    cas.authn.mfa.web-authn.core.expire-devices=99
    cas.authn.mfa.web-authn.core.trusted-device-enabled=true
    cas.authn.mfa.web-authn.core.multiple-device-registration-enabled=true

I have also deleted keystore.jwks when upgrading to 7.2.
Do you have any idea what's wrong?