Thanks, it works well. My problem turned out to be garbage in the webauthn records in LDAP.
On Tuesday, April 8, 2025 at 12:18:54 PM UTC+2 Frédéric Dussurget wrote:

> Hi Marcin,
>
> I can register webauthn devices when I'm directly accessing a webauthn protected service with all the conf you'll find below (hope it will help). You might be able to register your webauthn device on the fly, directly accessing a webauthn protected service with this conf below, but my CAS version is 7.2.0-RC6 and not 7.2.1-SNAPSHOT ... maybe this has to do with your issue? ... And, in my context, webauthn db support is redis.
>
> This said, please notice that I still cannot register a webauthn device from the "palantir" account profile management (https://apereo.github.io/cas/7.0.x/registration/Account-Management-Overview.html) because it always falls back to my other MFA method, which is totp gauth, and the Account Profile Management is trying to make me register gauth devices even if I click on "FIDO2 Webauthn" registration. There is a topic (and rejected PRs) about this which may interest you: https://groups.google.com/a/apereo.org/g/cas-user/c/bYz_05OmPbI/m/lt-Gu7G2AwAJ
>
> Regards,
>
> build.gradle deps :
>
>     // MFA FIDO2 WEBAUTHN
>     implementation "org.apereo.cas:cas-server-support-webauthn"
>     implementation "org.apereo.cas:cas-server-support-webauthn-redis"
>     // MFA TRUSTED DEVICE
>     implementation "org.apereo.cas:cas-server-support-trusted-mfa"
>     implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis"
>
> cas.yml conf file :
>
>     web-authn:
>       core:
>         relying-party-id: myuniv.com
>         relying-party-name: Myuniv
>         allowed-origins: https://mycaserver.myuniv.com
>         trusted-device-enabled: true
>         application-id: https://www.myuniv.com
>         multiple-device-registration-enabled: true
>         expire-devices-time-unit: days
>         expire-devices: 1
>       crypto:
>         encryption:
>           key: blahblahblah
>         signing:
>           key: blahblahblah
>       redis: *REDIS_SETTINGS
>     trusted:
>       core:
>         auto-assign-device-name: true
>         device-registration-enabled: true
>         authentication-context-attribute: isFromTrustedMultifactorAuthentication
>       redis: *REDIS_SETTINGS
>       crypto:
>         enabled: true
>         signing:
>           key: blahblahblah
>         encryption:
>           key: blahblahblah
>       device-fingerprint:
>         cookie:
>           enabled: true
>           max-age: 32400
>           crypto:
>             enabled: true
>             signing:
>               key: blahblahblah
>             encryption:
>               key: blahblahblah
>
> On Friday, April 4, 2025 at 12:32:19 PM UTC+2, Marcin Roman wrote:
>
> > I have the following error while registering a webauthn device:
> >
> >     cas-1 | WARN [org.apereo.cas.util.function.FunctionUtils] org.jooq.lambda.UncheckedException: org.jose4j.lang.JoseException: A JWS Compact Serialization must have exactly 3 parts separated by period ('.') characters
> >     cas-1 | AbstractCipherExecutor.java:verifySignature:188
> >     cas-1 | BaseStringCipherExecutor.java:lambda$verifyAndDecrypt$4:275
> >     cas-1 | FunctionUtils.java:lambda$doIf$3:110
> >     cas-1 | BaseStringCipherExecutor.java:verifyAndDecrypt:276
> >     cas-1 |
> >     cas-1 | ERROR [com.yubico.core.WebAuthnServer] Finishing registration failed with: [{"requestId":"RrsDjYZ_0OdXVZVHrc6vlzi9PY5LgHl24FLzQNMvipA","credential":{"type":"public-key","id":"z1eGOqoRqmHhygGUE1kyCA","response":{"attestationObject":"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUuf0Jy6JrTSc3v_jT6n5lXcyyjI5N15H48XYSQgQYslJZAAAAAOqbjWZNAR0hPOS2tIy1ddQAEM9XhjqqEaph4coBlBNZMgilAQIDJiABIVgg9nQz46BdHSLuhytk05Yhu7N60cInFW2JgTdPcOm_h5EiWCChwxUO3OiZ8YNengMO8tpi6ghHggZ5x87lxxKO9ws2HA","clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiV1B4c281d25NYS00WWhtYXBxcTRFNDMyV0NwYWZwRXg5Z2ZCMGlCc3BQdyIsIm9yaWdpbiI6Imh0dHBzOi8vbG9naW4udW1jcy5wbCIsImNyb3NzT3JpZ2luIjpmYWxzZX0"},"clientExtensionResults":{"credProps":{"rk":true}}},"sessionToken":"mBzKQBz_dw1WGUV9aKNO3nCwdS3BfF-QYqgTEW6pM30"}]
> >     cas-1 | org.apereo.cas.util.crypto.DecryptionException: null
> >     cas-1 | at org.apereo.cas.util.EncodingUtils.decryptJwtValue(EncodingUtils.java:480) ~[cas-server-core-util-api-7.2.1-SNAPSHOT.jar:7.2.1-SNAPSHOT]
> >
> >     cas.authn.mfa.web-authn.core.application-id=https://login.umcs.pl
> >     cas.authn.mfa.web-authn.core.allowed-origins=https://login.umcs.pl
> >     cas.authn.mfa.web-authn.core.relying-party-id=login.umcs.pl
> >     cas.authn.mfa.web-authn.core.relying-party-name=Uniwersytet Marii Curie-Skłodowskiej
> >     cas.authn.mfa.web-authn.core.display-name-attribute=sAMAccountName
> >     cas.authn.mfa.web-authn.core.allow-untrusted-attestation=true
> >     cas.authn.mfa.web-authn.core.qr-code-authentication-enabled=true
> >     cas.authn.mfa.web-authn.core.expire-devices=99
> >     cas.authn.mfa.web-authn.core.trusted-device-enabled=true
> >     cas.authn.mfa.web-authn.core.multiple-device-registration-enabled=true
> >
> > I have also deleted keystore.jwks when upgrading to 7.2.
> >
> > Do you have any idea what's wrong?

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e9191af7-a1db-4860-828c-5c403814a83en%40apereo.org.
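A structural check for the stored records, as an added example that is not part of this thread and not CAS or jose4j code: the jose4j message quoted above ("must have exactly 3 parts separated by period") is raised when a stored value is not a three-part JWS compact serialization at all, so a record store (LDAP here, Redis in Frédéric's setup) that has picked up garbage fails before any signature is ever verified. Running the same structural test over an export of the record values, plus a sanity check that the first part is a JSON header with an "alg" claim, turns "something in the store is bad" into a worklist of specific entries to clean up. The record ids, attribute layout and values below are constructed for the example; only the first entry is a well-formed JWS.

```python
import base64
import json

# Constructed sample of what an export of stored WebAuthn records might look
# like: record id -> stored value. The ids and values are made up for this
# example; only the first entry is a well-formed JWS.
SAMPLE_RECORDS = {
    "user1/dev1": "eyJhbGciOiJIUzI1NiJ9.e30.abc",  # header.payload.signature
    "user2/dev1": "not-a-jws",                       # no dots at all
    "user3/dev1": "",                                # empty attribute value
    "user4/dev1": "bm90anNvbg.e30.abc",              # header decodes to "notjson"
    "user5/dev1": "e30.e30.abc",                     # header {} carries no "alg"
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jws_compact(value) -> str:
    """Return "ok" if value looks like a JWS compact serialization (three
    base64url parts, JSON header carrying "alg"), otherwise a short reason.
    The three-part test is the same one jose4j applies before verifying a
    signature, so a value failing here will never verify or decrypt."""
    if not isinstance(value, str) or value == "":
        return "empty"
    parts = value.split(".")
    if len(parts) != 3:
        return f"expected 3 dot-separated parts, found {len(parts)}"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueError
        return "header is not base64url-encoded JSON"
    if not isinstance(header, dict) or "alg" not in header:
        return "header lacks an 'alg' claim"
    if parts[2] == "":
        return "signature segment is empty"
    for name, seg in (("payload", parts[1]), ("signature", parts[2])):
        try:
            _b64url_decode(seg)
        except ValueError:
            return f"{name} is not base64url"
    return "ok"


def find_malformed(records: dict) -> list:
    """Return [(record_id, reason)] for every record that fails the check,
    in input order, so the list can serve directly as a cleanup worklist."""
    bad = []
    for rid, value in records.items():
        reason = check_jws_compact(value)
        if reason != "ok":
            bad.append((rid, reason))
    return bad


if __name__ == "__main__":
    for rid, reason in find_malformed(SAMPLE_RECORDS):
        print(f"{rid}: {reason}")
```

Feed `find_malformed` whatever your export produces (an `ldapsearch` dump parsed into id/value pairs, or a Redis key scan) and remove or re-register only the flagged entries; the check is deliberately offline and needs no CAS keys, so it can be run against a copy of the data before touching the live store.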