dearsky/pico-fido
1
0
Fork 0
Code Issues 46 Pull Requests 1 Actions Packages Projects Releases 22 Wiki Activity

Unable to use WebAuth authentication on websites that utilize the Casdoor solution. #145

New Issue
Closed
opened 2025-04-29 20:13:22 +08:00 by IsayIsee · 5 comments
IsayIsee commented 2025-04-29 20:13:22 +08:00 (Migrated from github.com)
Copy Link

Firmware Version: 6.6.0

I deployed a private instance of Casdoor and encountered an issue while adding the WebAuth authentication method. Everything seemed normal: the selection box popped up correctly, I entered the token password as usual, and the browser prompted that the registration was successful. However, when I checked the Passkeys, there was no data. I then tested on the official Casdoor website: https://demo.casdoor.com/, and the result was the same. I used both Firefox and Google Chrome for testing, and the outcome was identical.

Firmware Version: 6.6.0 I deployed a private instance of Casdoor and encountered an issue while adding the WebAuth authentication method. Everything seemed normal: the selection box popped up correctly, I entered the token password as usual, and the browser prompted that the registration was successful. However, when I checked the Passkeys, there was no data. I then tested on the official Casdoor website: https://demo.casdoor.com/, and the result was the same. I used both Firefox and Google Chrome for testing, and the outcome was identical.
polhenarejos commented 2025-04-29 23:29:08 +08:00 (Migrated from github.com)
Copy Link

I do not see how to register the key in https://demo.casdoor.com/signup

I do not see how to register the key in https://demo.casdoor.com/signup
hsluoyz commented 2025-04-30 01:36:14 +08:00 (Migrated from github.com)
Copy Link

@IsayIsee provide a video to reproduce the issue you claimed

@IsayIsee provide a video to reproduce the issue you claimed
IsayIsee commented 2025-04-30 08:26:18 +08:00 (Migrated from github.com)
Copy Link

@hsluoyz I can't record video,so take a screenshot to illustrate

Image

Image

Image

Image

Image

Image

Image

Image

Image

Image

Image

Image

Image

Image

no passkeys in token key

Image

@hsluoyz I can't record video,so take a screenshot to illustrate ![Image](https://github.com/user-attachments/assets/6b6371bb-450d-4d8a-8abc-eaa7cd5a2f30) ![Image](https://github.com/user-attachments/assets/65ecf768-9261-4a50-adf6-ec8bf563b6aa) ![Image](https://github.com/user-attachments/assets/45c25755-120a-4eb0-a91d-efea3602da2a) ![Image](https://github.com/user-attachments/assets/923002c8-4362-423f-9a4f-ebdcb116484a) ![Image](https://github.com/user-attachments/assets/67ca865b-54c0-4839-a97c-7920ca422626) ![Image](https://github.com/user-attachments/assets/90612faf-ea2e-48c9-8175-100f57cefae2) ![Image](https://github.com/user-attachments/assets/79069ae7-0121-4afa-b2f0-fc983bcdbd77) ![Image](https://github.com/user-attachments/assets/160a446a-a553-445e-b4f9-45ebcd01d9e0) ![Image](https://github.com/user-attachments/assets/9c752b6d-23ce-439a-a776-c347aa3867a7) ![Image](https://github.com/user-attachments/assets/71cc6792-96b1-46be-a8aa-7c2faa5c8ddb) ![Image](https://github.com/user-attachments/assets/d5ce247e-bf05-471d-8e6f-65fd1eb3a8d4) ![Image](https://github.com/user-attachments/assets/1c71c3ef-77c3-44b6-aa99-7ee479838495) ![Image](https://github.com/user-attachments/assets/8e57f17b-dceb-4b15-9f1b-951aa8a2f7a3) ![Image](https://github.com/user-attachments/assets/4ff7a2af-840e-4c46-8b2d-da4686e166f2) no passkeys in token key ![Image](https://github.com/user-attachments/assets/e475a4aa-0e84-457d-9519-a95b1f9d2dee)
polhenarejos commented 2025-04-30 17:46:38 +08:00 (Migrated from github.com)
Copy Link

What does it say last screenshot?
Having no keys is normal as they are non-resident.

What does it say last screenshot? Having no keys is normal as they are non-resident.
polhenarejos commented 2025-05-02 20:02:03 +08:00 (Migrated from github.com)
Copy Link

The registration process seems broken. When you click "Add Webauthn" to register your key, the request does not contain resident key flag, so no resident key is created (and this is why you don't see in the yubico app).
Then, when you want to log in, the web SHOULD provide a list of potential credentials to see which one matches with the registered, but NO list is sent, so no credentials are provided and therefore, it cannot login.

It's a design error. If you do not create resident keys, you must provide a credential list on login. On the contrary, if you create a resident key, then you must not provide a credential list on login. But you cannot create a resident key and do not provide a credential list because it will fail, as it happens.

The registration process seems broken. When you click "Add Webauthn" to register your key, the request does not contain resident key flag, so no resident key is created (and this is why you don't see in the yubico app). Then, when you want to log in, the web SHOULD provide a list of potential credentials to see which one matches with the registered, but NO list is sent, so no credentials are provided and therefore, it cannot login. It's a design error. If you do not create resident keys, you must provide a credential list on login. On the contrary, if you create a resident key, then you must not provide a credential list on login. But you cannot create a resident key and do not provide a credential list because it will fail, as it happens.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
dearsky
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dearsky/pico-fido#145
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?