Passwordless Authentication not Working in Firefox

Passwordless authentication is not working in Firefox at all; I can't add any tokens to any account.
U2F is working fine in Firefox.
There are HTTP 500 Errors logged for example.com/settings/api/personal/webauthn/registration

Using Google Chrome, adding keys works as expected on some accounts; on others, after clicking on "Add WebAuthn device", nothing happens and adding the key doesn't work. On accounts where this is the case, HTTP 403 errors are logged for example.com/settings/api/personal/webauthn/registration, and nothing is logged in the Nextcloud logs.


Nextcloud version (eg, 18.0.2): 19.0.0
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04 LTS
Apache or nginx version (eg, Apache 2.4.25): 2.4.41
PHP version (eg, 7.1): 7.4

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N):Y

Steps to replicate it:

  1. Log in to Account with Firefox Browser
  2. Try to add a token for Passwordless authentication

The output of your Nextcloud log in Admin > Logging:

{"reqId":"*****","level":3,"time":"2020-06-28T23:14:57+00:00","remoteAddr":"*****","user":"*****","app":"index","method":"POST","url":"/settings/api/personal/webauthn/registration","message":{"Exception":"Assert\\InvalidArgumentException","Message":"The attestation statement format \"packed\" is not supported.","Code":32,"Trace":[{"file":"/var/www/nextcloud/3rdparty/beberlei/assert/lib/Assert/Assertion.php","line":1769,"function":"createException","class":"Assert\\Assertion","type":"::"},{"file":"/var/www/nextcloud/3rdparty/web-auth/webauthn-lib/src/AttestationStatement/AttestationStatementSupportManager.php","line":37,"function":"true","class":"Assert\\Assertion","type":"::"},{"file":"/var/www/nextcloud/3rdparty/web-auth/webauthn-lib/src/AttestationStatement/AttestationObjectLoader.php","line":83,"function":"get","class":"Webauthn\\AttestationStatement\\AttestationStatementSupportManager","type":"->"},{"file":"/var/www/nextcloud/3rdparty/web-auth/webauthn-lib/src/PublicKeyCredentialLoader.php","line":120,"function":"load","class":"Webauthn\\AttestationStatement\\AttestationObjectLoader","type":"->"},{"file":"/var/www/nextcloud/3rdparty/web-auth/webauthn-lib/src/PublicKeyCredentialLoader.php","line":80,"function":"createResponse","class":"Webauthn\\PublicKeyCredentialLoader","type":"->"},{"file":"/var/www/nextcloud/3rdparty/web-auth/webauthn-lib/src/PublicKeyCredentialLoader.php","line":107,"function":"loadArray","class":"Webauthn\\PublicKeyCredentialLoader","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/WebAuthn/Manager.php","line":147,"function":"load","class":"Webauthn\\PublicKeyCredentialLoader","type":"->"},{"file":"/var/www/nextcloud/apps/settings/lib/Controller/WebAuthnController.php","line":101,"function":"finishRegister","class":"OC\\Authentication\\WebAuthn\\Manager","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":170,"function":"finishRegistration","class":"OCA\\Settings\\Controller\\WebAuthnController","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":100,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":137,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":297,"function":"call_user_func"},{"file":"/var/www/nextcloud/lib/base.php","line":1007,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":37,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/3rdparty/beberlei/assert/lib/Assert/Assertion.php","Line":2752,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0","version":"19.0.0.12","id":"5ef9247c51a08"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'passwordsalt' => '*****',
  'secret' => '*****',
  'trusted_domains' =>
  array (
    0 => '*****',
  ),
  'trusted_proxies' =>
  array (
    0 => '*****',
  ),
  'datadirectory' => '*****',
  'dbtype' => 'mysql',
  'version' => '19.0.0.12',
  'overwrite.cli.url' => '*****',
  'htaccess.RewriteBase' => '/',
  'dbname' => '*****',
  'dbhost' => '*****',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '*****',
  'dbpassword' => '*****',
  'installed' => true,
  'instanceid' => '*****',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '*****',
    'port' => *****,
    'dbindex' => 0,
    'password' => '*****'
  ),
  'mail_smtpmode' => '*****',
  'mail_smtpsecure' => '*****',
  'mail_sendmailmode' => '*****',
  'mail_from_address' => '*****',
  'mail_domain' => '*****',
  'mail_smtpauthtype' => '*****',
  'mail_smtpauth' => ******,
  'mail_smtphost' => '*****',
  'mail_smtpport' => '*****',
  'mail_smtpname' => '******',
  'mail_smtppassword' => '*****',
  'maintenance' => false,
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
);
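
A way to triage entries like the log line quoted above, added here as an example and not part of the original post or of Nextcloud: it groups exception entries for the WebAuthn registration endpoint by browser, error message and the innermost frame outside `3rdparty/`. The sample lines are constructed in the shape of the quoted entry (trace shortened); `triage` and the helper names are assumptions.

```python
import json
from collections import Counter

ENDPOINT = "/settings/api/personal/webauthn/registration"

def _entry(ua, url, message):
    # Builds one constructed sample log line (not real log data).
    return json.dumps({"level": 3, "method": "POST", "url": url,
                       "message": message, "userAgent": ua})

_FF = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0"
_CH = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0 Safari/537.36"
_EXC = {"Exception": "Assert\\InvalidArgumentException",
        "Message": 'The attestation statement format "packed" is not supported.',
        "Trace": [
            {"file": "/var/www/nextcloud/3rdparty/beberlei/assert/lib/Assert/Assertion.php", "line": 1769},
            {"file": "/var/www/nextcloud/3rdparty/web-auth/webauthn-lib/src/PublicKeyCredentialLoader.php", "line": 120},
            {"file": "/var/www/nextcloud/lib/private/Authentication/WebAuthn/Manager.php", "line": 147},
            {"function": "__invoke"}]}  # frames without a "file" key do occur
SAMPLE_LOG = "\n".join([
    _entry(_FF, ENDPOINT, _EXC),
    _entry(_CH, "/index.php/login", "Login failed"),  # unrelated, string message
    '{"level":3,"url":"/settings/api/pers',            # truncated line
    _entry(_FF, ENDPOINT, _EXC),
])

def browser_family(ua):
    for token, name in (("Firefox/", "Firefox"), ("Edg/", "Edge"), ("Chrome/", "Chrome")):
        if token in ua:
            return name
    return "other"

def app_frame(trace):
    # Trace is innermost-first; report the first frame that is not vendored code.
    for frame in trace:
        path = frame.get("file", "")
        if path and "/3rdparty/" not in path:
            return f"{path}:{frame.get('line')}"
    return "unknown"

def triage(log_text):
    findings = Counter()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        msg = entry.get("message")
        if entry.get("url", "").split("?")[0] != ENDPOINT or not isinstance(msg, dict):
            continue
        findings[(browser_family(entry.get("userAgent", "")),
                  msg.get("Message"), app_frame(msg.get("Trace", [])))] += 1
    return findings
```

The HTTP 403 responses described in the post produce no Nextcloud log entry, so they have to be counted from the web server access log instead.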

I’ve just figured out that only users in the “admin” group can add WebAuthn devices; all others can’t, and an HTTP 403 error is logged.

Adding WebAuthn devices with users in other groups fails: if they click on “Add WebAuthn Device”, nothing happens. 403 errors are logged for example.com/settings/api/personal/webauthn/registration.

Using Firefox, adding WebAuthn devices never works, even when the user is in the “admin” group. HTTP 500 errors are logged for example.com/settings/api/personal/webauthn/registration.

You are not alone

Hi Henry, did you eventually get this working? I have found the same error after a vanilla install on Ubuntu Server 20.04 LTS. Cheers, Rick.

Yes, I did.

Just follow @kesselb's edit of the apps/settings/lib/Controller/WebAuthnController.php file.
In other words just add @NoSubadminRequired in the three places.

It does work, regular users can now activate passwordless login…


Just to prevent people from manual editing, the fix is merged in Nextcloud 19.0.1.

I have 19.0.7 installed and am still facing the issue with Firefox. Connecting a NitroKey Fido2 gives the error "format “packed” is not supported"; with Chrome it works seamlessly.