
Failed to enroll a FIDO authenticator (TouchID) #386

Open
mamash opened this issue Mar 14, 2023 · 1 comment
mamash commented Mar 14, 2023

Hoping this is just something I'm missing.

Expected Behavior

Authenticate against Okta using a Macbook TouchID.

Current Behavior

Fails to either:

  1. Use the existing TouchID profile in the Okta method list (currently in use to authenticate against Okta for web-based services)
  2. Enroll the TouchID using --action-setup-fido-authenticator (used a working 'token:hardware: YUBICO' method here)

$ gimme-aws-creds --action-setup-fido-authenticator
*** Registering a new fido authenticator in Okta.

*** Note that webauthn authenticators must be allowed for this operation to succeed.
*** You may be prompted for MFA more than once for this run.

Using password from keyring for XXX
Multi-factor Authentication required.
Pick a factor:
[0] token:hardware: YUBICO
[1] webauthn: MacBook Touch ID
[2] webauthn: Authenticator
[3] webauthn: YubiKey 5 with NFC
[4] token:software:totp( OKTA ) : XXX
Selection: 0
Enter verification code:
Exception in thread Thread-6 (_make_credential):
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/gimme-aws-creds/2.5.0/libexec/lib/python3.11/site-packages/fido2/client.py", line 510, in make_credential
    att_obj, extension_outputs = self._do_make_credential(
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/gimme-aws-creds/2.5.0/libexec/lib/python3.11/site-packages/fido2/client.py", line 584, in _ctap2_make_credential
    att_obj = self.ctap2.make_credential(
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/gimme-aws-creds/2.5.0/libexec/lib/python3.11/site-packages/fido2/ctap2/base.py", line 785, in make_credential
    return self.send_cbor(
           ^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/gimme-aws-creds/2.5.0/libexec/lib/python3.11/site-packages/fido2/ctap2/base.py", line 675, in send_cbor
    raise CtapError(status)
fido2.ctap.CtapError: CTAP error: 0x11 - CBOR_UNEXPECTED_TYPE

(further exceptions omitted)

Steps to Reproduce (for bugs)

  1. gimme-aws-creds --action-configure
  2. gimme-aws-creds --action-setup-fido-authenticator

As mentioned, the TouchID is already set up in Okta and works. (However, saml2aws doesn't support it as a method. Was hoping 'gimme-aws-creds' would.)

Your Environment

  • App Version used: 2.5.0
  • Operating System and version: macOS 13.2.1, brew package

kholia commented Jun 15, 2023

This issue is solved in PR #366.
