Failed to enroll a FIDO authenticator (TouchID) #386

@mamash

Description

Hoping this is just something I'm missing.

Expected Behavior

Authenticate against Okta using a Macbook TouchID.

Current Behavior

Fails to either:

  1. Use the existing TouchID profile in the Okta method list (currently in use to authenticate against Okta for web-based services)
  2. Enroll the TouchID using --action-setup-fido-authenticator (used a working 'token:hardware: YUBICO' method here)

$ gimme-aws-creds --action-setup-fido-authenticator
*** Registering a new fido authenticator in Okta.

*** Note that webauthn authenticators must be allowed for this operation to succeed.
*** You may be prompted for MFA more than once for this run.

Using password from keyring for XXX
Multi-factor Authentication required.
Pick a factor:
[0] token:hardware: YUBICO
[1] webauthn: MacBook Touch ID
[2] webauthn: Authenticator
[3] webauthn: YubiKey 5 with NFC
[4] token:software:totp( OKTA ) : XXX
Selection: 0
Enter verification code:
Exception in thread Thread-6 (_make_credential):
Traceback (most recent call last):
  File "/opt/homebrew/Cellar/gimme-aws-creds/2.5.0/libexec/lib/python3.11/site-packages/fido2/client.py", line 510, in make_credential
    att_obj, extension_outputs = self._do_make_credential(
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/gimme-aws-creds/2.5.0/libexec/lib/python3.11/site-packages/fido2/client.py", line 584, in _ctap2_make_credential
    att_obj = self.ctap2.make_credential(
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/gimme-aws-creds/2.5.0/libexec/lib/python3.11/site-packages/fido2/ctap2/base.py", line 785, in make_credential
    return self.send_cbor(
           ^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/gimme-aws-creds/2.5.0/libexec/lib/python3.11/site-packages/fido2/ctap2/base.py", line 675, in send_cbor
    raise CtapError(status)
fido2.ctap.CtapError: CTAP error: 0x11 - CBOR_UNEXPECTED_TYPE

(further exceptions omitted)

Steps to Reproduce (for bugs)

  1. gimme-aws-creds --action-configure
  2. gimme-aws-creds --action-setup-fido-authenticator

As mentioned, the TouchID is already set up in Okta and works. (However, saml2aws doesn't support it as a method. I was hoping 'gimme-aws-creds' would.)

Your Environment

  • App Version used: 2.5.0
  • Operating System and version: macOS 13.2.1, brew package
