Cannot get yubikey working

Hi,

I’ve installed Discourse, and generally everything is working fine. However, when I attempt to add my Yubikey as a security key, I keep getting this error:

The origin of the authentication request does not match the server origin.

I cannot find any particular configuration option that would fix this. I’ve tried configuring CORS, but it didn’t make any difference. How can I get it to work?

Thanks in advance :slight_smile:


Could the hostname of your forum be different from what you’re accessing it through?

For instance, is your app.yml hostname the same as what you put in your browser?

The hostname matches. The only thing is, the instance is behind an nginx proxy, so it may well be that the problem is here. However the proxy configuration is effectively SSL offload, so it’s a case of:

Web Browser → Nginx proxy (https) → Discourse (http)

So the connection between the browser and nginx is HTTPS, but between the proxy and discourse it’s on port 80.

I did just enable CORS on my lab machine that I had set up, as I also had the problem here, but it wasn’t until I did full HTTPS with CORS that I could register my Yubikey. Force SSL was also enabled as well.

I did put both http and https in the CORS config in Discourse for the one behind the proxy, but it didn’t make any difference. So I think it’s potentially down to the nginx proxy config, or I may need to move it from proxying between 443 and port 80, to proxy to port 443 on Discourse instead.

We’ve also got such a report. Also using a TLS-terminating nginx reverse proxy in front of Discourse. The error message doesn’t help to figure out what needs to change in the server configuration.

code references:

https://github.com/discourse/discourse/blob/main/lib/webauthn/security_key_base_validation_service.rb#L21-L24

https://github.com/discourse/discourse/blob/main/lib/webauthn/security_key_base_validation_service.rb#L58-L60
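An illustration of how the origin mismatch discussed in this thread can arise behind a TLS-terminating proxy, as an added example that is not part of the original posts and is not Discourse's code. It assumes the application derives its own origin from the scheme and host of the request it receives; `forum.example.com`, the helper names and the sample data are constructed.

```ruby
require "json"
require "base64"

# Origin the application believes it is served from, built from the scheme and
# host of the request as it arrives from the proxy. Honouring X-Forwarded-Proto
# is an assumption about the app/proxy pair; only do so for a trusted proxy.
def server_origin(env, trust_forwarded_proto:)
  scheme = env["rack.url_scheme"]
  forwarded = env["HTTP_X_FORWARDED_PROTO"]
  scheme = forwarded.split(",").first.strip if trust_forwarded_proto && forwarded
  "#{scheme}://#{env["HTTP_HOST"]}"
end

# WebAuthn relying-party check: the origin the browser recorded in
# clientDataJSON must equal the server's origin exactly, scheme included.
def origin_matches?(client_data_b64, expected_origin)
  client_data = JSON.parse(Base64.urlsafe_decode64(client_data_b64))
  client_data["origin"] == expected_origin
end

# Constructed sample: clientDataJSON as a browser on https://forum.example.com
# would produce it during security key registration.
CLIENT_DATA = Base64.urlsafe_encode64(JSON.generate(
  "type" => "webauthn.create",
  "challenge" => "Y29uc3RydWN0ZWQ",
  "origin" => "https://forum.example.com"
), padding: false)

# Constructed request environments as seen by the app on port 80 behind the proxy.
PROXIED_ENV = { "rack.url_scheme" => "http", "HTTP_HOST" => "forum.example.com" }.freeze
FORWARDED_ENV = PROXIED_ENV.merge("HTTP_X_FORWARDED_PROTO" => "https").freeze

if __FILE__ == $PROGRAM_NAME
  { "proxy sends no scheme header" => PROXIED_ENV,
    "proxy sends X-Forwarded-Proto" => FORWARDED_ENV }.each do |label, env|
    origin = server_origin(env, trust_forwarded_proto: true)
    puts "#{label}: server origin #{origin}, match=#{origin_matches?(CLIENT_DATA, origin)}"
  end
end
```
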

What do you mean by full HTTPS?

13 posts were split to a new topic: How to use FIDO2 with Discourse behind a reverse proxy?

This topic was automatically closed after 861 days. New replies are no longer allowed.