Cannot get yubikey working

iwalker · January 28, 2022, 2:29pm

Hi,

I’ve installed Discourse, and generally everything is working fine. However, when I attempt to add my Yubikey as a security key, I keep getting this error:

The origin of the authentication request does not match the server origin.

I cannot find any particular configuration option that would fix this. I’ve tried configuring CORS, but it didn’t make any difference. How can I get it to work?

Thanks in advance

Simsnet · January 28, 2022, 4:28pm

Could the hostname of your forum be different from what you’re accessing it through?

For instance, is your app.yml hostname the same as what you put in your browser?

iwalker · January 28, 2022, 4:44pm

The hostname matches. The only thing is, the instance is behind an nginx proxy, so it may well be that the problem is here. However the proxy configuration is effectively SSL offload, so it’s a case of:

Web Browser → Nginx proxy (https) → Discourse (http)

So the connection between the browser and nginx is HTTPS, but between the proxy and discourse it’s on port 80.

I did just enable CORS on my lab machine that I had setup, as I also had the problem here, but it wasn’t until I did full HTTPS with CORS that I could register my Yubikey. Force SSL was also enabled as well.

I did put both http and https in the COR config in discourse for the one behind the proxy, but it didn’t make any difference. So I think it’s potentially down to the nginx proxy config, or I may need to move it from proxying between 443 and port 80, to proxy to port 443 on discourse instead.

adrelanos · February 23, 2023, 8:55am

We’ve also got such a report. Also using a TLS terminating nginx reverse proxy in from of discourse. The error message doesn’t help to figure out what needs to change in the server configuration.

code references:

github.com

discourse/discourse/blob/main/config/locales/server.en.yml#L987


      
            smtp_server_busy_error: "The SMTP server is currently busy, try again later."
            smtp_unhandled_error: "There was an unhandled error when communicating with the SMTP server. %{message}"
            imap_unhandled_error: "There was an unhandled error when communicating with the IMAP server. %{message}"
            connection_error: "There was an issue connecting with the server, check the server name and port and try again."
            timeout_error: "Connection to the server timed out, check the server name and port and try again."
            unhandled_error: "Unhandled error when testing email settings. %{message}"
          webauthn:
            validation:
              invalid_type_error: "The webauthn type provided was invalid. Valid types are webauthn.get and webauthn.create."
              challenge_mismatch_error: "The provided challenge does not match the challenge generated by the authentication server."
              invalid_origin_error: "The origin of the authentication request does not match the server origin."
              malformed_attestation_error: "There was an error decoding the attestation data."
              invalid_relying_party_id_error: "The Relying Party ID of the authentication request does not match the server Relying Party ID."
              user_verification_error: "User verification is required."
              unsupported_public_key_algorithm_error: "The provided public key algorithm is not supported by the server."
              unsupported_attestation_format_error: "The attestation format is not supported by the server."
              credential_id_in_use_error: "The credential ID provided is already in use."
              public_key_error: "The public key verification for the credential failed."
              ownership_error: "The security key is not owned by the user."
              not_found_error: "A security key with the provided credential ID could not be found."
              unknown_cose_algorithm_error: "The algorithm used for the security key is not recognized."

github.com

discourse/discourse/blob/main/lib/webauthn/security_key_base_validation_service.rb#L21-L24


      
          def validate_origin
            return if origin_match?
            raise(InvalidOriginError, I18n.t("webauthn.validation.invalid_origin_error"))
          end

github.com

discourse/discourse/blob/main/lib/webauthn/security_key_base_validation_service.rb#L58-L60


      
          def origin_match?
            client_data["origin"] == @challenge_params[:origin]
          end

What do you mean by full HTTPS?

JammyDodger · January 9, 2024, 9:32pm

13 posts were split to a new topic: How to use FIDO2 with Discourse behind a reverse proxy?

Topic		Replies	Views
Login fails with "Unknown error" support	5	2038	December 13, 2019
Trouble configuring discourse with reverse proxy installation	3	1271	September 16, 2022
Fresh install returning 502 Bad Gateway installation unsupported-install	28	332	April 11, 2024
Can't get Discourse to work on different ports installation	2	1267	March 9, 2021
Discourse deploy on lightsail: "connection refused" installation	12	1068	August 22, 2022

Cannot get yubikey working

Related Topics