When using hardware which I do not own, I want to use a hardware key instead of putting my password. I got a nitrokey 3C for that purpose.
Registration on discourse fails. Also here on meta.discourse.org
p.s. Registering the key as second factor worked in a linux (debian) + chromium, but not when I try to log in.
What browser are you using?
Whatās the error you get?
Are there any additional details in the dev console?
this is on debian chromium (and on ubuntu firefox the same; also the same on firefox nightly (snap) on debian )
After pressing the button on the key
āThe passkey registration process either timed out, was cancelled or is not allowed.ā
Error is not helpful; nothing special on the console.
The request to https://meta.discourse.org/u/register_passkey.json gives http 500 with {āstatusā:500,āerrorā:āInternal Server Errorā} payload.
Would the request data help?
id=owBYLgKCahnu_YBKKDAaTdK7LOlDFzwJ9kJPvXfntmdfbyOzs35ddeOM0KnNqHiu6bwBTLu17fF2A7QkNfCE5wJQPdOrG5MIB-9Hek6KoX4wcA
rawId=owBYLgKCahnu/YBKKDAaTdK7LOlDFzwJ9kJPvXfntmdfbyOzs35ddeOM0KnNqHiu6bwBTLu17fF2A7QkNfCE5wJQPdOrG5MIB+9Hek6KoX4wcA==
type=public-key
attestation=o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjB06zu7aykTbz9dy22doBbDg8EboPkWBAWR4JLQn8z1TTFAAAAewAAAAAAAAAAAAAAAAAAAAAAUqMAWC4CgmoZ7v2ASigwGk3SuyzpQxc8CfZCT71357ZnX28js7N+XXXjjNCpzah4rum8AUy7te3xdgO0JDXwhOcCUD3TqxuTCAfvR3pOiqF+MHCkAQEDJyAGIVggy/MDuHan5fRjuKIQp7zkGku7P6p/8s2B4kfectFHcF6ha2htYWMtc2VjcmV09A==
clientData=eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiTmpRMVpUazJaVE00WlRRNE1UZGxOamd3TVdJNE5XVm1ZV1F5TkRObE1EVmlZek0zTURkbU1qZzJPR1V6TnpRd05HUmxZamRrTVdRMk1tWTEiLCJvcmlnaW4iOiJodHRwczovL21ldGEuZGlzY291cnNlLm9yZyIsImNyb3NzT3JpZ2luIjpmYWxzZX0=
name=Main Passkey
Does it work on https://webauthn.io/ ?
yes, registering and authenticating
I just tried registering a new U2F key here on meta and Iām seeing this error in the console which probably explains it:
NotAllowedError: The operation either timed out or was not allowed.
See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.
I dont get the error description at w3.org ; So it is the implementation broken? I donāt seem to get the error in the console, so anything I can contribute?
Weāll need to look at this - I think browsers have implemented additional requirements (as noted in the link) since we first developed this.
Thanks @agr for identifying this issue, Iāve pushed out a fix here:
Updating your Discourse to the latest version should now resolve the issue, but if you still encounter any issues please do let us know
Registering worked fine. That was fast 
But login / auth.js gives me a 500 response
Confirmed; I see:
NoMethodError (undefined method 'hash_function' for an instance of COSE::Algorithm::EdDSA)
lib/discourse_webauthn/authentication_service.rb:99:in 'DiscourseWebauthn::AuthenticationService#authenticate_security_key'
app/controllers/session_controller.rb:399:in 'SessionController#passkey_login'
app/controllers/application_controller.rb:443:in 'block in ApplicationController#with_resolved_locale'
app/controllers/application_controller.rb:443:in 'ApplicationController#with_resolved_locale'
app/controllers/application_controller.rb:1089:in 'ApplicationController#ensure_dont_cache_page'
lib/middleware/omniauth_bypass_middleware.rb:35:in 'Middleware::OmniauthBypassMiddleware#call'
lib/middleware/crawler_hooks.rb:11:in 'Middleware::CrawlerHooks#call'
lib/content_security_policy/middleware.rb:12:in 'ContentSecurityPolicy::Middleware#call'
lib/middleware/anonymous_cache.rb:420:in 'Middleware::AnonymousCache#call'
lib/middleware/csp_script_nonce_injector.rb:12:in 'Middleware::CspScriptNonceInjector#call'
config/initializers/008-rack-cors.rb:26:in 'Discourse::Cors#call'
lib/middleware/default_headers.rb:13:in 'Middleware::DefaultHeaders#call'
config/initializers/100-quiet_logger.rb:20:in 'DiscourseRackQuietAssetsLogger#call'
config/initializers/100-silence_logger.rb:29:in 'SilenceLogger#call'
lib/middleware/enforce_hostname.rb:23:in 'Middleware::EnforceHostname#call'
lib/middleware/request_tracker.rb:321:in 'Middleware::RequestTracker#call'
lib/middleware/overload_protections.rb:22:in 'Middleware::OverloadProtections#call'
lib/middleware/processing_request.rb:14:in 'Middleware::ProcessingRequest#call'
in the logs when I try to use my Solo 2