How to use FIDO2 with Discourse behind a reverse proxy?

Has anyone ever figured out how to use FIDO2 with Discourse behind a reverse proxy? I’m having this issue using the web.socketed.template.yml template with a forum behind a Cloudflare Tunnel.

Neither Yubikey 2FA nor the new Passkey logins are working for me.

Is this on a dev environment? You might need to override this bit temporarily:

And it is also likely helpful to use the --forward-host flag when running the server, i.e. bin/ember-cli -u --forward-host.

No, this is a production install.

What error messages are you getting?

What is the full URL of the failed request, /auth.json?

Ah, no: /session/passkey/auth.json

Ok, so your server thinks that it is not running on the hostname that the browser is requesting. The security key / passkey generation procedure has to ensure that the hostname of the browser matches that of the server (keys are generated per hostname).

Can you log into your Rails console and check what the output of Discourse.current_hostname is? If it doesn’t match the URL you use to access the site, that’s the problem.

1 Like

Note, this could be a http vs https issue as well. I see the logo is looking for a URL under http:// on your site.

1 Like

Discourse.current_hostname does match the URL I use to access the site. Is there a way to see what Discourse thinks the hostname my browser is requesting is?

1 Like

What do you get for Discourse.base_url in the console?

1 Like

Ah, that is set to an http:// URL (with the correct hostname). I’m using the setup described here to make Discourse accessible to Cloudflare Tunnel:

Oh, I think I got it. Enabling the force https setting in Discourse seems to have fixed it; I’m not sure why it was off. I don’t think it was necessary in the default config before adding another reverse proxy in front of it. Thanks for your help!

2 Likes
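
The mismatch diagnosed in this thread, as an added example that is not part of the original posts and is not Discourse's own code: a WebAuthn relying party compares the origin recorded in the browser's clientDataJSON with the origin the server believes it is served from, so an http:// base URL fails the check even when the hostname matches. The host forum.example.com, the challenge value and all helper names are assumptions constructed for illustration.

```ruby
require "json"
require "uri"

# base64url without padding, the encoding WebAuthn uses on the wire.
def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str + "=" * ((4 - str.length % 4) % 4)
  padded.tr("-_", "+/").unpack1("m0") # strict: raises ArgumentError on junk
end

# Origin as a browser serializes it: scheme, host, and port only if non-default.
def origin_of(url)
  u = URI.parse(url)
  default = { "http" => 80, "https" => 443 }[u.scheme]
  port = u.port && u.port != default ? ":#{u.port}" : ""
  "#{u.scheme}://#{u.host.downcase}#{port}"
end

# Constructed sample of the clientDataJSON a browser sends with an assertion.
def sample_client_data(origin, challenge)
  b64url_encode(JSON.generate(
    "type" => "webauthn.get", "challenge" => challenge, "origin" => origin
  ))
end

# Server-side check. Returns :ok or a symbol naming the first failed step.
def verify_client_data(client_data_b64, expected_base_url:, expected_challenge:)
  data = JSON.parse(b64url_decode(client_data_b64))
  return :wrong_type unless data["type"] == "webauthn.get"
  return :challenge_mismatch unless data["challenge"] == expected_challenge
  # Whole-origin comparison: scheme and port count, not just the hostname.
  return :origin_mismatch unless data["origin"] == origin_of(expected_base_url)
  :ok
rescue JSON::ParserError, ArgumentError
  :malformed
end

CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" # constructed value
# The browser reaches the site over HTTPS through the proxy (hypothetical host).
BROWSER_DATA = sample_client_data("https://forum.example.com", CHALLENGE)

# Server configured with an http:// base URL: same hostname, different origin.
puts verify_client_data(BROWSER_DATA, expected_base_url: "http://forum.example.com",
                                      expected_challenge: CHALLENGE)
# Server base URL corrected to https://.
puts verify_client_data(BROWSER_DATA, expected_base_url: "https://forum.example.com",
                                      expected_challenge: CHALLENGE)
```

A hostname-only comparison, like the first console check in the thread, passes in both cases, which is why the scheme has to be checked as well.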
