Some more context…

1. I created two keys using Edge. (1) was a local key and (2) was the iPhone key (using QR code)

Platform Info

iPhone 14
iPhone OS 17.3.1

Wonder if this is some variant of T244088: Logging in at another wiki than WebAuth was set up fails, due to the different mobile domain...

Wonder if this is some variant of T244088: Logging in at another wiki than WebAuth was set up fails, due to the different mobile domain...

I believe they are separate because I also observed T244088 ( i can't log into wikivoyage with the wikipedia passkey) . but for T244088 I have a workaround : (1) log in on wikipedia (2) open up wikivoyage (on desktop)

video working experience using "show desktop site" on mobile safari

if we have measurements of "Authentication process was interrupted " we could segment by user -agent or device to measure incidence of this issue.

I'm blocked by another variant of this issue: login from a separate windows machine. I'm being prompted to "insert usb security key" but i have two passkeys registered : (1) from iphone and (1) from another windows machine. I would expect the option to pop a QR-CODE to proceed using iphone passkey

STEPS TO REPEAT (2 windows machine variant)

1. create (2) passkeys on windows machine-A
2. try to login on windows machine-B

ACTUAL RESULTS

I'm prompted "insert your security key into usb port" -- with no alternative credential.

EXPECTED RESULTS

I should be prompted for qr-code passkey authentication to use my iphone.
{F42403350}

this bug is pretty serious. I'd like to disable 2-FA but i also want to help get it fixed. I'll be locked out of my account if something happens to my first login session

That USB popup looks very Windows/Edge specific. I don't think the message is in our code, or anything we bring in via vendor.

In T358771#9603441, @Reedy wrote:

That USB popup looks very Windows/Edge specific. I don't think the message is in our code, or anything we bring in via vendor.

check out the "actual" vs "expected" (both are Edge experiences , 1 wikipedia and 1 github). I believe the site provides a list of eligible devices to the browser.

(i'm a bit new to webauthn) it seems that the site (wikipedia) sends a list of token public keys / token IDs to the browser to initiate token-based authentication.

I believe wikipedia may be truncating the eligible token list , hence the "insert USB token" prompt

More visual review of the protocol here:

https://webauthn.me/

https://github.com/wikimedia/mediawiki-extensions-WebAuthn/blame/37f30cd/src/Key/WebAuthnKey.php#L112-L117

	protected $credentialTransports = [
		PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_USB,
		PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_NFC,
		PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_BLE,
		PublicKeyCredentialDescriptor::AUTHENTICATOR_TRANSPORT_INTERNAL
	];

It is the first one in the list, but...

I believe "HYBRID" is the one that supports the iPhone /passkey based login : https://web.dev/articles/passkey-registration

Is it possible that L112-L117 are for the credential setup phase, and that the authentication phase presents the list stored in the database?

Just brainstorming based on what I'm seeing

Here's my list of tokens on wikimedia

Had a look in the DB for your entries. You indeed have two devices enrolled.

Your windows one has been used 3 times, your iphone 0 (apparently, based on the counters).

They both list the same transports:

"transports":["usb","nfc","ble","internal"],

interesting.

"windows-pc" -- this one is internal (windows hello / TPM)
"iphone" -- this one is iPhone Passkey (added via QR-code) . I think it's supposed to be "hybrid"

I can break into the login phase (using chrome devtools) at https://en.wikipedia.org/w/extensions/WebAuthn/resources/login.js L3 and reproduce the issue.

I'm going to see if i can inject "hybrid" into the request to see if that fixes the issue. It may take me a while b/c i don't know the code

https://github.com/wikimedia/mediawiki-extensions-WebAuthn/blob/979220702ab45fb4755ed45bd38cbbb05a411c22/resources/login.js#L3 in the repo

I will note upfront, we're using an old version of the webauthn libraries; specifically 3.3.12, which is 2 years old - https://packagist.org/packages/web-auth/webauthn-lib#v3.3.12

We can't upgrade to the 4.x (or newer versions) until T319432: Migrate WMF production from PHP 7.4 to PHP 8.1 has happend, basically.

https://packagist.org/packages/web-auth/webauthn-lib#v4.0.0
https://packagist.org/packages/web-auth/webauthn-lib#4.8.2

wow it worked!

tl;dr adding hybrid to list of transports fixes the issue

STEPS TO DEBUG

1. login until authn prompt & cancel the token prompt
2. set breakpoint at WebAuthn/resources/login.js L8 (after authenticator is assigned)
3. hit "reload" to break
4. open console and modify the allowCredentials object like this (inspect allowCredentials to find the index of your iphone cred-- the example below is my two creds) ...

authenticator.authInfo.allowCredentials[1].transports.push('hybrid')

5. "use another device" & proceed to login on iphone

screenshot evidence. video inbound
{F42406516}

debug session showing how to fix

https://github.com/wikimedia/mediawiki-vendor/blob/4e138440c4dfeb4896816143c1964da09fea12b6/web-auth/webauthn-lib/src/PublicKeyCredentialDescriptor.php#L26-L29

https://github.com/web-auth/webauthn-lib/blob/v4.0/src/PublicKeyCredentialDescriptor.php#L18-L26

https://github.com/web-auth/webauthn-lib/blob/4.8.2/src/PublicKeyCredentialDescriptor.php#L18-L34

The only mention I can find of hybrid is in two bug reports - https://github.com/search?q=repo%3Aweb-auth%2Fwebauthn-framework+hybrid&type=issues

We can certainly add it with https://github.com/wikimedia/mediawiki-extensions-WebAuthn/blame/37f30cd/src/Key/WebAuthnKey.php#L112-L117 but that feels odd that the vendor library seems to know nothing about hybrid...

Aha

https://forums.developer.apple.com/forums/thread/710784

The QR code flow will be publicly formalized in an upcoming version of the CTAP2 spec. It uses the "hybrid" transport (formerly known as "caBLE").

final public const AUTHENTICATOR_TRANSPORT_CABLE = 'cable';

Which was added in https://github.com/web-auth/webauthn-lib/commit/6634a25e60c3a791f156673b82bb27c21ba7a562 (4.0.5+)

Can you run your test again for me, and see if cable indeed works instead of hybrid?

I'd be happier hard coding cable, with a TODO left to replace it with the proper upstream usage later...

yep cable works like hybrid

Great, I appreciate the debugging. This makes a patch fairly easy. Though, I will admit upfront, I don't know how well this will behave with stuff saved in the DB...

Change 1008987 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/WebAuthn@master] WebAuthnKey: Add "cable" to credentialTransports

https://gerrit.wikimedia.org/r/1008987

happy to help -- great partnership on this

with stuff saved in the DB...

I'll let you know if the transports reflects the new commit or if I need to re-install the credential (it's from the db)

I've also asked Upstream if we've got a chance of getting https://github.com/web-auth/webauthn-lib/commit/6634a25e60c3a791f156673b82bb27c21ba7a562 backported into the 3.3.x branch, and a followup release...

https://github.com/web-auth/webauthn-framework/issues/574

can I help testing out the change on the test env?

In T358771#9612543, @Tonymetz wrote:

can I help testing out the change on the test env?

Not really, yet. I'm pretty sure your testing confirms it's the right fix, at least for new DB entries. It's obviously currently unclear how that works for existing rows, and whether we need to do anything about it (yet).

It needs merging (ie C+2) in our version control, then it'll be live on the Beta-Cluster-Infrastructure...

what's a good way to track the launch status for this fix? i'm sorry I don't know too much about the deployment process

In T358771#9603948, @gerritbot wrote:

Change 1008987 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/WebAuthn@master] WebAuthnKey: Add "cable" to credentialTransports

https://gerrit.wikimedia.org/r/1008987

There'll be a comment like ^ saying this has been merged. Then depending on when it is merged, it should be rolled out on Wikimedia wikis within a week, or two at the most, depending on whether it is merged before the branch cut.

There may be another variant of the issue when logging in on meta.wikipedia.org. It seems that the viable webauthn credential list is being filtered either by site or by login device before being presented to the browser. I get a different experience on different browsers.

STEPS

1. use iPAD (safari) to log into "wikipedia library" via oauth e.g. https://meta.wikimedia.org/w/index.php?returnto=Special:OAuth/authenticate&returntoquery=%26oauth_consumer_key%3xxxxxbaf%26oauth_token%3Dxxxexxxxxxxx&title=Special:UserLogin&uselang=en&centralAuthAutologinTried=1&centralAuthError=Not+centrally+logged+in
2. enter username + password
3. try to use usb-c token or iphone passkey

ACTUAL RESULTS
iphone passkey does not work despite it being connected to the account. error message "Passkey was not found" (not exact)

EXPECTED RESULTS
both usb-c token and iphone passkey should work

any ETA on this one?

No, if there were any updates they would be here.

Can I ask what the blocker is?

There is no "blocker", only lack of unlimited time and lack of unlimited developer resources and lack of empty to-do lists - see also https://www.mediawiki.org/wiki/Bug_management/Development_prioritization

Reedy and I already got this fixed and he submitted a patch. So we're just waiting for it to get merged. What is blocking that?

It seems the commit was made Mar 5 so it's been 6 weeks. Can you guess how many more weeks it is going to be?

@Aklapper I don't appreciate the dismissive tone being used. I invested a lot of effort working together with Reedy to reproduce, debug & help formulate a fix. At the very least you could help clarify exactly what the next steps are here.

As mentioned before, the next step is that some other maintainer must review and approve ("+2") the change. For WebAuthn, that "someone" would most likely be me. However I am not planning to review any WebAuthn patches before I get some patches of my own merged there, and the constant pings in this task are very effective at bringing this patch to the very back of my mental to-do list.

1. it is a one-line change
2. it is a back-port of code from the webauthn repo
3. reedy & I recorded our testing procedure above with video and code samples

What is there to do?

I'm a diligent volunteer and you are burning a bridge here.

@taavi any updates on the webauthn tasks merge progress? Are we looking at another 6 weeks?

Webauthn security tokens are not being passed to wikifunctions.org

I have 2 passkeys (1 windows 11 and 1 iPhone) , and neither are recognized on wikifunctions.org

STEPS

1. Visit wikifunctions.org —> login
2. Enter username + cred
3. Receive 2fa prompt

EXPECTED RESULTS
Existing passkeys should work

ACTUAL RESULTS
No passkeys work

@taavi are we targeting 2024 or 2025 on this one?

@Tonymetz: Such comments are pretty unhelpful. "We" are not targeting any years.

what would be helpful would be an estimate.

a monthly reminder that ...

1. it is a one-line change
2. it is a back-port of code from the webauthn repo
3. reedy & I recorded our testing procedure above with video and code samples

In T358771#9830254, @Tonymetz wrote:

a monthly reminder that ...

Hi Tony,

there's no one that needs a reminder about this. if you want to do something productive, do Gerrit reviews of other changes on other tasks. in any case, you should not be commenting here.

the people who want to use webauthn do. What's the point of the feature if it's broken?