Python DUO-LABS WebAuthn: Server validation of credential failed: Registration failed. Error: Registration rejected. Error: Unable to verify origin

Tags: python, flask, fingerprint, webauthn, password-less

I am trying to implement fingerprint-based authentication using the Duo Labs Python webauthn package. However, I run into this error:

server validation of credential failed: registration failed. error: registration rejected. error: unable to verify origin..

When I checked the package's source code, I noticed that this error, "Unable to verify origin.", is raised when your authenticator is not configured correctly. Is there a way to state explicitly that I only need a platform authenticator, not a roaming authenticator, without modifying the package's source code? If so, please provide complete working code for Flask (which I am using now, after the error drove me away from Django). My current configuration is:

RP_ID = 'nacesdecide.herokuapp.com'  # The app is currently hosted on Heroku
RP_NAME = 'nacesdecides nacesdecide'
ORIGIN = 'https://nacesdecide.herokuapp.com/'

The app is currently hosted on Heroku and can be accessed live at [link]. I want the app to use the platform authenticator alone.
Update:

Some parts of the code (drafted from [link]) follow. On the server side, we have:
# Imports and app setup are not shown in the question; they follow the Duo Labs
# Flask demo this code is drafted from (module names assumed).
import os
import sys

import webauthn
from flask import Flask, flash, jsonify, make_response, request, session

import util                   # validate_username, generate_challenge, generate_ukey, ...
from models import User, db   # the demo's SQLAlchemy model and session

app = Flask(__name__)
app.secret_key = os.urandom(32)  # assumed for this snippet; use a persistent secret in production


@app.route('/webauthn_begin_activate', methods=['POST'])
def webauthn_begin_activate():
    # MakeCredentialOptions
    username = request.form.get('register_username')
    display_name = request.form.get('register_display_name')

    if not util.validate_username(username):
        return make_response(jsonify({'fail': 'Invalid username.'}), 401)
    if not util.validate_display_name(display_name):
        return make_response(jsonify({'fail': 'Invalid display name.'}), 401)
    if User.query.filter_by(username=username).first():
        return make_response(jsonify({'fail': 'User already exists.'}), 401)

    # clear session variables prior to starting a new registration
    session.pop('register_ukey', None)
    session.pop('register_username', None)
    session.pop('register_display_name', None)
    session.pop('challenge', None)

    session['register_username'] = username
    session['register_display_name'] = display_name

    challenge = util.generate_challenge(32)
    ukey = util.generate_ukey()

    # We strip the saved challenge of padding, so that we can do a byte
    # comparison on the URL-safe-without-padding challenge we get back
    # from the browser.
    # We will still pass the padded version down to the browser so that the JS
    # can decode the challenge into binary without too much trouble.
    session['challenge'] = challenge.rstrip('=')
    session['register_ukey'] = ukey

    # Positional arguments: challenge, rp_name, rp_id, user_id, username,
    # display_name, icon_url ('https://example.com' is the demo placeholder).
    make_credential_options = webauthn.WebAuthnMakeCredentialOptions(
        challenge, RP_NAME, RP_ID, ukey, username, display_name,
        'https://example.com')

    return jsonify(make_credential_options.registration_dict)
This function may also be of interest:
# Same Flask module as above. TRUST_ANCHOR_DIR comes from the demo's config
# (value assumed); the route decorator follows the Duo Labs Flask demo.
TRUST_ANCHOR_DIR = 'trusted_attestation_roots'


@app.route('/verify_credential_info', methods=['POST'])
def verify_credential_info():
    challenge = session['challenge']
    username = session['register_username']
    display_name = session['register_display_name']
    ukey = session['register_ukey']

    registration_response = request.form
    trust_anchor_dir = os.path.join(
        os.path.dirname(os.path.abspath(__file__)), TRUST_ANCHOR_DIR)
    trusted_attestation_cert_required = True
    self_attestation_permitted = True
    none_attestation_permitted = True

    webauthn_registration_response = webauthn.WebAuthnRegistrationResponse(
        RP_ID,
        ORIGIN,  # compared verbatim with the origin inside clientDataJSON
        registration_response,
        challenge,
        trust_anchor_dir,
        trusted_attestation_cert_required,
        self_attestation_permitted,
        none_attestation_permitted,
        uv_required=False)  # User Verification

    try:
        webauthn_credential = webauthn_registration_response.verify()
    except Exception as e:
        return jsonify({'fail': 'Registration failed. Error: {}'.format(e)})

    # Step 17.
    #
    # Check that the credentialId is not yet registered to any other user.
    # If registration is requested for a credential that is already registered
    # to a different user, the Relying Party SHOULD fail this registration
    # ceremony, or it MAY decide to accept the registration, e.g. while deleting
    # the older registration.
    credential_id_exists = User.query.filter_by(
        credential_id=webauthn_credential.credential_id).first()
    if credential_id_exists:
        return make_response(
            jsonify({
                'fail': 'Credential ID already exists.'
            }), 401)

    existing_user = User.query.filter_by(username=username).first()
    if not existing_user:
        if sys.version_info >= (3, 0):
            # the library returns bytes; the model stores text columns
            webauthn_credential.credential_id = str(
                webauthn_credential.credential_id, "utf-8")
            webauthn_credential.public_key = str(
                webauthn_credential.public_key, "utf-8")
        user = User(
            ukey=ukey,
            username=username,
            display_name=display_name,
            pub_key=webauthn_credential.public_key,
            credential_id=webauthn_credential.credential_id,
            sign_count=webauthn_credential.sign_count,
            rp_id=RP_ID,
            icon_url='https://example.com')
        db.session.add(user)
        db.session.commit()
    else:
        return make_response(jsonify({'fail': 'User already exists.'}), 401)

    flash('Successfully registered as {}.'.format(username))
    return jsonify({'success': 'User successfully registered.'})
Second update: below is the full log I get:

webauthn.js:101
  attObj: "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjFD32HDgTSvcJxUiUIT6ViS4biCWKTR25PIW3beO9V5NdFAAAAALk_2WHy5kYvsSKCACJH3ngAQQE3Qz0J3qGBd7QOh2FvP3a9ngQ8ud1TaBCB0VlA355k9lESiLNEkP5UOwbo3ZnHzPR3NsTR_G7y3-JN5UCfu0V-pQECAyYgASFYID93HTRf5UtMsCsW9D5TyWQDSgMW2MDhiYWKnz3sq16zIlggmLLxXTKQyiabSwuLWNiTpJ3WQfmMoC_qX_QTuWPWHo4"
  clientData: "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoidFNOS3g5RnVyWFI4dlhVdVBkVms5azhDcEhlMWMydnlrbkdwYUhseXZKYyIsIm9yaWdpbiI6Imh0dHBzOlwvXC9uYWNlc2RlY2lkZS5oZXJva3VhcHAuY29tIiwiYW5kcm9pZFBhY2thZ2VOYW1lIjoiY29tLmFuZHJvaWQuY2hyb21lIn0"
  id: "ATdDPQneoYF3tA6HYW8_dr2eBDy53VNoEIHRWUDfnmT2URKIs0SQ_lQ7BujdmcfM9Hc2xNH8bvLf4k3lQJ-7RX4"
  rawId: "ATdDPQneoYF3tA6HYW8_dr2eBDy53VNoEIHRWUDfnmT2URKIs0SQ_lQ7BujdmcfM9Hc2xNH8bvLf4k3lQJ-7RX4"
  registrationClientExtensions: "{}"
  type: "public-key"
webauthn.js:107 Server validation of credential failed: Registration failed. Error: Registration rejected. Error: Unable to verify origin..
didClickRegister @ webauthn.js:107
async function (async)
didClickRegister @ webauthn.js:68
I think the problem is that your origin value has a trailing slash. The origin reported by the response is "https://nacesdecide.herokuapp.com", so the basic origin comparison fails because your ORIGIN "https://nacesdecide.herokuapp.com/" is not equivalent to the response's origin:

Response: "https://nacesdecide.herokuapp.com"
ORIGIN: "https://nacesdecide.herokuapp.com/"

If you remove the trailing slash, I bet everything will validate as expected.

@IAmKale's answer solved the initial problem. However, it is important to note that you may run into "Server error: Unexpected token < in JSON at position 0". I have not found a specific solution yet, but make sure a different username is used for each registration. Also, it seems that multiple registrations require different devices, one device per registration.

Your question needs more code. Could you include the options you pass into navigator.credentials.create(), as well as the attestation response that comes back? It would also help to know how you are calling whatever methods from the Duo library you use for verification.

@IAmKale thanks for the help. I have provided more code snippets as requested. It should be noted that the code I am using is drafted from [link]. Thank you for your code!

I think one more thing would help: could you include the output of console.log(newAssertionForServer) right before you POST newAssertionForServer to your server? With that piece of the puzzle it will be easier to try and pin down a solution to your problem.

@IAmKale I will do that right away.

@IAmKale I have now updated the question with the log. Thanks!

A new error has appeared: server validation of credential failed: SyntaxError: Unexpected token < in JSON at position 0. A server error occurred.

Sounds like you are returning non-JSON from your server. Look at the response body in the Network tab of your browser's dev tools and see what you are getting. Also, if my answer solved your initial problem, it would help the community to mark it as the solution; just click the checkmark next to it.

It returns HTML: Internal Server Error.

When I click the Register button, the fingerprint prompt does not appear the way it does when I visit [link] and choose the platform authenticator. When calling the API on the server, is there a way to state explicitly that I want the fingerprint prompt on the platform authenticator?

It looks like you need to look at the options the Duo Labs library outputs, specifically the "authenticatorAttachment" property in them.
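The trailing-slash diagnosis above, replayed as an added example (my code, not the question's and not Duo Labs' py_webauthn): it decodes the clientData string copied verbatim from the question's log, runs the type, challenge and origin checks an RP applies to clientDataJSON, and shows that the exact string compare fails against ORIGIN = 'https://nacesdecide.herokuapp.com/' but passes once the configured URL is reduced to a proper origin (scheme://host[:port], no path). Assumptions: the challenge found inside that clientData is taken as the value the server had issued; require_platform_authenticator is my own post-processing of the registration_dict, written to address the last comment about authenticatorAttachment, and is not a parameter of the library's WebAuthnMakeCredentialOptions.

```python
"""Added example (not code from the question or from the Duo Labs py_webauthn
library): replays the clientDataJSON checks that produced "Unable to verify
origin", using the clientData string copied from the question's console log,
and shows the normalized origin that makes the comparison pass."""
import base64
import json
from urllib.parse import urlsplit

# clientData exactly as printed in the question's log: base64url, no padding.
LOGGED_CLIENT_DATA = (
    "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoi"
    "dFNOS3g5RnVyWFI4dlhVdVBkVms5azhDcEhlMWMydnlrbkdwYUhseXZKYyIs"
    "Im9yaWdpbiI6Imh0dHBzOlwvXC9uYWNlc2RlY2lkZS5oZXJva3VhcHAuY29tIiwi"
    "YW5kcm9pZFBhY2thZ2VOYW1lIjoiY29tLmFuZHJvaWQuY2hyb21lIn0"
)
# The question's ORIGIN setting (note the trailing slash).
ORIGIN_WITH_SLASH = "https://nacesdecide.herokuapp.com/"
# Challenge the browser echoed back inside that clientData; it stands in for
# session['challenge'] (assumption: the server issued exactly this value).
SESSION_CHALLENGE = "tSNKx9FurXR8vXUuPdVk9k8CpHe1c2vyknGpaHlyvJc"


def b64url_decode(data: str) -> bytes:
    """Decode base64url as sent by the browser, which omits '=' padding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def parse_client_data(client_data_b64: str) -> dict:
    """clientDataJSON -> dict with 'type', 'challenge', 'origin', ..."""
    return json.loads(b64url_decode(client_data_b64).decode("utf-8"))


def normalize_origin(url: str) -> str:
    """Reduce a configured URL to the serialized origin the browser reports:
    lowercase scheme://host, a port only when it is not the scheme default,
    and never a path, so 'https://host/' becomes 'https://host'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("https", "http") or not parts.hostname:
        raise ValueError("origin must be an http(s) URL with a host: %r" % url)
    origin = "%s://%s" % (scheme, parts.hostname.lower())
    default_port = {"https": 443, "http": 80}[scheme]
    if parts.port is not None and parts.port != default_port:
        origin += ":%d" % parts.port
    return origin


def verify_client_data(client_data_b64: str, expected_origin: str,
                       expected_challenge: str,
                       expected_type: str = "webauthn.create"):
    """Return (ok, reason). Same order of checks an RP performs on
    clientDataJSON: ceremony type, challenge, then an exact origin compare."""
    cd = parse_client_data(client_data_b64)
    if cd.get("type") != expected_type:
        return False, "unexpected type %r" % cd.get("type")
    # Both sides compared without padding, as the question's server does
    # with session['challenge'] = challenge.rstrip('=').
    if cd.get("challenge", "").rstrip("=") != expected_challenge.rstrip("="):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "unable to verify origin"
    return True, "ok"


def demo():
    """Naive compare with the slash fails; the normalized origin passes."""
    naive = verify_client_data(LOGGED_CLIENT_DATA, ORIGIN_WITH_SLASH,
                               SESSION_CHALLENGE)
    fixed = verify_client_data(LOGGED_CLIENT_DATA,
                               normalize_origin(ORIGIN_WITH_SLASH),
                               SESSION_CHALLENGE)
    return naive, fixed


def require_platform_authenticator(registration_dict: dict,
                                   user_verification: str = "required") -> dict:
    """Assumption, not a library parameter: add authenticatorSelection to the
    PublicKeyCredentialCreationOptions dict before jsonify() so the browser only
    offers built-in (fingerprint / Hello) authenticators and demands user
    verification. Pair 'required' with uv_required=True on the server side."""
    opts = dict(registration_dict)
    opts["authenticatorSelection"] = {
        "authenticatorAttachment": "platform",
        "userVerification": user_verification,
    }
    return opts


if __name__ == "__main__":
    print(parse_client_data(LOGGED_CLIENT_DATA))
    print(demo())
```

Normalizing on the server is more robust than hand-editing the constant: the browser serializes the origin without any path, so a path in ORIGIN, including a lone "/", guarantees a mismatch, while a non-default port must be present and ":443" must not. If userVerification is set to "required" in the options, also pass uv_required=True to WebAuthnRegistrationResponse so the server enforces the UV flag in the authenticator data instead of trusting that a fingerprint prompt was shown.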