Trouble using passkeys on Ping Authenticate #2431

dionorgua opened this issue Dec 30, 2024 · 8 comments · May be fixed by #2432
Comments

@dionorgua

Have you searched for an existing issue?

  • Yes, I tried searching and reviewed the pinned issues

Brief Summary

Hi,

I'm trying to use KeepassXC to authenticate on a company portal that uses PingID auth (https://www.pingidentity.com/en.html).
I was able to enroll KeepassXC as 'biometrics' authentication.

But the authentication step doesn't work. Sometimes there is no message from KeepassXC (I think because authentication happens immediately during page load and the browser extension is not able to inject code). But when the request is captured, KeepassXC shows "no logins found":

{
  "challenge": "EDITED1",
  "enterpriseAttestationPossible": false,
  "rpId": "pingone.eu",
  "timeout": 120000,
  "userVerification": "required",
  "allowCredentials": [
    {
      "id": "EDITED2",
      "transports": [
        "internal"
      ],
      "type": "public-key"
    }
  ]
}

I've tried to debug it and found that KeepassXC compares 'allowCredentials' with the credentialId field of the passkey. But in my case it's not the same as EDITED2. I think it's because of type=public-key. So to match it properly it's required to get the public part from the private key.

Note: even when skipping this check for now (so that the entry is actually used), for some reason it doesn't accept the response. Not sure why. PingID reloads the page before trying to authenticate and before showing an error message, so it's hard to capture anything.

Steps to Reproduce

Hard to reproduce because it's not a public service.

Expected Versus Actual Behavior

No response

KeePassXC Debug Information

KeePassXC - Version 2.8.0-snapshot
Build Type: Snapshot
Revision: fb022cb

Qt 5.15.15
Debugging mode is enabled.

Operating system: Debian GNU/Linux trixie/sid
CPU architecture: x86_64
Kernel: linux 6.11.9-amd64

Enabled extensions:
- Auto-Type
- Browser Integration
- Passkeys

Cryptographic libraries:
- Botan 3.6.1

Operating System

Linux

Linux Desktop Environment

KDE

Linux Windowing System

X11

@droidmonkey
Member

The only value allowed for type is public-key. This is much more about how you registered the passkey and whether that is actually correct. The reason you can't match it is because the key is invalid for the site you are attempting to use it on.

@droidmonkey droidmonkey changed the title from "passkeys: allowCredentials with type=public-key is not implemented" to "Trouble using passkeys on Ping Authenticate" Dec 30, 2024
@varjolintu
Member

varjolintu commented Dec 30, 2024

You can enable debug logging from the extension settings and see the console for any messages during authentication. What kind of error message does the site show?

Btw, what is the length of the challenge? It should be at least 16 characters.
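To make the two points raised so far concrete (the extension matching allowCredentials against the stored credentialId, and the challenge-length sanity check), here is an added example that models how a passkey store decides which stored credential, if any, may answer a WebAuthn assertion request shaped like the JSON in the first post. This is not KeePassXC or keepassxc-browser code; the store layout, the helper names (rpIdMatchesOrigin, sameCredentialId, selectCredentials) and every credential ID and challenge value are constructed for the example, since the real ones were redacted in the issue.

```javascript
// Added example (not KeePassXC or keepassxc-browser code): a small model of how a
// passkey store filters a WebAuthn assertion request (navigator.credentials.get()
// options) against its stored passkeys. All names and sample data are constructed.

// Helper to build base64url sample IDs from readable strings (constructed values only).
const b64u = (s) => Buffer.from(s, "utf8").toString("base64url");

// Constructed request in the same shape as the issue's JSON (real IDs were redacted there).
const SAMPLE_REQUEST = {
  challenge: Buffer.from("0123456789abcdef0123456789abcdef").toString("base64url"), // 32 bytes
  rpId: "pingone.eu",
  timeout: 120000,
  userVerification: "required",
  allowCredentials: [
    { id: b64u("credential-A-constructed"), transports: ["internal"], type: "public-key" },
  ],
};

// Constructed passkey store: one entry matches the request, one is a stale
// enrollment for the same RP, one belongs to a different RP entirely.
const SAMPLE_STORE = [
  { name: "Ping (security key slot)", rpId: "pingone.eu", credentialId: b64u("credential-A-constructed") },
  { name: "Ping (old biometrics slot)", rpId: "pingone.eu", credentialId: b64u("credential-B-constructed") },
  { name: "Other site", rpId: "example.com", credentialId: b64u("credential-A-constructed") },
];

// The RP ID must equal the origin's host or be a parent domain of it.
function rpIdMatchesOrigin(rpId, originHost) {
  return originHost === rpId || originHost.endsWith("." + rpId);
}

// Compare two base64url credential IDs by their decoded bytes, so that padding
// or encoding differences alone never produce a spurious "no logins found".
function sameCredentialId(a, b) {
  return Buffer.from(a, "base64url").equals(Buffer.from(b, "base64url"));
}

// Returns the stored passkeys that may answer this request, plus any sanity
// problems that should stop the flow before a credential is even selected.
function selectCredentials(options, originHost, store) {
  const problems = [];
  if (Buffer.from(options.challenge, "base64url").length < 16) {
    problems.push("challenge is shorter than 16 bytes");
  }
  if (!rpIdMatchesOrigin(options.rpId, originHost)) {
    problems.push(`rpId ${options.rpId} is not valid for origin host ${originHost}`);
  }
  if (problems.length > 0) return { matches: [], problems };

  const forThisRp = store.filter((pk) => pk.rpId === options.rpId);
  // "public-key" is the only credential type defined by WebAuthn; anything else is ignored.
  const allow = (options.allowCredentials || []).filter((d) => d.type === "public-key");

  // An empty allowCredentials list means a discoverable-credential flow: any
  // passkey for this RP qualifies. Otherwise the stored credentialId must equal
  // one of the listed IDs. "transports" is only a hint and does not affect matching.
  const matches = allow.length === 0
    ? forThisRp
    : forThisRp.filter((pk) => allow.some((d) => sameCredentialId(d.id, pk.credentialId)));
  return { matches, problems };
}

// Stand-alone run over the constructed data.
console.log(JSON.stringify(selectCredentials(SAMPLE_REQUEST, "auth.pingone.eu", SAMPLE_STORE), null, 2));
```

With the constructed data only the "security key slot" entry is returned; a store holding only the stale "biometrics" enrollment would yield zero matches, which is the situation that surfaces as "no logins found" in the issue. The model deliberately stops at selection: userVerification "required" means the store must still perform its own user verification before signing, and a mismatch between rpId and the page origin is treated as a hard error rather than something to work around.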

@dionorgua
Author

@droidmonkey I think you're right. I found the JS code where I could dump the request and response that are sent to the server. And I can confirm that EDITED2 is the same when I'm authenticating with a Yubikey.

So I'm 99.9% sure that for my account it doesn't even try to authenticate using "Biometrics" (this is how the KeepassDX passkey was enrolled) at all. Most likely it's controlled by company IT.

At the same time there is still a 'race condition' because the browser extension injects code too late (authentication is triggered automatically somewhere in on_load). I would say that on Chromium it's almost impossible to give KeepassXC a chance to authenticate. On Firefox it requires 3-5 page reloads. I'll probably report it later if I observe it on a publicly available website.

PS. @varjolintu challenge is OK (more than 16 chars)

Thanks!

@dionorgua dionorgua closed this as not planned Dec 31, 2024
@droidmonkey
Member

Ping is either making an assumption that you are using an OS-native authenticator, or corporate policy is enforcing that to be the case. That would explain the race condition. They really should wait for everything to settle before issuing an authenticator request.

@dionorgua
Author

No. It's my personal Linux machine without any 'corporate' stuff. I think they did it on purpose to make a 'Greasemonkey'-like experience much harder.

Not being able to authenticate at all via passkeys is most likely corporate policy. But the fact that sometimes KeepassXC is not even trying to catch the authentication request is some sort of limitation of how browser integration works.

I think it should be easy enough to reproduce by creating a test website that does authentication somewhere in an on_load handler.

@varjolintu
Member

@dionorgua If you are familiar with loading an extension manually, you can try this branch where I tested script injection that happens before page load: https://github.com/keepassxreboot/keepassxc-browser/tree/fix/load_passkeys_scripts_at_document_start

@dionorgua
Author

@varjolintu I've checked this by loading a temporary addon in Firefox. And I can confirm that on Firefox (my primary browser) I can try to authenticate every time. And every time I'm getting the message "No logins found" from the browser extension.

PS. I've found another thing. Ping ID has no "Passkeys" support (or it's not enabled for me). But it has "Security key" (this is how I use the Yubikey) and "Biometrics" authentication. I think they should be somehow different if used without the browser extension. But I've found that KeepassXC-browser now intercepts both. And I'm able to enroll a passkey to both slots (but they are displayed with different icons in the Ping UI). I'm sure that it was not possible some time ago. And now the most important difference: with this patched browser extension I'm able to authenticate every time using this "Security Key". It works exactly the same way as the "Webauthn demo" or any other passkey-enabled website.


@varjolintu should I reopen this issue or create new one in browser extension repo?

So I would be very happy if this branch can be merged.

@varjolintu
Member

@dionorgua Let's reopen this and I'll try to finish that PR.

@varjolintu varjolintu reopened this Jan 3, 2025
@varjolintu varjolintu transferred this issue from keepassxreboot/keepassxc Jan 4, 2025
@varjolintu varjolintu linked a pull request Jan 5, 2025 that will close this issue
3 participants