Skip to content

Make acceptable AAGUID ckeck in WebAuthn stricter#48404

Open
rmartinc wants to merge 1 commit intokeycloak:mainfrom
rmartinc:issue-48388
Open

Make acceptable AAGUID ckeck in WebAuthn stricter#48404
rmartinc wants to merge 1 commit intokeycloak:mainfrom
rmartinc:issue-48388

Conversation

@rmartinc
Copy link
Copy Markdown
Contributor

@rmartinc rmartinc commented Apr 23, 2026

Closes #48388

PR to make the AAGUID check in WebAuthn strict. Previously we were accepting some corner cases that allow to inject the AAGUID from an untrusted source. The PR also limits the AAGUID to not include the none attestation (which is also untrusted). Normally the none format anonymizes the AAGUID to the zero AAGUID, so it's totally useless. I added a note as notable change, but it's between notable and breaking, a proper configuration is OK, but maybe some weird configurations can fail (like allowing none with the zero AAGUID as accepted, it's useless, you are accepting any authenticator with no attestation). I can move the note to a breaking change if you think it's more a breaking change than a notable one. The note is for 26.6.2, I'll move it if not ready for the new version. Tests added but in the old TS, we need to disable the trust-store for keycloak and that is going to be complicated in the new TS. So I prefer to not do it for this PR.

@rmartinc rmartinc requested review from a team as code owners April 23, 2026 11:28
This was referenced Apr 23, 2026
Open
Open
Open
@keycloak-github-bot
Copy link
Copy Markdown

keycloak-github-bot Bot commented Apr 23, 2026

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.forms.MultipleTabsLoginTest#testWithAuthSessionExpiredInTheMiddle_badRedirectUri

Keycloak CI - Forms IT (chrome)

org.opentest4j.AssertionFailedError: Expected ErrorPage but was localhost (https://localhost:8543/auth/realms/test/login-actions/authenticate?execution=0bec3531-f144-465f-97c8-6d8b0e3584a5&client_id=test-app&tab_id=LZ6NbdjwwOM&client_data=eyJydSI6Imh0dHBzOi8vbG9jYWxob3N0Ojg1NDMvYXV0aC9yZWFsbXMvbWFzdGVyL2FwcC9hdXRoIiwicnQiOiJjb2RlIn0) ==> expected: <true> but was: <false>
	at org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
	at org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
	at org.junit.jupiter.api.AssertTrue.failNotTrue(AssertTrue.java:63)
	at org.junit.jupiter.api.AssertTrue.assertTrue(AssertTrue.java:36)
...

Report flaky test

org.keycloak.testsuite.authz.PolicyEvaluationTest#

Keycloak CI - Base IT (3)

org.opentest4j.AssertionFailedError: expected: <PERMIT> but was: <null>
	at org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
	at org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
	at org.junit.jupiter.api.AssertEquals.failNotEqual(AssertEquals.java:197)
	at org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:182)
...

org.opentest4j.AssertionFailedError: expected: <PERMIT> but was: <null>
	at org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
	at org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
	at org.junit.jupiter.api.AssertEquals.failNotEqual(AssertEquals.java:197)
	at org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:182)
...

org.opentest4j.AssertionFailedError: expected: <PERMIT> but was: <null>
	at org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
	at org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
	at org.junit.jupiter.api.AssertEquals.failNotEqual(AssertEquals.java:197)
	at org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:182)
...

Report flaky test

keycloak-github-bot[bot]
keycloak-github-bot Bot reviewed Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown

@keycloak-github-bot keycloak-github-bot Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@mabartos mabartos self-requested a review April 23, 2026 13:24
@rmartinc rmartinc requested a review from tnorimat April 23, 2026 17:29
@rmartinc
Copy link
Copy Markdown
Contributor Author

rmartinc commented Apr 23, 2026

@tnorimat I have added you as a reviewer. Your review would be awesome if you have time. If not, don't worry.

@tnorimat
Copy link
Copy Markdown
Contributor

tnorimat commented Apr 23, 2026

@rmartinc Hello, yes I will review the PR soon.

tnorimat
tnorimat reviewed Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@tnorimat tnorimat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rmartinc Hello, I added minor comments. Could you check them?
Also, it seems that you implemented the tests by arquillian integration test. Is that OK?
It seems that it might be better to implement the tests by new JUnit test.

Comment thread services/src/main/java/org/keycloak/authentication/requiredactions/WebAuthnRegister.java
break;
}
if (NoneAttestationStatement.FORMAT.equals(response.getAttestationObject().getFormat())) {
throw new WebAuthnException("Acceptable AAGUIDs requires a format different to none.");
Copy link
Copy Markdown
Contributor

@tnorimat tnorimat Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about the following?
"Acceptable AAGUIDs require an attestation format other than 'none'."

Comment thread ...se/src/test/java/org/keycloak/testsuite/webauthn/registration/WebAuthnOtherSettingsTest.java
registerDefaultUser();

webAuthnErrorPage.assertCurrent();
assertThat(webAuthnErrorPage.getError(), containsString("Acceptable AAGUIDs requires a format different to none."));
Copy link
Copy Markdown
Contributor

@tnorimat tnorimat Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about the following?
"Acceptable AAGUIDs require an attestation format other than 'none'."

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mabartos mabartos Awaiting requested review from mabartos

2 more reviewers

@tnorimat tnorimat tnorimat left review comments

@keycloak-github-bot keycloak-github-bot[bot] keycloak-github-bot[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

flaky-test team/cloud-native team/core-clients team/core-iam team/ui

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration

2 participants

@rmartinc @tnorimat