RPID Mismatch Loop #224
Description
When configuring the Credential Provider it is possible to set the registry attribute:
- trusted_rpids
This should correspond to the rpid of the privacyIDEA Server used in the enrollment-policy.
If these values do not match, so for example:
- Credential Provider trusted_rpids: local.de
- privacyIDEA webauthn_relying_party_id: example.local.de
Then the Credential Provider can not be used together with Passkeys, which have been enrolled with the rpid "example.local.de".
This behavior is how it should function and expected. The problem arises when using the authentication-policy passkey_trigger_by_pin.
Normally a user would login with a Passkey via the "Use Passkey" button. Here the Credential Provider answers with the standard behavior and provides the user with an input field for the otp. This is how it should function to not reveal too much information to potential attackers. The CP Log contains this entry:
SECURITY ALERT: Operation blocked. Requested RPID 'example.local.com' is not in the allowed list (trusted_rpids).
However there are scenarios, where a user would like to use the passkey, as a challenge response token. In this scenario they would activate passkey_trigger_by_pin. If the configured rpids do not match in this scenario and the user enters their username+password. Then the credential provider goes into a loop and further authentication is impossible until the credential provider has reset.
Here also the same log entry appears:
SECURITY ALERT: Operation blocked. Requested RPID 'example.local.com' is not in the allowed list (trusted_rpids).
The credential provider then asks for the PIN of the Passkey and also shows the Connecting to privacyIDEA... Screen in an infinite loop.