### Version
v4.39.1

### Deployment Method
Docker

### Reverse Proxy
Caddy

### Reverse Proxy Version
No response
### Description
I have 2 servers with 2 authelia instances having the same problem.

My yubikeys (I have 2) can be added and I can use them for 2fa login by entering my user and pass first, but when I try to use the "Sign in with a passkey" option, the keys are not recognized. I enter my pin, the key is blinking but the error pops:

> The security key doesn't look familiar. Please try a different one.

There is no next step for entering the password (for 2fa).
I tried 2 different webauthn configs, none works:

```yaml
webauthn:
  enable_passkey_login: true
  attestation_conveyance_preference: direct
  filtering:
    prohibit_backup_eligibility: true
  metadata:
    enabled: true
    validate_trust_anchor: true
    validate_entry: true
    validate_status: true
    validate_entry_permit_zero_aaguid: false
```

and

```yaml
webauthn:
  disable: false
  enable_passkey_login: true
  display_name: 'Authelia'
  attestation_conveyance_preference: 'indirect'
  timeout: '60 seconds'
  filtering:
    permitted_aaguids: []
    prohibited_aaguids: []
    prohibit_backup_eligibility: false
  selection_criteria:
    attachment: ''
    discoverability: 'preferred'
    user_verification: 'preferred'
  metadata:
    enabled: false
    validate_trust_anchor: true
    validate_entry: true
    validate_entry_permit_zero_aaguid: false
    validate_status: true
    validate_status_permitted: []
    validate_status_prohibited:
      - 'REVOKED'
      - 'USER_KEY_PHYSICAL_COMPROMISE'
      - 'USER_KEY_REMOTE_COMPROMISE'
      - 'USER_VERIFICATION_BYPASS'
      - 'ATTESTATION_KEY_COMPROMISE'
```
### Reproduction
Go to a protected service or to the auth.domain.com page and try to "Sign in with a passkey":
- I am prompted for the pin
- I press the key
- I am presented with the above error (key not familiar)
### Expectations
To be signed in directly (in case of a 1st factor) or to be presented the next screen to fill in my pass (for 2fa).
### Configuration (Authelia)

```yaml
theme: auto
default_2fa_method: totp
server:
  address: tcp://0.0.0.0:9091/
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
log:
  level: debug
  file_path: /config/log/authelia.log
  keep_stdout: true
totp:
  disable: false
  algorithm: sha512
  digits: 8
  period: 30
  skew: 1
  secret_size: 40
webauthn:
  enable_passkey_login: true
  attestation_conveyance_preference: direct
  filtering:
    prohibit_backup_eligibility: true
  metadata:
    enabled: true
    validate_trust_anchor: true
    validate_entry: true
    validate_status: true
    validate_entry_permit_zero_aaguid: false
authentication_backend:
  refresh_interval: 5m
  password_reset:
    disable: false
  file:
    path: /config/users_database.yml
    watch: false
    search:
      email: false
      case_insensitive: false
    password:
      algorithm: argon2
      argon2:
        variant: argon2id
        iterations: 3
        memory: 65536
        parallelism: 4
        key_length: 32
        salt_length: 16
password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
access_control:
  default_policy: two_factor
session:
  name: authelia_session
  same_site: lax
  inactivity: 5m
  expiration: 1h
  remember_me: 1M
  cookies:
    - domain: {{ env "DOMAIN_A" }}
      authelia_url: https://auth.{{ env "DOMAIN_A" }}
      default_redirection_url: https://{{ env "DOMAIN_A" }}
  redis:
    host: authelia_redis
    port: 6379
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 30m
storage:
  local:
    path: /config/db.sqlite3
notifier:
  disable_startup_check: false
  template_path: /config/email_templates
identity_providers:
  oidc:
    jwks:
      - key: {{ secret "/config/jwks/rsa.2048.pem" | mindent 10 "|" | msquote }}
    lifespans:
      access_token: 1h
      authorize_code: 1m
      id_token: 1h
      refresh_token: 90m
    enable_client_debug_messages: false
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - authorization
        #- pushed-authorization-request
        - token
        - revocation
        - introspection
        - userinfo
      allowed_origins: "*"
      allowed_origins_from_client_redirect_uris: false
    clients:
      - client_id: portainer
        client_name: Portainer #generate secret: docker run authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72
        client_secret: '$pbkdf2-sha512$310000$secret'
        public: false
        authorization_policy: two_factor
        redirect_uris:
          - https://portainer.domain.com
        scopes:
          - openid
          - groups
          - email
          - profile
        consent_mode: implicit
        userinfo_signed_response_alg: none
      - client_id: grafana
        client_name: Grafana
        client_secret: '$pbkdf2-sha512$310000$secret'
        public: false
        authorization_policy: two_factor
        redirect_uris:
          - https://graph.domain.com/login/generic_oauth
        scopes:
          - openid
          - profile
          - groups
          - email
        consent_mode: implicit
        userinfo_signed_response_alg: none
      - client_id: miniflux
        client_name: Miniflux RSS Reader
        client_secret: '$pbkdf2-sha512$310000$secret'
        public: false
        authorization_policy: two_factor
        redirect_uris:
          - https://flux.domain.com/oauth2/oidc/callback
        scopes:
          - openid
          - profile
          - groups
          - email
        consent_mode: implicit
        userinfo_signed_response_alg: none
```
### Build Information

```
~/shared/pidocker » docker run authelia/authelia:latest authelia build-info
Last Tag: v4.39.1
State: tagged clean
Branch: v4.39.1
Commit: 9a22f5c30b216b6d1aa1f80b6a36fac62e9f7727
Build Number: 41283
Build OS: linux
Build Arch: arm64
Build Compiler: gc
Build Date: Tue, 18 Mar 2025 14:49:44 +1100
Extra:

Go:
    Version: go1.24.1 X:nosynchashtriemap
    Module Path: github.com/authelia/authelia/v4
    Executable Path: github.com/authelia/authelia/v4/cmd/authelia
```
### Logs (Authelia)

```
time="2025-03-25T09:51:02+02:00" level=debug msg="Loaded Configuration Sources" files="[/config/configuration.yml]" filters="[template]"
time="2025-03-25T09:51:02+02:00" level=debug msg="Logging Initialized" fields.level=debug file=/config/log/authelia.log format= keep_stdout=true
time="2025-03-25T09:51:02+02:00" level=debug msg="Process user information" gid=1000 uid=1000
time="2025-03-25T09:51:02+02:00" level=warning msg="Configuration: access_control: no rules have been specified so the 'default_policy' of 'two_factor' is going to be applied to all requests"
time="2025-03-25T09:51:02+02:00" level=info msg="Authelia v4.39.1 is starting"
time="2025-03-25T09:51:02+02:00" level=info msg="Log severity set to debug"
time="2025-03-25T09:51:03+02:00" level=debug msg="Registering OpenID Connect 1.0 client with client id 'portainer' and policy 'two_factor'"
time="2025-03-25T09:51:03+02:00" level=debug msg="Registering OpenID Connect 1.0 client with client id 'grafana' and policy 'two_factor'"
time="2025-03-25T09:51:03+02:00" level=debug msg="Registering OpenID Connect 1.0 client with client id 'miniflux' and policy 'two_factor'"
time="2025-03-25T09:51:03+02:00" level=info msg="Storage schema is being checked for updates"
time="2025-03-25T09:51:03+02:00" level=info msg="Storage schema is already up to date"
time="2025-03-25T09:51:05+02:00" level=info msg="Startup complete"
time="2025-03-25T09:51:05+02:00" level=info msg="Listening for non-TLS connections on '[::]:9091' path '/'" server=main service=server
time="2025-03-25T09:51:28+02:00" level=debug msg="Mark 1FA authentication attempt made by user 'godmode'" method=POST path=/api/firstfactor remote_ip=192.168.1.153
time="2025-03-25T09:51:28+02:00" level=debug msg="Successful 1FA authentication attempt made by user 'godmode'" method=POST path=/api/firstfactor remote_ip=192.168.1.153
time="2025-03-25T09:51:34+02:00" level=debug msg="Mark TOTP authentication attempt made by user 'godmode'" method=POST path=/api/secondfactor/totp remote_ip=192.168.1.153
time="2025-03-25T09:51:34+02:00" level=debug msg="Successful TOTP authentication attempt made by user 'godmode'" method=POST path=/api/secondfactor/totp remote_ip=192.168.1.153
time="2025-03-25T09:51:47+02:00" level=debug msg="Sending an email to user to confirm identity for session elevation" id=fe66aa77-34de-4d08-9a03-456255311f71 method=POST path=/api/user/session/elevation remote_ip=192.168.1.153 signature=0c71ebbae063b72c94e2bbeeb133850a121e0f00e97cf2bb60113ecb942258a1352f1f0f49fa8d0ac6a5884d703918b110c0f352fe59d7a2cbe5b8eaa97b0b09 username=godmode
time="2025-03-25T09:51:59+02:00" level=debug msg="Getting user details for notification" method=DELETE path=/api/secondfactor/webauthn/credential/1 remote_ip=192.168.1.153
time="2025-03-25T09:51:59+02:00" level=debug msg="Getting user addresses for notification" method=DELETE path=/api/secondfactor/webauthn/credential/1 remote_ip=192.168.1.153
time="2025-03-25T09:51:59+02:00" level=debug msg="Sending an email to user godmode (\"status quo\" <hello@irvi.net>) to inform them of an important event." method=DELETE path=/api/secondfactor/webauthn/credential/1 remote_ip=192.168.1.153
time="2025-03-25T09:52:27+02:00" level=debug msg="Getting user details for notification" method=POST path=/api/secondfactor/webauthn/credential/register remote_ip=192.168.1.153
time="2025-03-25T09:52:27+02:00" level=debug msg="Getting user addresses for notification" method=POST path=/api/secondfactor/webauthn/credential/register remote_ip=192.168.1.153
time="2025-03-25T09:52:27+02:00" level=debug msg="Sending an email to user godmode (\"status quo\" <hello@irvi.net>) to inform them of an important event." method=POST path=/api/secondfactor/webauthn/credential/register remote_ip=192.168.1.153
time="2025-03-25T09:53:39+02:00" level=debug msg="Mark 1FA authentication attempt made by user 'godmode'" method=POST path=/api/firstfactor remote_ip=192.168.1.153
time="2025-03-25T09:53:39+02:00" level=debug msg="Successful 1FA authentication attempt made by user 'godmode'" method=POST path=/api/firstfactor remote_ip=192.168.1.153
time="2025-03-25T09:53:49+02:00" level=debug msg="Mark WebAuthn authentication attempt made by user 'godmode'" method=POST path=/api/secondfactor/webauthn remote_ip=192.168.1.153
time="2025-03-25T09:53:49+02:00" level=debug msg="Successful WebAuthn authentication attempt made by user 'godmode'" method=POST path=/api/secondfactor/webauthn remote_ip=192.168.1.153
```
### Logs (Proxy / Application)

### Documentation
No response

### Generative AI
No
### Pre-Submission Checklist
- I agree to follow the Code of Conduct
- This is a bug report and not a support request
- I have read the security policy and this bug report is not a security issue or security related issue
- I have either included the complete configuration file or I am sure it's unrelated to the configuration
- I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant
- I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide
- I have checked for related proxy or application logs and included them if available
- I have checked for related issues and checked the documentation
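The Authelia log lines in the "Logs (Authelia)" section above are logrus-style `key=value` records in which every authentication handler first logs a "Mark ... authentication attempt" message and then, on success, a "Successful ... authentication attempt" message for the same user and method. The script below is an added example, not part of this issue and not Authelia's own code: it parses that format (including double-quoted values with `\"` escapes, as in the notification lines) and pairs each Mark with its Successful counterpart per user and method, so that an attempt that was marked but never completed stands out when reading a debug log like the one posted. The function names are this example's own, the sample lines are copied from the issue's log, and the final sample line is constructed here to show what an unmatched attempt looks like.

```python
"""Parse Authelia debug logs and pair Mark/Successful authentication attempts.

Added example (not Authelia's code). Assumes the logrus text format and the
attempt message wording seen in the issue's log section.
"""
import re
from collections import defaultdict

# One key=value token; quoted values may contain \" escapes, unquoted values
# run to the next whitespace. Keys may contain dots (e.g. fields.level).
TOKEN = re.compile(r'([A-Za-z0-9_.]+)=("(?:[^"\\]|\\.)*"|\S*)')

# The two messages Authelia logs around an authentication attempt.
ATTEMPT = re.compile(
    r"^(Mark|Successful) (\S+) authentication attempt made by user '([^']+)'$"
)

SAMPLE_LOG = [
    # Lines copied from the issue's "Logs (Authelia)" section.
    'time="2025-03-25T09:51:28+02:00" level=debug msg="Mark 1FA authentication attempt made by user \'godmode\'" method=POST path=/api/firstfactor remote_ip=192.168.1.153',
    'time="2025-03-25T09:51:28+02:00" level=debug msg="Successful 1FA authentication attempt made by user \'godmode\'" method=POST path=/api/firstfactor remote_ip=192.168.1.153',
    'time="2025-03-25T09:51:34+02:00" level=debug msg="Mark TOTP authentication attempt made by user \'godmode\'" method=POST path=/api/secondfactor/totp remote_ip=192.168.1.153',
    'time="2025-03-25T09:51:34+02:00" level=debug msg="Successful TOTP authentication attempt made by user \'godmode\'" method=POST path=/api/secondfactor/totp remote_ip=192.168.1.153',
    'time="2025-03-25T09:51:59+02:00" level=debug msg="Sending an email to user godmode (\\"status quo\\" <hello@irvi.net>) to inform them of an important event." method=DELETE path=/api/secondfactor/webauthn/credential/1 remote_ip=192.168.1.153',
    'time="2025-03-25T09:53:49+02:00" level=debug msg="Mark WebAuthn authentication attempt made by user \'godmode\'" method=POST path=/api/secondfactor/webauthn remote_ip=192.168.1.153',
    'time="2025-03-25T09:53:49+02:00" level=debug msg="Successful WebAuthn authentication attempt made by user \'godmode\'" method=POST path=/api/secondfactor/webauthn remote_ip=192.168.1.153',
    # Constructed line (not from the issue): a marked attempt with no success.
    'time="2025-03-25T09:55:00+02:00" level=debug msg="Mark WebAuthn authentication attempt made by user \'godmode\'" method=POST path=/api/secondfactor/webauthn remote_ip=192.168.1.153',
]


def parse_line(line: str) -> dict:
    """Turn one logrus text line into a dict of its fields (quotes removed)."""
    fields = {}
    for key, raw in TOKEN.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def audit_attempts(lines) -> dict:
    """Pair Mark/Successful attempt messages per (user, method), in order.

    Returns a dict with three lists of (user, method, path, time) tuples:
      completed  - attempts that were marked and then reported successful
      unmatched  - Mark entries with no later Successful entry
      stray      - Successful entries with no preceding Mark entry
    """
    pending = defaultdict(list)
    out = {"completed": [], "unmatched": [], "stray": []}
    for line in lines:
        f = parse_line(line)
        m = ATTEMPT.match(f.get("msg", ""))
        if not m:
            continue
        stage, method, user = m.groups()
        key = (user, method)
        record = (user, method, f.get("path", ""), f.get("time", ""))
        if stage == "Mark":
            pending[key].append(record)
        elif pending[key]:
            pending[key].pop(0)  # oldest open Mark for this user/method
            out["completed"].append(record)
        else:
            out["stray"].append(record)
    for records in pending.values():
        out["unmatched"].extend(records)
    return out


if __name__ == "__main__":
    result = audit_attempts(SAMPLE_LOG)
    for name in ("completed", "unmatched", "stray"):
        print(f"{name}:")
        for user, method, path, when in result[name]:
            print(f"  {when} {user} {method} {path}")
```

Run against the posted log, every Mark line has a matching Successful line (1FA twice, TOTP once, second-factor WebAuthn once); only the constructed final line ends up in `unmatched`. The pairing is per (user, method) so concurrent users do not interfere, and the `stray` list catches a Successful message without a preceding Mark, which would indicate a parsing gap or a truncated log rather than a real flow.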