
Unable to add more than 6 acceptable AAGUIDs for WebAuthn

    Details

    • Steps to Reproduce:
      • Log into Keycloak Admin Console as an admin
      • Go to Authentication -> WebAuthn Policy
      • Add 6 AAGUIDs (e.g. 00000000-0000-0000-0000-000000000000) to the Acceptable AAGUIDs field. This will be successful.
      • Add a 7th AAGUID. This will fail with an error message "javax.persistence.PersistenceException: org.hibernate.exception.DataException: could not execute statement".
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Summary

      Only 6 AAGUIDs can be added to the Acceptable AAGUID field under WebAuthn Policy of the Keycloak Admin Console because the underlying database column only allows 255 characters. We should be able to whitelist more than 6 AAGUIDs.

      Details

      An authenticator device used by WebAuthn contains an AAGUID that can be used to identify the type of the authenticator. Each AAGUID is 36 characters long including hyphens (e.g. 00000000-0000-0000-0000-000000000000).

      These AAGUIDs can be whitelisted in the Keycloak Admin Console via Authentication -> WebAuthn Policy -> Acceptable AAGUIDs. This list of AAGUIDs is then converted into one comma-separated string by org.keycloak.models.jpa.RealmAdapter.setWebAuthnPolicy() and inserted into the "value" column of the "realm_attribute" table in Keycloak's database.

      However, because this column is only 255 characters long, only six AAGUIDs can be added (6 x 36 AAGUID characters + 5 commas = 221 total characters). Adding more than 6 will fail with the error message above.

      There should be support for whitelisting more than 6 AAGUIDs.
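      The following is an added example, not code from Keycloak: it models the comma-joined serialization and the 255-character column described above, so that an operator can check how many AAGUIDs a policy can hold before the save fails with an opaque PersistenceException. The `fits_in_column` and `max_aaguids_for_column` helpers are hypothetical names, and the capacity formula generalizes to any column width; the sample AAGUIDs are constructed.

```python
import re

# Constraints taken from the issue: the list is stored as one comma-separated
# string in realm_attribute.value, which is limited to 255 characters.
COLUMN_MAX_CHARS = 255
AAGUID_LEN = 36
# Hyphenated hex form of an AAGUID (8-4-4-4-12), 36 characters in total.
AAGUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_aaguid(aaguid: str) -> bool:
    """True if the value is a well-formed 36-character AAGUID."""
    return len(aaguid) == AAGUID_LEN and AAGUID_RE.match(aaguid) is not None


def serialize_acceptable_aaguids(aaguids: list[str]) -> str:
    """Model of how the policy list is flattened: entries joined by commas."""
    bad = [a for a in aaguids if not validate_aaguid(a)]
    if bad:
        raise ValueError(f"malformed AAGUID(s): {bad}")
    return ",".join(aaguids)


def fits_in_column(aaguids: list[str], max_chars: int = COLUMN_MAX_CHARS) -> bool:
    """Pre-flight check (hypothetical helper): would the serialized list be
    accepted by a VARCHAR(max_chars) column instead of raising a DataException?"""
    return len(serialize_acceptable_aaguids(aaguids)) <= max_chars


def max_aaguids_for_column(max_chars: int = COLUMN_MAX_CHARS) -> int:
    """Largest n with n * 36 characters + (n - 1) commas <= max_chars."""
    return (max_chars + 1) // (AAGUID_LEN + 1)


def demo(count: int) -> tuple[int, bool]:
    """Build `count` constructed AAGUIDs and report (serialized length, fits)."""
    ids = [f"00000000-0000-0000-0000-{i:012d}" for i in range(count)]
    serialized = serialize_acceptable_aaguids(ids)
    return len(serialized), len(serialized) <= COLUMN_MAX_CHARS


if __name__ == "__main__":
    print("6 AAGUIDs:", demo(6))   # 221 characters, fits
    print("7 AAGUIDs:", demo(7))   # 258 characters, exceeds 255
    print("max for 255-char column:", max_aaguids_for_column())
```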

              People

              • Assignee:
                Unassigned
              • Reporter:
                andy.kim.unity3d Andy Kim