Okta Classic Engine | Lifecycle Management | Answered | Created 2022-09-15T09:00:39.000Z | Last modified 2022-09-16T20:57:46.000Z
FIDO/webauthn factor activation

When trying to activate a FIDO2 token through the API with the endpoint:

{{url}}/api/v1/users/{{userId}}/factors/{{factorId}}/lifecycle/activate

I receive this error:

attestedRpIdHash in authData did not match SHA256 hash of any trusted hostnames, which consist of the hostnames of the request URL and of this org's trusted origins.

I have configured Trusted Origin and I'm using the URL defined on it for RPID.

What can be the problem?

Thanks in advance.

Fred


  • Hello @User16539857494684566264 (Customer) Thank you for reaching out to our Community!

    By default, you do not need to add any URLs in Trusted Origin when setting up FIDO2. However, further looking into this, could this be a case where you would like to configure FIDO2 for a tenant with a Custom Domain? If so, you can enroll for WebAuthn from a custom domain, but the user must log into that custom domain (d.domain.com) in order for WebAuthn to work. However, the user cannot log into the Okta domain (i.e. d.okta.com) and use the same WebAuthn to log in. The user must reset the WebAuthn MFA (from the custom domain) and re-enroll from the okta.com domain to use WebAuthn, and vice versa. You should be able to test for this behaviour to confirm.

    There was an Idea for this, please see:

    https://ideas.okta.com/app/#/case/126309

    However, this was closed because of migration to the new platform. You would want to re-submit one.

This question is closed.
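The error in the question states the check the relying party performs: the first 32 bytes of the WebAuthn authenticatorData (rpIdHash) must equal the SHA-256 of one of the candidate hostnames, namely the hostname of the request URL and the hostnames of the org's trusted origins. The answer adds that a credential enrolled on a custom domain carries that domain's hash, so it cannot match the okta.com hostname. The following Python is an added illustration of that check, not Okta's code and not the poster's; the hostnames, the tenant URL and the authenticatorData bytes are constructed for the example, and only the fixed 37-byte prefix of authenticatorData is modelled.

```python
import hashlib
import hmac
import struct
from typing import List, Optional
from urllib.parse import urlsplit

# Flag bits of the authenticatorData flags byte (WebAuthn Level 2, section 6.1).
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04
FLAG_ATTESTED_CREDENTIAL_DATA = 0x40


def build_auth_data(rp_id: str,
                    flags: int = FLAG_USER_PRESENT | FLAG_ATTESTED_CREDENTIAL_DATA,
                    sign_count: int = 0) -> bytes:
    """Constructed sample: the 37-byte prefix of authenticatorData produced by an
    authenticator that was given rp.id == rp_id. Real registration data continues
    with attested credential data, which the rpIdHash check does not need."""
    # Browsers hash the RP ID as its ASCII (punycode) form; idna encoding leaves
    # plain ASCII hostnames unchanged.
    rp_id_hash = hashlib.sha256(rp_id.encode("idna")).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def parse_auth_data(auth_data: bytes) -> dict:
    """Split the authenticatorData prefix into rpIdHash, flags and signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_USER_PRESENT),
        "user_verified": bool(flags & FLAG_USER_VERIFIED),
        "attested_credential_data": bool(flags & FLAG_ATTESTED_CREDENTIAL_DATA),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def candidate_hostnames(request_url: str, trusted_origins: List[str]) -> List[str]:
    """Hostnames the error message says are compared: the request URL's host plus
    the host of each configured trusted origin (scheme, port and path ignored)."""
    hosts: List[str] = []
    for url in [request_url, *trusted_origins]:
        host = urlsplit(url).hostname  # already lowercased by urlsplit
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def match_rp_id_hash(auth_data: bytes, request_url: str,
                     trusted_origins: List[str]) -> Optional[str]:
    """Return the hostname whose SHA-256 equals rpIdHash, or None when nothing
    matches, which is the condition behind the activation error in the question."""
    rp_id_hash = parse_auth_data(auth_data)["rp_id_hash"]
    for host in candidate_hostnames(request_url, trusted_origins):
        expected = hashlib.sha256(host.encode("idna")).digest()
        if hmac.compare_digest(expected, rp_id_hash):
            return host
    return None


if __name__ == "__main__":
    # Constructed scenario: the credential was enrolled on the custom domain, so the
    # authenticator hashed that hostname into authData. The activation request goes
    # to the okta.com tenant URL (placeholder tenant name).
    auth = build_auth_data("login.example.com")
    api_url = "https://example.okta.com/api/v1/users/u1/factors/f1/lifecycle/activate"
    print(match_rp_id_hash(auth, api_url, ["https://login.example.com"]))
    print(match_rp_id_hash(auth, api_url, []))  # no trusted origin: mismatch
```

Running the script with the custom domain listed as a trusted origin finds the match; with an empty trusted-origin list the hash matches nothing and the function returns None, which is the state the error message describes. The same parser also shows why a credential enrolled against one hostname cannot be activated or asserted against another: the RP ID is fixed in the hash at enrollment time.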