C++ native application using WebAuthn.dll with WebAuthn.h for FIDO2 authentication from an IdP,, fails with HTTP ERROR :403

Mahaboob Aslam 1 Reputation point
2021-01-22T09:10:27.567+00:00

I am writing C++ native application using WebAuthn.dll using WebAuthn.h for FIDO2 for an IdP.
In this application, i am using the following APIs of WebAuthn.dll

Developer Environment:
++++++++++++++++++++++

OS: Windows10
Version: 1909
VisualStudio : 2019
Windows SDK version: 10.0.18362.0
Reference header file: https://github.com/microsoft/webauthn.h

To fill the structures for the below API to "MakeCredential"
we are making a call to the following URLs with the respective payloads in Json format:

For Registration:
+++++++++++++++++

These 3 calls are post calls
1)
URL: "https://url/...."

Payload: {"username":"","password":""}

2)
URL: https://url/....

Payload: {"factorType":"webauthn","provider":"FIDO","stateToken":""}

3)
Client data for registration: {"type":"webauthn.create","challenge":"","origin":"https://url","crossOrigin":false}

URL: https://url/....

Payload: {"attestation":"", "clientData":"","stateToken":""}

This attestation data is obtained from the below call from the output parameter "PWEBAUTHN_CREDENTIAL_ATTESTATION" i.e., pbAttestationObject from the below API MakeCredential().
Step3 payload data attestation and clientData is converted to base64 fomat...

API for Registration:
+++++++++++++++++++++

HRESULT WINAPI WebAuthNAuthenticatorMakeCredential(
In HWND hWnd,
In PCWEBAUTHN_RP_ENTITY_INFORMATION pRpInformation,
In PCWEBAUTHN_USER_ENTITY_INFORMATION pUserInformation,
In PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS pPubKeyCredParams,
In PCWEBAUTHN_CLIENT_DATA pWebAuthNClientData,
_In_opt_ PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS pWebAuthNMakeCredentialOptions,
_Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_ATTESTATION *ppWebAuthNCredentialAttestation);

For Authentication:
+++++++++++++++++++

To fill the structures for the below API to "MakeCredential"
we are making a call to the following URLs with the respective payloads in Json format:

These 3 calls are POST calls
1)
URL : https://url/....

Payload: {"username":"","password":""}

2)
URL: https://url/....

Payload: {"stateToken":""}

3)
Client data for authentication: {"type":"webauthn.get","challenge":"","origin":"https://url","crossOrigin":false}

URL:https://url/....

Payload: {"authenticatorData":"","clientData":"","signatureData":"","stateToken":""}

Here the authenticatorData and signatureData are obtained from this "PWEBAUTHN_ASSERTION" structure which is an output parameter for GetAssertion() call from the below api.
The data is then converted to base64 format, and then sent to the Relying party server for Verification... using a post call

API for Authentication:
+++++++++++++++++++++++

HRESULT WINAPI WebAuthNAuthenticatorGetAssertion(
In HWND hWnd,
In LPCWSTR pwszRpId,
In PCWEBAUTHN_CLIENT_DATA pWebAuthNClientData,
_In_opt_ PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS pWebAuthNGetAssertionOptions,
_Outptr_result_maybenull_ PWEBAUTHN_ASSERTION *ppWebAuthNAssertion);

These two APIs talk to the TPM to makecredentials during Registration and GetAssertion durinn the Authentication process.

When i use these apis in my code i get S_OK response during the registration and Authentication, when i trap on my fingerprint reader of My PC using Windows Hello

With the attestation data received from MakeCredential API's "PWEBAUTHN_CREDENTIAL_ATTESTATION output parameter pbAttestationObject" ,
And make a call to IDp for registration with the challenge, i am able to get registered in the relying party server.

Again with the Authenticator data received from WebAuthNAuthenticatorGetAssertion()'s PWEBAUTHN_ASSERTION structure's data pbAuthenticatorData
which is an output parameter i am not able to get Authentication success from the Relying party server when i make a post call.
I get an Http error 403 forbidden......

i have also refered to this blog in the following link:
https://social.msdn.microsoft.com/Forums/en-US/16692253-327c-4247-b657-42e484d84a53/webauthndll-in-windows-10-ltsc?forum=windowssecurity

As discussed in the blog for "WebAuthn.dll in windows 10 ltsc RRS feed Archived Forums > Application Security for Windows Desktop"
I am running the application with Admin previlages....
But still i get an Http error 403 forbidden ......

Both the Registration and Authentication or two part of my code which is as a single Application.

Could any one help me out in this regards to get my authentication Success..

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,779 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Carl Fan 6,836 Reputation points
    2021-01-26T10:08:43.08+00:00

    Hi,
    According to your description, I suggest that you'd better post this issue to Application Security for Windows Desktop - Msdn forum. As they will be more professional on your issue, it's a right place you could get more help.
    https://social.msdn.microsoft.com/Forums/en-US/home?forum=windowssecurity
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl

    0 comments No comments