Webauthn/Yubikey devices don't work on secondary sites during sign in
Summary
Reproduced on 15.11.2-ee
When signing into a secondary site with a user that has a registered WebAuthn or YubiKey device on their account, and the user attempts to use the correct registered WebAuthn device for the 2FA step, the attempt fails with one of the following error messages, depending on the browser:
- Chrome:
You're using a security key that's not registered with this website
- Firefox:
This device has not been registered with us. (InvalidStateError)
Steps to reproduce
- Set up a GitLab Geo environment with separate URLs for the primary and secondary sites.
- On the primary site, configure your user with 2FA and add a WebAuthn device.
- Sign out of the primary site, and sign back in to confirm you are able to use the registered WebAuthn device to pass 2FA.
- Sign into your secondary site. When prompted for your registered WebAuthn device, activate it. The attempt will fail with the errors mentioned in the summary.
- As a workaround, the user can fall back to TOTP 2FA.
Example Project
N/A
What is the current bug behavior?
When signing into a secondary site with a user that has a registered WebAuthn or YubiKey device on their account, and the user attempts to use the correct registered WebAuthn device for the 2FA step, the attempt fails.
What is the expected correct behavior?
When signing into a secondary site with a user that has a registered WebAuthn or YubiKey device on their account, and the user attempts to use the correct registered WebAuthn device for the 2FA step, the attempt should succeed.
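The symptoms above are consistent with how WebAuthn scopes credentials: a credential is bound to the Relying Party ID (the effective domain of the site that registered it), the authenticator only offers it to that RP ID, and the relying party independently checks that the rpIdHash in the returned authenticator data matches the RP ID it expects. The added example below is an illustration of that check and is not code from this issue or from GitLab; whether RP ID binding is the actual root cause here is an assumption, not something the report confirms. The hostnames are constructed stand-ins for a Geo primary and secondary with separate URLs.

```python
# Added illustration (not from the issue or GitLab): WebAuthn binds a credential
# to an RP ID, and the relying party verifies rpIdHash on every assertion.
import hashlib

# Constructed hostnames standing in for a Geo primary and secondary with separate URLs.
PRIMARY_RP_ID = "gitlab-primary.example"
SECONDARY_RP_ID = "gitlab-secondary.example"


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the RP ID; it occupies the first 32 bytes of authenticator data."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def make_authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """Build the fixed-size prefix of authenticator data for a simulated assertion:
    rpIdHash (32 bytes) || flags (1 byte, user-present bit set) || signCount (4 bytes, big-endian).
    A real authenticator derives rpIdHash from the RP ID the browser passes to it, which is
    why a key registered on one domain is not even offered when another domain asks for it."""
    flags = 0x01  # UP: user present
    return rp_id_hash(rp_id) + bytes([flags]) + sign_count.to_bytes(4, "big")


def rp_id_check_passes(auth_data: bytes, expected_rp_id: str) -> bool:
    """Relying-party side step from the WebAuthn assertion verification procedure:
    the rpIdHash in authData must equal SHA-256 of the RP ID the server expects."""
    return len(auth_data) >= 37 and auth_data[:32] == rp_id_hash(expected_rp_id)


def simulate_sign_in(credential_rp_id: str, site_rp_id: str) -> str:
    """Outcome of a 2FA assertion produced for `credential_rp_id` when the site
    verifying it expects `site_rp_id`."""
    auth_data = make_authenticator_data(credential_rp_id, sign_count=1)
    return "ok" if rp_id_check_passes(auth_data, site_rp_id) else "rpIdHash mismatch"


if __name__ == "__main__":
    # Same RP ID on both sides: passes. Credential bound to the primary, checked by the
    # secondary: rejected, mirroring the sign-in failure described in this issue.
    print("primary:  ", simulate_sign_in(PRIMARY_RP_ID, PRIMARY_RP_ID))
    print("secondary:", simulate_sign_in(PRIMARY_RP_ID, SECONDARY_RP_ID))
```

In practice the failure surfaces earlier than this server-side check: the browser asks the authenticator for a credential under the secondary's RP ID, none exists, and the browser reports the key as not registered for the site. Either way the mitigation is the same from a defender's view: the RP ID that the sign-in page requests must match the RP ID the credential was created under, which is why TOTP (not domain-bound) still works as the fallback.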
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
(For installations with the omnibus-gitlab package, run and paste the output of `sudo gitlab-rake gitlab:env:info`. For installations from source, run and paste the output of `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`.)
Results of GitLab application Check
(For installations with the omnibus-gitlab package, run and paste the output of `sudo gitlab-rake gitlab:check SANITIZE=true`. For installations from source, run and paste the output of `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`. We will only investigate if the tests are passing.)