Help with Passkeys in a Self-Hosted setup

[jordanhandy]

Hello,

Passkeys don't seem to be working with my setup. Hoping for some guidance. When I visit my accounts URL (as a redirect from Passkeys under the Security menu), a popup says "could not retrieve passkeys" or similar. When I attempt to name a new passkey, I'm met with "couldn't add passkey".

Some of my config:

museum.yaml

webauthn:
    # Our "Relying Party" ID. This scopes the generated credentials.
    # See: https://www.w3.org/TR/webauthn-3/#rp-id
    rpid: accounts.mydomain.com
    # Whitelist of origins from where we will accept WebAuthn requests.
    # See: https://github.com/go-webauthn/webauthn
    rporigins:
       # - "http://localhost:3001"
        - "https://accounts.mydomain.com"
...

apps:
  accounts: https://accounts.mydomain.com

compose.yaml

...
web:
    image: ghcr.io/ente-io/web
    # Uncomment what you need to tweak.
    ports:
      - 3000:3000 # Photos web app
      - 3001:3001 # Accounts
      - 3002:3002 # Public albums
      - 3003:3003 # Auth
      - 3004:3004 # Cast
    environment:
      NEXT_PUBLIC_ENTE_ENDPOINT: https://web.mydomain.com
      NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT: https://albums.mydomain.com
      NEXT_PUBLIC_ENTE_ACCOUNTS_URL: https://accounts.mydomain.com

When I visit the page, the server logs show a GET taking place, but I don't see much else. Wondering if there is another logging location to check

In the above *.mydomain is changed to my actual TLD

Thanks for the help

[kzshantonu]

Just use mydomain.com for rp* values

[kzshantonu]

@jordanhandy Ok I just checked my config. Try mydomain.com for rpid and https://accounts.mydomain.com for rporigins

[jordanhandy]

@kzshantonu unfortunately still not working. I tried what you suggested (and the inverse, where rpid is the full address) and included each variation of the domain in the rporigins value as a list, and also as a single value. No such luck.

I appreciate the suggestions, though

Is it possible for you to share your entire config file? Can you mask your domains and other sensitive info? Maybe there's another dependent piece I'm missing?

[kzshantonu]

@jordanhandy of course here you go

[jordanhandy]

@kzshantonu

Thank you for your help! I was able to solve this. Not sure exactly which edit was the fix, but (in case someone else has the same issue) I made the following edits to my files as they didn't exist prior:

compose.yaml

• Under the environment key for the museum service, I added the NEXT_PUBLIC_ENTE_ENDPOINT value to point back to my API custom domain
• Under the environment key for the web service, I added values for the NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT, ENTE_API_ORIGIN, and ENTE_ALBUMS_ORIGIN

museum.yaml

• Under the webauthn section, I ensured my rpid and rporigins values were as you suggested with the root domain and subpaths respectively
• Under the apps section, I removed the key for auth (not sure where I found to put this in, but it doesn't appear officially documented under apps anyway

Thanks again. Most likely the fix was the environment variables in the compose file is my guess.

[VIEWVIEWVIEW]

I just had the same issue. It is the webauthn values which fixed the issue. Setting the additional endpoints wasn't necessary. :)

@kzshantonu
museum.yaml

* Under the `webauthn` section, I ensured my `rpid` and `rporigins` values were as you suggested with the root domain and subpaths respectively

* Under the `apps` section, I removed the key for `auth` (not sure where I found to put this in, but it doesn't appear officially documented under `apps` anyway

Thanks again. Most likely the fix was the environment variables in the compose file is my guess.