Webauthn attestation fails with truststore

Hi everybody,

I am trying to set up webauthn authentication as a second factor and encounter the following issue.

When registering the webauthn authenticator, it fails with an ‘invalid cert path’ message in the logs (full log below). I suspect that keycloak fails to verify the authenticator attestation.

In the realm webauthn configuration the Attestation Conveyance Preference param is set to none. So from my understanding keycloak should not try to deal with the attestation.

The administration guide states: “If you want to omit this attestation statement trustworthiness validation, please disable this truststore or set the WebAuthn policy’s configuration item “Attestation Conveyance Preference” to “none”.”

Disabling the truststore does fix the webauthn registration process, but we need this truststore for LDAPS.

It looks like a bug to me, maybe I missed something…
Has someone encountered this issue? Is there another way to disable webauthn attestation verification?

Log message:

2020-05-20 17:44:30,429 WARN  [org.keycloak.authentication.requiredactions.WebAuthnRegister] (default task-4) webauthn-error-registration
2020-05-20 17:44:30,430 WARN  [org.keycloak.events] (default task-4) type=CUSTOM_REQUIRED_ACTION_ERROR, realmId=cnrs, clientId=https://tcgdspjanus.users.interne, userId=827ccb2c-f868-44b1-a247-2935c1755c13, ipAddress=172.16.112.82, error=invalid_registration, credential_type=webauthn, auth_method=saml, web_authn_registration_error_detail='invalid cert path', custom_required_action=webauthn-register, response_type=code, web_authn_registration_error=webauthn-error-registration, redirect_uri=http://tcgdspjanus.users.interne/Shibboleth.sso/SAML2/POST, remember_me=false, code_id=8e5b5e5b-dd2f-42c0-bea2-e79447b6d554, response_mode=query, username=colin.bontemps, authSessionParentId=8e5b5e5b-dd2f-42c0-bea2-e79447b6d554, authSessionTabId=kvABveydwEY

Many thanks in advance!

Colin
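Added diagnostic, not from the original post or from Keycloak: decode the attestationObject the browser returns during registration (visible in the browser's devtools as the base64url value posted back to the server) and check whether its attStmt carries an x5c certificate chain. Under conveyance "none" the browser sends fmt "none" with an empty attStmt, so there is no certificate path for a truststore to validate; a certificate-path check only has something to act on when x5c is present. The sample bytes are constructed, and a minimal CBOR decoder is included so the script runs offline.

```python
import base64

# Minimal CBOR decoder, enough for a WebAuthn attestationObject
# (unsigned/negative ints, byte and text strings, arrays, maps).
def cbor_decode(buf, pos=0):
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info in (24, 25, 26):
        width = {24: 1, 25: 2, 26: 4}[info]
        n = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major in (2, 3):  # byte string / UTF-8 text string
        chunk = bytes(buf[pos:pos + n])
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + n
    if major in (4, 5):  # array / map (a map is 2*n alternating key, value)
        items = []
        for _ in range(n * (major - 3)):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    raise ValueError("unsupported CBOR major type %d" % major)

def attestation_summary(attestation_object):
    """Report the attestation format and whether attStmt carries an x5c chain,
    the only case a truststore-backed certificate-path check can apply to.
    Accepts the raw CBOR bytes or the base64url string sent by the browser."""
    raw = attestation_object
    if isinstance(raw, str):
        raw = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    obj, _ = cbor_decode(raw)
    att_stmt = obj.get("attStmt") or {}
    chain = att_stmt.get("x5c", []) if isinstance(att_stmt, dict) else []
    return {"fmt": obj.get("fmt"), "x5c_count": len(chain),
            "cert_path_check_applies": len(chain) > 0}

# Constructed sample of what a browser returns under conveyance "none":
# {"fmt": "none", "attStmt": {}, "authData": <37 zero bytes>}
SAMPLE_NONE = (b"\xa3\x63fmt\x64none\x67attStmt\xa0\x68authData\x58\x25"
               + bytes(37))
```

If the summary for a failing registration already reports fmt "none" with no x5c, the "invalid cert path" error is not caused by the attestation the browser sent.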