
OAuth login with Webauthn not working in Webview #5681

Open
o- opened this issue May 20, 2024 · 4 comments
o- commented May 20, 2024

Description:

We set up Rocket with external OAuth using Keycloak. When Keycloak is configured for second factor authentication using WebAuthn, authentication fails with the Rocket native Android app.

Environment Information:

  • Rocket.Chat Server Version: 6.8.0
  • Rocket.Chat App Version: 4.48.0 and 4.49.0
  • Device Name: Pixel 6a
  • OS Version: Android 14

Steps to reproduce:

  1. Set up a Keycloak instance, see e.g. https://www.keycloak.org/getting-started/getting-started-docker
  2. Set up Rocket.Chat with Keycloak, see https://docs.rocket.chat/use-rocket.chat/authentication/saml/keycloak
  3. Configure WebAuthn, see e.g. https://keycloak.ch/keycloak-tutorials/tutorial-webauthn/
  4. On the phone visit https:///realms//account/#/security/signingin and click "Set up security Key" -> Register and add the phone as a second factor.
  5. Open Rocket Android app and enter the workspace name.
  6. Click on "Continue with Keycloak Login"
  7. Provide credentials to Keycloak
  8. Try WebAuthn Authenticator as second factor

Expected behavior:

WebAuthn should work. When I log in with Chrome on the same phone I am asked for the screen pin and the phone successfully authenticates using WebAuthn with Keycloak.

Actual behavior:

Response "Failed to authenticate by the Security Key" from Keycloak.

Probably the reason is that Android WebView does not support WebAuthn, see https://groups.google.com/a/chromium.org/g/blink-dev/c/qCJhuuZH5p0.

Additional context:

The best would be to open external OAuth authentication links using the device browser instead of opening them inside the app. Most other apps, when configured with OIC or OAuth, follow this approach.
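An added example, not code from the issue, Rocket.Chat or Keycloak, of the check a login page can run before presenting the security-key step: it detects a missing WebAuthn API or an Android WebView embedding and falls back to another enrolled factor, or tells the user to open the login in the device browser, rather than failing later with the opaque error above. The window objects, user-agent strings and enrolled-factor lists are constructed stand-ins.

```javascript
// Added example, not code from the issue, Rocket.Chat or Keycloak.
// Before a login page offers the WebAuthn step, check whether the embedding
// context can complete it; otherwise fall back to another enrolled factor or
// explain that the login must be opened in the device browser.

// Android WebView puts a "; wv)" token in its user agent string.
const ANDROID_WEBVIEW_RE = /Android[^)]*; wv\)/;

function assessWebauthnContext(win) {
  const ua = (win.navigator && win.navigator.userAgent) || "";
  const reasons = [];
  if (win.isSecureContext !== true) reasons.push("insecure-context");
  if (typeof win.PublicKeyCredential !== "function") reasons.push("no-publickeycredential");
  if (ANDROID_WEBVIEW_RE.test(ua)) reasons.push("android-webview");
  return { canAttempt: reasons.length === 0, reasons };
}

// Choose which second factor to present, given the factors enrolled on the account.
function chooseSecondFactor(win, enrolled) {
  const ctx = assessWebauthnContext(win);
  if (enrolled.includes("webauthn") && ctx.canAttempt) {
    return { factor: "webauthn", message: null };
  }
  const why = ctx.reasons.join(", ");
  if (enrolled.includes("totp")) {
    return {
      factor: "totp",
      message: ctx.canAttempt ? null : `Security key unavailable here (${why}); use your authenticator app.`,
    };
  }
  return {
    factor: null,
    message: ctx.reasons.includes("android-webview")
      ? "Open this login in your device browser to use your security key."
      : `No usable second factor in this context (${why}).`,
  };
}

// Constructed stand-ins for the two contexts in the report: Chrome on the phone
// (WebAuthn works) and the app's WebView (modelled here as lacking the API).
const chromeOnPixel = {
  isSecureContext: true,
  PublicKeyCredential: function PublicKeyCredential() {},
  navigator: { userAgent: "Mozilla/5.0 (Linux; Android 14; Pixel 6a) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36" },
};
const appWebView = {
  isSecureContext: true,
  navigator: { userAgent: "Mozilla/5.0 (Linux; Android 14; Pixel 6a; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.0.0 Mobile Safari/537.36" },
};
```

Calling `chooseSecondFactor(appWebView, ["webauthn"])` yields no usable factor and the device-browser message, which is the situation the report describes; with TOTP also enrolled it falls back to TOTP instead.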

@diegolmello
Member

Hey. We have plans to make it possible to log in via external browsers, which would add support for physical security keys to all services (we did it for Google already #2703 #2284), but we can't do it right now, sadly. There are more important items atm.

@KramNamez

That's a shame. Rocket.Chat is the last service we have that doesn't work nicely with Passkeys, and the only reason we still have to support TOTPs for MFA, so we'd love to see that change at some point.

Do you have any idea when you'll get around to it? Any sort of roadmap, or is it purely "we'll get around to it eventually, hopefully"? (It's understandable if it's the latter, though obviously I'm hoping for something more concrete.)

@milton-rucks

Hey @KramNamez

Unfortunately, the answer is that we'll get around to it eventually.

We are currently focused on closing accessibility gaps and new end-to-end encryption requirements on mobile.

@KramNamez

Fair enough - those are both pretty obviously huge and important topics too. Fingers crossed that you get around to it shortly after those :)
