RocketChat / Rocket.Chat.Electron

Official OSX, Windows, and Linux Desktop Clients for Rocket.Chat
https://rocket.chat/
MIT License

SAML + WebAuthn Login: More verbosity or Token-Prompt-PopUp #2441

Open b90g opened 2 years ago

b90g commented 2 years ago

Describe the bug
When having 2FA WebAuthn activated on SSO/SAML, the Electron client isn't very transparent about what user interaction is expected from the user.

What operating system and which version? Linux Debian Bullseye
Which version of Rocket.Chat (Server)? 4.8
Which version of Rocket.Chat.Electron (Electron/Desktop)? latest as of writing the issue
Is there any relevant setting changed? not really

To Reproduce

  1. Log in to your RC instance via SAML SSO on the desktop/Electron app
  2. Have WebAuthn as 2FA in SAML

Expected behavior
Getting prompted to connect & touch the security token

Actual behavior

jeanfbrito commented 2 years ago

Hello @b90g, could you show a video of how it works on the browser and on Electron so we can understand better what's happening?

b90g commented 2 years ago

https://peertube.netzbegruenung.de/videos/watch/45935f4b-f447-4550-a7ea-d1dcd26f6eab

Inexperienced users might not know what to do. I suggest having the same pop-up for interaction requests with the security token.

(This time I used the Snap package on Fedora 36, btw.)

steffen-kdab commented 1 year ago

I have similar problems. Rocket.Chat 5.3.2, Electron client 3.8.13, using Keycloak via Custom OAuth. On Linux, it works fine with the Yubikey, but on OSX the workflow looks "weird". I have both a Yubikey and the MacBook fingerprint reader registered as WebAuthn devices in Keycloak, but the fingerprint reader doesn't work. It never shows the fingerprint popup or seems to try to access the reader. The Yubikey works, but "blind" like the issue creator describes, i.e. with no popup.

Both work fine on a browser.

KramNamez commented 1 year ago

Fascinating, I can't get it to work at all in the desktop client on Linux. (v3.9.6) With or without PIN, my security keys don't work, neither as 2FA nor for passwordless login.

Which is to say, yes, the NitroKey at least starts blinking, but it fails to ask for a PIN for passwordless and in either case it immediately fails when I touch the security key.

Ah, but I've realized we're using OIDC, not SAML... Going to test that.