We use Keycloak as an authentication provider for Rocket.Chat via OAuth. Users who set up 2FA via WebAuthn (e.g. YubiKey) are unable to log in, because the WebView window that Rocket.Chat opens for OAuth logins does not support WebAuthn.
Not supporting WebAuthn in WebView seems to be an intentional design decision. The recommendation seems to be that Android Custom Tabs should be used for OAuth flows in native apps instead. See RFC 8252 and this excellent video from Google. Implementing it this way also has an additional benefit of allowing the user to skip the login with external provider if they are already signed in the browser. Also see a related issue in the ownCloud native app: https://github.com/owncloud/android/issues/2036
Environment Information:
Rocket.Chat Server Version: 4.4.1
Rocket.Chat App Version: 4.26.2.30996
Device Name: Samsung Galaxy S8+
OS Version: Android 9
Steps to reproduce:
1. Set up an OAuth authentication provider which uses WebAuthn
2. Try to log in using the mobile app
Expected behavior:
The login flow works
Actual behavior:
The login flow fails with a "WebAuthn not supported" error.