RocketChat / Rocket.Chat.ReactNative

Rocket.Chat mobile clients
https://rocket.chat
MIT License

The OAuth login browser window does not support WebAuthn on Android #4005

Open krzys-h opened 2 years ago

krzys-h commented 2 years ago

Description:

We use Keycloak as an authentication provider for Rocket.Chat via OAuth. Users who set up 2FA via WebAuthn (e.g. YubiKey) are unable to log in, because the WebView window that Rocket.Chat opens for OAuth logins does not support WebAuthn.

Not supporting WebAuthn in WebView seems to be an intentional design decision. The recommendation seems to be that Android Custom Tabs should be used for OAuth flows in native apps instead. See RFC 8252 and this excellent video from Google. Implementing it this way also has an additional benefit of allowing the user to skip the login with the external provider if they are already signed in to the browser. Also see a related issue in the ownCloud native app: https://github.com/owncloud/android/issues/2036

Environment Information:

Steps to reproduce:

  1. Set up an OAuth authentication provider which uses WebAuthn
  2. Try to log in using the mobile app

Expected behavior:

The login flow works

Actual behavior:

The login flow fails with a "WebAuthn not supported" error.

diegolmello commented 2 years ago

That's interesting. We've been talking about the solution you mentioned. Thanks for reporting this.

samuk commented 2 years ago

Subscribe

KramNamez commented 1 year ago

Is there any progress on this?