RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/
40.12k stars 10.36k forks

SSO Login does not support FIDO keys #29784

Open KramNamez opened 1 year ago

KramNamez commented 1 year ago

Description:

To log in to the Rocket.Chat desktop app, I have to log in via our Keycloak instance for SSO. Since I set up my FIDO keys (a NitroKey and a Yubikey) with PINs, I can no longer use them in this process. I have to switch over to the password-based login flow and use a TOTP as the 2nd factor.

Rocket.Chat should instead prompt me for the PIN for the FIDO keys and continue with the passwordless login flow (or at the very least use them for 2FA).

Edit: In fact, they do not work at all, with or without PINs. Having deactivated my TOTP (as I only want to use unphishable credentials), I can no longer use the desktop app.

Steps to reproduce:

  1. Set up a WebAuthn key for passwordless login in Keycloak and configure a PIN for it.
  2. Try to use it to log in to Rocket.Chat.

Expected behavior:

Rocket.Chat redirects to Keycloak, where I am prompted for the PIN and log in with my FIDO key.

Actual behavior:

Rocket.Chat redirects to Keycloak, where I am not prompted for a PIN and my FIDO keys simply fail to work.

Server Setup Information:

Client Setup Information:

KramNamez commented 1 year ago

Correction: The desktop app doesn't support using security keys at all.

KramNamez commented 11 months ago

It turns out that by setting "attestation conveyance preference" to "none" and "user verification" to "discouraged", I can at least use the FIDO authenticators as 2FA in the desktop app.

This is still a rather strange limitation, especially as the usual "touch your security key" popup from the browser fails to appear. You just have to know that it's working anyway.

Plus, it should also be able to ask for a PIN and allow for passwordless flows.
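The workaround above changes the realm's two-factor WebAuthn policy in Keycloak, and the security-relevant caveat is that "discouraged" user verification means the key is no longer asked for its PIN, so it proves possession only; the passwordless policy must keep requiring user verification or a key used alone becomes a single factor. The following script is an added example for this thread, not Rocket.Chat or Keycloak code: it reads a Keycloak realm JSON export, reports whether the workaround is applied, flags a passwordless policy that does not require user verification, and returns a hardened copy. The attribute names are the realm-level WebAuthn policy keys as they appear in a Keycloak realm export (the "WebAuthn Policy" and "WebAuthn Passwordless Policy" pages in the admin console); check them against your own export before relying on this, and the sample export is constructed.

```python
"""Audit the WebAuthn policies of a Keycloak realm export.

Added example for this thread; it is not Rocket.Chat or Keycloak code.
The keys below are the realm-level WebAuthn policy attributes as they
appear in a Keycloak realm JSON export; verify them against your export.
"""
import json

# Two-factor ("WebAuthn Policy") keys, the ones the workaround changes.
TWO_FACTOR_ATTESTATION = "webAuthnPolicyAttestationConveyancePreference"
TWO_FACTOR_UV = "webAuthnPolicyUserVerificationRequirement"
TWO_FACTOR_AAGUIDS = "webAuthnPolicyAcceptableAaguids"
# Passwordless ("WebAuthn Passwordless Policy") keys, which the workaround
# must NOT weaken: without required user verification, possession of the
# key alone logs the user in.
PASSWORDLESS_ATTESTATION = "webAuthnPolicyPasswordlessAttestationConveyancePreference"
PASSWORDLESS_UV = "webAuthnPolicyPasswordlessUserVerificationRequirement"

# Constructed sample: a realm export trimmed to the WebAuthn keys, with the
# workaround applied to the two-factor policy and the passwordless policy
# left at Keycloak's defaults ("not specified").
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "example",
    TWO_FACTOR_ATTESTATION: "none",
    TWO_FACTOR_UV: "discouraged",
    TWO_FACTOR_AAGUIDS: [],
    PASSWORDLESS_ATTESTATION: "not specified",
    PASSWORDLESS_UV: "not specified",
})


def parse_realm_export(text: str) -> dict:
    """Load a realm export; only the top-level realm object is needed."""
    realm = json.loads(text)
    if not isinstance(realm, dict) or "realm" not in realm:
        raise ValueError("not a Keycloak realm export")
    return realm


def workaround_applied(realm: dict) -> bool:
    """True when the two-factor policy matches the thread's workaround."""
    return (realm.get(TWO_FACTOR_ATTESTATION) == "none"
            and realm.get(TWO_FACTOR_UV) == "discouraged")


def audit_webauthn_policy(realm: dict) -> list:
    """Return human-readable findings about the realm's WebAuthn policies."""
    findings = []
    uv_2fa = realm.get(TWO_FACTOR_UV, "not specified")
    if uv_2fa == "discouraged":
        findings.append(
            "two-factor policy: user verification 'discouraged'; the key is "
            "not asked for a PIN and proves possession only, so the password "
            "remains the knowledge factor")
    # With attestation 'none' the realm cannot verify which authenticator
    # model registered, so an AAGUID allowlist is not enforceable.
    if (realm.get(TWO_FACTOR_ATTESTATION) == "none"
            and realm.get(TWO_FACTOR_AAGUIDS)):
        findings.append(
            "two-factor policy: attestation 'none' makes the configured "
            "AAGUID allowlist unverifiable")
    uv_pwless = realm.get(PASSWORDLESS_UV, "not specified")
    if uv_pwless != "required":
        findings.append(
            f"passwordless policy: user verification '{uv_pwless}'; a key "
            "used alone is a single factor unless this is 'required'")
    return findings


def harden_passwordless(realm: dict) -> dict:
    """Copy of the realm with the passwordless policy requiring user
    verification, leaving the two-factor workaround untouched."""
    fixed = dict(realm)
    fixed[PASSWORDLESS_UV] = "required"
    return fixed


if __name__ == "__main__":
    realm = parse_realm_export(SAMPLE_REALM_EXPORT)
    print("workaround applied:", workaround_applied(realm))
    for finding in audit_webauthn_policy(realm):
        print("-", finding)
    print("after hardening:", audit_webauthn_policy(harden_passwordless(realm)))
```

Run it against a real export (`kc.sh export` or the admin console's realm export) by replacing `SAMPLE_REALM_EXPORT`; the equivalent change to the hardened copy can be applied live with the admin CLI, for example `kcadm.sh update realms/<realm> -s webAuthnPolicyPasswordlessUserVerificationRequirement=required`. The finding for the two-factor policy is informational: it is the trade-off the workaround makes, and the password still supplies the second factor.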