joelekstrom / fastmate

A native Fastmail-wrapper for Mac.
MIT License
194 stars 12 forks source link

Add support for WebAuthn authentication #44

Open jsfrederick opened 3 years ago

jsfrederick commented 3 years ago

Joel,

We talked over email a while ago about adding FIDO2/WebAuthn to Fastmate. Here is the link to the Apple Developer Docs: https://developer.apple.com/documentation/authenticationservices/authenticating_a_user_through_a_web_service

Just opening up a ticket to keep it on your radar.

Thanks!

joelekstrom commented 3 years ago

Hi! Thanks. I investigated this a bit and I think it requires Fastmail to supply a webauth service which the don’t to my knowledge. Please let me know if I’m mistaken - I’ll keep this issue open for further reference

jsfrederick commented 3 years ago

Good point, they might still be using the FIDO U2F API and not the WebAuthn API. I'll open a support ticket and ask.

They "could' be using WebAuthn and are still using the old U2F Style logon flow (UID - PW - Security Key). I'd really like to see them move to Passwordless with UV required.

jsfrederick commented 3 years ago

I just realized. I am pretty sure that Fastmail implemented WebAuthn. I can login the Fastmail iOS app on my iPhone using my YubiKey 5Ci. Since iOS ONLY supports WebAuthn (and NOT FIDO U2F), I am pretty sure that Fastmail is WebAuthn. Waiting on an answer to my support ticket to validate.

joelekstrom commented 3 years ago

They do support it internally but they need to allow the “browser” (in this case Fastmate) to use it. It’s not available to third party apps I believe (and probably for good reason)

pro-sumer commented 2 years ago

I was also able to add my YubiKey 5Ci (in Safari; see #90), but I still can't add Passkeys...

joelekstrom commented 2 years ago

I've looked a bit closer at this and to be able to support this, Fastmate needs access to the Fastmail OAuth API (https://www.fastmail.com/developer/oauth/). This is only available for select partners. I've written to them and asked for access but I wouldn't keep my expectations too high 😅

jsfrederick commented 2 years ago

Joel, can you post your Fastmail support ticket number here? We can then all open a support ticket with Fastmail and request that they add you to the "approved" OAuth providers.

pro-sumer commented 2 years ago

@joelekstrom Can you please explain how the OAuth API is going to help solving this issue?

With my current (limited) knowledge I understand why a "real" (third-party) email App, which uses IMAP/POP3/JMAP to communicate with Fastmail, would benefit from OAuth for logging in, but I don't see how OAuth would work for Fastmate (a wrapper around Fastmail's own web interface).

Looks like I can learn here? Hope you can explain this in a few lines... (if it's not too much effort)

joelekstrom commented 2 years ago

Either Webauthn or OAuth helps because it allows me to open an external browser window to do the authentication part. You’ve probably seen other apps do something like “X wants to login using Google” which opens a separate window. It’s the only way to support peripherals like Yubikey since Apple does not allow WKWebViews to do auth like this in-app.

Webauthn would certainly be preferably since Apple has built in libraries to handle it. But AFAIK Fastmail doesn’t support it

jsfrederick commented 2 years ago

OAuth is a Federated Authentication framework, think login with Google or Apple. Based on my conversations with FastMail, OAuth is how they allow 3rd party clients to authenticate using WebAuthn/FIDO tokens. Joel cannot "support" WebAuthn/FIDO directly as hes just a wrapper around a web session to Fastmail. The Web framework he uses supports WebAuthn, but FastMail does not allow it to pass that way. Utilizing OAuth, he can utilize the built in WebAuthn capability in both the web framework and the FastMail backend. At least that's how I understand this as I'm not an developer.

pro-sumer commented 2 years ago

I still don't see how Fastmate can log in using WebAuthn/OAuth and then pass tokens to the Fastmail web interface / back-end.

But I would be very happy to see that in action some day!

pro-sumer commented 2 years ago

Webauthn would certainly be preferably since Apple has built in libraries to handle it. But AFAIK Fastmail doesn’t support it

The Fastmail help page on 2FA has a section "WebAuthn/U2F or YubiKey OTP"...

(I don't know whether they fully support it; my YubiKey 5Ci works, but I can't set up a Passkey - maybe they don't allow platform authenticators?)

joelekstrom commented 2 years ago

While they do support hardware authenticators for their own Web UI, the problem is that Apple does not allow it in web views embedded inside applications. So the workaround would be auth by opening a browser.

If Fastmail allowed/support it, Fastmate could open the auth page in Safari/Chrome, get a callback with the auth token, and then store that in a local cookie so it could be used by the web UI from inside Fastmate.

pro-sumer commented 2 years ago

If Fastmail allowed/support it, Fastmate could open the auth page in Safari/Chrome, get a callback with the auth token, and then store that in a local cookie so it could be used by the web UI from inside Fastmate.

That’s what I thought/feared…

I don’t think they will ever support/allow this, but sure hope I’m wrong!

pro-sumer commented 2 years ago

Could using the Web Browser entitlement help? (Or is that iOS specific?)