joelekstrom / fastmate

A native Fastmail-wrapper for Mac.
MIT License

Add support for WebAuthn authentication #44

Open jsfrederick opened 3 years ago

jsfrederick commented 3 years ago

Joel,

We talked over email a while ago about adding FIDO2/WebAuthn to Fastmate. Here is the link to the Apple Developer Docs: https://developer.apple.com/documentation/authenticationservices/authenticating_a_user_through_a_web_service

Just opening up a ticket to keep it on your radar.

Thanks!

joelekstrom commented 3 years ago

Hi! Thanks. I investigated this a bit and I think it requires Fastmail to supply a WebAuthn service, which they don't to my knowledge. Please let me know if I'm mistaken - I'll keep this issue open for further reference.

jsfrederick commented 3 years ago

Good point, they might still be using the FIDO U2F API and not the WebAuthn API. I'll open a support ticket and ask.

They "could" be using WebAuthn and still be using the old U2F-style logon flow (UID - PW - Security Key). I'd really like to see them move to Passwordless with UV required.

jsfrederick commented 3 years ago

I just realized. I am pretty sure that Fastmail implemented WebAuthn. I can log in to the Fastmail iOS app on my iPhone using my YubiKey 5Ci. Since iOS ONLY supports WebAuthn (and NOT FIDO U2F), I am pretty sure that Fastmail is WebAuthn. Waiting on an answer to my support ticket to validate.

joelekstrom commented 3 years ago

They do support it internally, but they need to allow the "browser" (in this case Fastmate) to use it. It's not available to third-party apps, I believe (and probably for good reason).

pro-sumer commented 1 year ago

I was also able to add my YubiKey 5Ci (in Safari; see #90), but I still can't add Passkeys...

joelekstrom commented 1 year ago

I've looked a bit closer at this and to be able to support this, Fastmate needs access to the Fastmail OAuth API (https://www.fastmail.com/developer/oauth/). This is only available for select partners. I've written to them and asked for access but I wouldn't keep my expectations too high 😅

jsfrederick commented 1 year ago

Joel, can you post your Fastmail support ticket number here? We can then all open a support ticket with Fastmail and request that they add you to the "approved" OAuth providers.

pro-sumer commented 1 year ago

@joelekstrom Can you please explain how the OAuth API is going to help solve this issue?

With my current (limited) knowledge I understand why a "real" (third-party) email App, which uses IMAP/POP3/JMAP to communicate with Fastmail, would benefit from OAuth for logging in, but I don't see how OAuth would work for Fastmate (a wrapper around Fastmail's own web interface).

Looks like I can learn here? Hope you can explain this in a few lines... (if it's not too much effort)

joelekstrom commented 1 year ago

Either WebAuthn or OAuth helps because it allows me to open an external browser window to do the authentication part. You've probably seen other apps do something like "X wants to log in using Google", which opens a separate window. It's the only way to support peripherals like YubiKey, since Apple does not allow WKWebViews to do auth like this in-app.

WebAuthn would certainly be preferable since Apple has built-in libraries to handle it. But AFAIK Fastmail doesn't support it.

jsfrederick commented 1 year ago

OAuth is a federated authentication framework, think "login with Google or Apple". Based on my conversations with Fastmail, OAuth is how they allow 3rd-party clients to authenticate using WebAuthn/FIDO tokens. Joel cannot "support" WebAuthn/FIDO directly, as he's just a wrapper around a web session to Fastmail. The web framework he uses supports WebAuthn, but Fastmail does not allow it to pass that way. Utilizing OAuth, he can utilize the built-in WebAuthn capability in both the web framework and the Fastmail backend. At least that's how I understand this, as I'm not a developer.

pro-sumer commented 1 year ago

I still don't see how Fastmate can log in using WebAuthn/OAuth and then pass tokens to the Fastmail web interface / back-end.

But I would be very happy to see that in action some day!

pro-sumer commented 1 year ago

> WebAuthn would certainly be preferable since Apple has built-in libraries to handle it. But AFAIK Fastmail doesn't support it.

The Fastmail help page on 2FA has a section "WebAuthn/U2F or YubiKey OTP"...

(I don't know whether they fully support it; my YubiKey 5Ci works, but I can't set up a Passkey - maybe they don't allow platform authenticators?)

joelekstrom commented 1 year ago

While they do support hardware authenticators for their own web UI, the problem is that Apple does not allow it in web views embedded inside applications. So the workaround would be to authenticate by opening a browser.

If Fastmail allowed/supported it, Fastmate could open the auth page in Safari/Chrome, get a callback with the auth token, and then store that in a local cookie so it could be used by the web UI from inside Fastmate.
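The external-browser flow sketched in this comment, as an added illustration that is not Fastmate's own code: it uses Apple's ASWebAuthenticationSession (the system-provided browser window, which can use passkeys and security keys) to load an auth page, waits for a custom-scheme callback carrying a token, and drops that token into the WKWebView cookie store so the embedded web UI can send it. Every URL, scheme, cookie name and query parameter here is an assumed placeholder, since Fastmail has not published such an endpoint for Fastmate; the `state` check is an added safeguard so a stray callback cannot plant a cookie.

```swift
import Cocoa
import AuthenticationServices
import WebKit

// All endpoint, scheme and cookie names below are placeholders (assumptions):
// Fastmail has not published such a flow for Fastmate.
let authPageURL = URL(string: "https://auth.example.invalid/authorize?client_id=PLACEHOLDER")!
let callbackScheme = "fastmate"          // hypothetical redirect: fastmate://callback?token=...&state=...
let webUIHost = "app.example.invalid"    // stands in for the Fastmail web UI host the WKWebView loads
let sessionCookieName = "session"        // hypothetical cookie name the web UI expects

final class ExternalBrowserLogin: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?
    private weak var window: NSWindow?
    // Random nonce echoed back by the auth page; a callback carrying a different value is ignored.
    private let expectedState = UUID().uuidString

    func start(from window: NSWindow, completion: @escaping (Result<Void, Error>) -> Void) {
        self.window = window
        var components = URLComponents(url: authPageURL, resolvingAgainstBaseURL: false)!
        components.queryItems = (components.queryItems ?? []) + [URLQueryItem(name: "state", value: expectedState)]
        let s = ASWebAuthenticationSession(url: components.url!, callbackURLScheme: callbackScheme) { [self] url, error in
            guard let url = url else { return completion(.failure(error ?? URLError(.cancelled))) }
            let query = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems ?? []
            guard query.first(where: { $0.name == "state" })?.value == expectedState,
                  let token = query.first(where: { $0.name == "token" })?.value, !token.isEmpty else {
                return completion(.failure(URLError(.badServerResponse)))
            }
            installSessionCookie(token) { completion(.success(())) }
        }
        s.presentationContextProvider = self
        s.prefersEphemeralWebBrowserSession = false  // keep the browser's own passkey/YubiKey state available
        session = s
        if !s.start() { completion(.failure(URLError(.cannotConnectToHost))) }
    }

    // Store the returned token where WKWebView will send it to the web UI (the "local cookie" above).
    private func installSessionCookie(_ token: String, done: @escaping () -> Void) {
        let cookie = HTTPCookie(properties: [
            .domain: webUIHost, .path: "/", .name: sessionCookieName, .value: token,
            .secure: "TRUE", .expires: Date(timeIntervalSinceNow: 60 * 60 * 24),
        ])!
        WKWebsiteDataStore.default().httpCookieStore.setCookie(cookie, completionHandler: done)
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        return window ?? NSApp.windows.first ?? NSWindow()
    }
}
```

The app must also register the `fastmate` URL scheme in its Info.plist for the callback to reach the session; the cookie lands only in the app's own WKWebsiteDataStore, not in Safari.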

pro-sumer commented 1 year ago

> If Fastmail allowed/supported it, Fastmate could open the auth page in Safari/Chrome, get a callback with the auth token, and then store that in a local cookie so it could be used by the web UI from inside Fastmate.

That’s what I thought/feared…

I don’t think they will ever support/allow this, but sure hope I’m wrong!

pro-sumer commented 1 year ago

Could using the Web Browser entitlement help? (Or is that iOS specific?)