vlaci / openconnect-sso

Wrapper script for OpenConnect supporting Azure AD (SAMLv2) authentication to Cisco SSL-VPNs
GNU General Public License v3.0

Support WebAuthn #53

Closed rustycl0ck closed 2 years ago

rustycl0ck commented 3 years ago

First of all, thank you so much for building this nice wrapper. This made it so much easier for me to connect to my VPN from a Linux system.

However, I recently switched from traditional OTP-based MFA to security-key (YubiKey) based MFA. But I can't seem to get it to work with openconnect-sso because it does not open a new popup dialog box, which should ask me to connect my YubiKey and tap it.

Logs:

$ openconnect-sso --server vpn.server.company.com/ssl --authenticate shell --browser-display-mode shown
[info     ] Authenticating to VPN endpoint [openconnect_sso.app] address=vpn.server.company.com/ssl name=
[info     ] Response received              [openconnect_sso.authenticator] id=main message=Please complete the authentication process in the AnyConnect Login window. title=Login
[info     ] Browser started                [webengine] startup_info=StartupInfo(url='https://vpn.server.company.com/+CSCOE+/saml/sp/login?tgname=SSL_Profile&acsamlcap=v2', credentials=None)
[info     ] Loading page                   [webengine] url=https://vpn.server.company.com/+CSCOE+/saml/sp/login?tgname=SSL_Profile&acsamlcap=v2
js: WARNING: `getUserProfile` does not support requests for  dsc .
js: Refused to load the image 'https://duo.com/' because it violates the following Content Security Policy directive: "img-src 'self'  ".

js: Refused to load the image 'https://duo.com/' because it violates the following Content Security Policy directive: "img-src 'self'  ".

js: Refused to load the image 'https://duo.com/' because it violates the following Content Security Policy directive: "img-src 'self'  ".

^C 
$

Ignore the js: errors, they have always been there even when this was working fine with OTP based MFA.


The browser screen asks for login credentials, then upon successful login, shows the following screen:

Screenshot from 2021-04-05 15-41-39

After clicking the Use Security Key button, I expect to see a new dialog box, but nothing happens. The screen changes to the following, but nothing appears:

Screenshot from 2021-04-05 15-41-59

Would be great if you can point me in the right direction for troubleshooting. Is this expected behavior? Is this a problem specific to WebAuthn or is it not possible to show any new popup dialog boxes in the current openconnect-sso login flow?

vlaci commented 3 years ago

I am using QtWebEngine under the hood. I'd assume if it supports fido/webauthn, it should work. This issue could give you some pointers, as qutebrowser uses the same engine: https://github.com/qutebrowser/qutebrowser/issues/3043. It seems to depend greatly on the exact version/variant of Qt installed.

rustycl0ck commented 3 years ago

Thanks @vlaci for pointing to that issue, it was helpful. I verified that I have the latest version of Qt, so at least that's sorted.

I also tried to open "https://demo.yubico.com/webauthn-technical/registration" in the openconnect-sso browser (directly by overriding this with await browser.authenticate_at("https://demo.yubico.com/webauthn-technical/registration", credentials)), and was able to register and authenticate with YubiKey on the demo page.

From what I deduce now, the problem is that pop-up windows (or new browser tabs/windows) don't open in the openconnect-sso browser. That is the only difference between the demo website and my VPN server authentication flow. The demo website is all on a single page, while my authentication flow tries to open it in a new pop-up window.

I also tried opening a random web page (https://duckduckgo.com) to verify this and could confirm that right-clicking a link on the page and then selecting Open link in new tab, as well as Open link in new window, does not work. No new window or tab is opened, but clicking any link and opening it in the same window works fine.

I don't have experience with Python multiprocessing or asyncio, but I'm trying to wrap my head around the openconnect-sso code to see if I can pinpoint the problematic part. Would be great if you could have a look and suggest if it is going to be a minor fix or if it will require some refactoring.

vlaci commented 3 years ago

Ok, so the authentication window is supposed to open in a new pop-up window and not as part of the same page? What is the relationship between the original page and the pop-up? I.e. will the popup close automatically and the authentication flow continue on the original page?

Currently the browser implements only a single browser window/tab/page. You can experiment with the browser by calling Process.run directly from a script, not via multiprocessing: https://github.com/vlaci/openconnect-sso/blob/b5ccc6ec500c80a444b60eabb0f33c11221645c7/openconnect_sso/browser/webengine_process.py#L67

I have also found the following guide on how to handle pop-ups: https://doc.qt.io/archives/qt-5.6/qtwebengine-webenginewidgets-simplebrowser-example.html#managing-webwindows. I currently don't have time to implement this, but I am glad to help if I can.
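Added example (not openconnect-sso's own code, and not the code from the Qt guide linked above): the single-window QtWebEngine view extended so that a page's `window.open()` call gets a real pop-up view, and the pop-up goes away again when the page calls `window.close()`, which is the behaviour the reporter describes for the security-key step. Pop-ups are the one place a login page can drag the embedded browser to an arbitrary site, so the example vets the pop-up's URL against the parent page's host plus an explicit allow-list and closes anything else. It assumes PyQt5 with the QtWebEngine module; the class `PopupAwareView`, the `allowed_hosts` parameter and the helper names are hypothetical, and the host names in the comments are constructed. The policy helper is plain Python, so the module imports without Qt present.

```python
"""Pop-up handling for an embedded QtWebEngine login window (added example).

Assumes PyQt5 with QtWebEngine. ``PopupAwareView``, ``allowed_hosts`` and the
helper functions are hypothetical names, not openconnect-sso API.
"""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Lower-cased host of ``url`` ('' when the URL has no host part)."""
    return (urlsplit(url).hostname or "").lower()


def popup_allowed(parent_url: str, popup_url: str, extra_hosts=()) -> bool:
    """Decide whether a pop-up opened from ``parent_url`` may navigate to ``popup_url``.

    A pop-up starts life at about:blank before the page steers it anywhere,
    so that placeholder is accepted. Afterwards only https URLs on the parent
    page's own host or on an explicitly listed host (e.g. the identity
    provider the SAML flow hops to) are allowed; everything else is refused.
    """
    parts = urlsplit(popup_url)
    if parts.scheme == "about":
        return True
    if parts.scheme != "https":
        return False
    target = host_of(popup_url)
    allowed = {host_of(parent_url)} | {h.lower() for h in extra_hosts}
    return target != "" and target in allowed


def make_popup_aware_view():
    """Build the view class lazily so the policy above is usable without Qt."""
    from PyQt5.QtCore import Qt
    from PyQt5.QtWebEngineWidgets import QWebEnginePage, QWebEngineView

    class PopupAwareView(QWebEngineView):
        # Window types a page can request via window.open() or target=_blank.
        POPUP_TYPES = (
            QWebEnginePage.WebDialog,
            QWebEnginePage.WebBrowserWindow,
            QWebEnginePage.WebBrowserTab,
        )

        def __init__(self, allowed_hosts=(), parent=None):
            super().__init__(parent)
            self.allowed_hosts = tuple(allowed_hosts)
            self._popups = []  # keep references so Qt does not drop the windows

        def createWindow(self, window_type):
            """Called by QtWebEngine when the page asks for a new window/tab."""
            if window_type not in self.POPUP_TYPES:
                return None  # refusing: the page sees window.open() return null
            popup = PopupAwareView(self.allowed_hosts)
            popup.setWindowTitle("Authentication")
            popup.setAttribute(Qt.WA_DeleteOnClose)
            # Vet every navigation of the pop-up against the parent's policy.
            popup.urlChanged.connect(lambda url, p=popup: self._vet_popup(p, url))
            # window.close() in the pop-up page closes the widget, returning
            # control to this (the original) page, which keeps its own state.
            popup.page().windowCloseRequested.connect(popup.close)
            popup.destroyed.connect(lambda _obj=None, p=popup: self._forget(p))
            self._popups.append(popup)
            popup.show()
            return popup

        def _vet_popup(self, popup, url):
            if not popup_allowed(self.url().toString(), url.toString(), self.allowed_hosts):
                popup.close()  # off-policy destination: drop the window

        def _forget(self, popup):
            if popup in self._popups:
                self._popups.remove(popup)

    return PopupAwareView


if __name__ == "__main__":
    import sys
    from PyQt5.QtWidgets import QApplication

    app = QApplication(sys.argv)
    View = make_popup_aware_view()
    # Constructed values: the VPN head-end plus the IdP host the flow hops to.
    view = View(allowed_hosts=("login.example-idp.test",))
    view.load(__import__("PyQt5.QtCore", fromlist=["QUrl"]).QUrl("https://vpn.example.test/+CSCOE+/saml/sp/login"))
    view.show()
    sys.exit(app.exec_())
```

The allow-list is the part worth keeping even if the rest is restructured: with `createWindow` returning a live view, any script on the login page can open a window to wherever it likes, and the only thing that decides what the user sees in a "Authentication" titled window is this policy check.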

rustycl0ck commented 3 years ago

Yes, the pop-up window will close automatically and return control to the original page.

Thanks for the links, I'll try to play around and see if I can get it to work.