SSO with security key


andy_p

Posts: 6
Joined: Thu Sep 06, 2012 7:25 pm

Post by andy_p » Thu Feb 01, 2024 12:38 am
I've successfully installed an OpenVPN server with SSO authentication, using https://github.com/jkroepke/openvpn-auth-oauth2, using a Nextcloud installation as OAuth2 backend. When connecting, Viscosity will present a small browser window, showing the Nextcloud login page.
After entering name/password, the second factor is requested. Selecting "Nextcloud Notification" and acknowledging the request on a Nextcloud device, the connection is established. When disconnecting and reconnecting, I only see "Access granted" and the connection is re-established as expected.

So far so good, working nicely, but when selecting a security key as second factor instead of Nextcloud Notification, Nextcloud will show "There was an error, authentification aborted".

Testing Nextcloud login with Safari 17.3, I found that the browser will ask for "passkey or hardware key" selection before activating the key. The Viscosity built-in browser doesn't ask, but will fail immediately.

James

Posts: 2309
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Feb 06, 2024 10:24 pm
Hi andy_p,

Frustratingly, this is a limitation that Apple introduced a number of macOS updates ago: WebAuthn requests are now blocked in web views. WebAuthn is the browser API used to communicate with FIDO authentication keys.

At the time we heard that Apple was working on a solution to re-allow WebAuthn (presumably through some sort of user permission prompt or entitlement), so we didn't want to go to a huge amount of effort coming up with a work-around if Apple was soon going to address it themselves anyway. However, it has been quite some time now with nothing eventuating, so our current plan is to re-visit implementing a work-around ourselves. So in short: we're aware of the issue, and we're working on it.

In the meantime, Viscosity has native FIDO support you could look at using with your tokens. You can find more information about this in the following links:
https://www.sparklabs.com/support/kb/ar ... viscosity/
https://github.com/thesparklabs/fido-auth-with-web

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
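As an added illustration (not code from this thread, nor the implementation of Nextcloud, Viscosity or openvpn-auth-oauth2), here is how the login-page side of a WebAuthn security-key step can probe for the API and degrade to another second factor, such as the notification-based one andy_p describes, instead of aborting when the request is refused. The rpId, challenge and credential ids are constructed sample values, and the injectable `window`/`navigator` parameters are an assumption made so the logic can be exercised outside a browser. The thread does not establish exactly how an Apple web view refuses a WebAuthn request, so the code treats both a missing API and a rejected `navigator.credentials.get()` as reasons to fall back.

```javascript
// Added example: relying-party (login page) side of a WebAuthn assertion,
// written so an embedded web view that blocks WebAuthn degrades to another
// second factor instead of aborting. Illustrative code, not from the thread.

// Probe the API surface an assertion needs. `win` and `nav` are injectable
// (assumption for testability); in a real page both default to the globals.
function webauthnAvailability(win = globalThis, nav = globalThis.navigator) {
  if (!win || typeof win.PublicKeyCredential === "undefined") return "unsupported";
  if (!nav || !nav.credentials || typeof nav.credentials.get !== "function") return "unsupported";
  return "available";
}

// Map a rejected navigator.credentials.get() into a status the page can act on.
// Only DOMException names the WebAuthn spec defines are distinguished here.
function classifyWebAuthnError(err) {
  const name = err && err.name;
  switch (name) {
    case "NotAllowedError":   // user cancelled, timed out, or the host refused the request
      return { reason: "not_allowed", fallback: "notification" };
    case "SecurityError":     // rpId does not match the page origin: a deployment bug, not a user problem
      return { reason: "rp_id_mismatch", fallback: null };
    case "InvalidStateError": // authenticator rejected the credential list
      return { reason: "authenticator_state", fallback: "notification" };
    default:
      return { reason: "unknown:" + String(name), fallback: "notification" };
  }
}

// Build the options object for an assertion (login) ceremony.
function buildAssertionOptions(challenge, rpId, allowCredentialIds) {
  return {
    publicKey: {
      challenge,                     // server-issued, single-use random bytes
      rpId,
      timeout: 60000,
      userVerification: "preferred",
      allowCredentials: allowCredentialIds.map((id) => ({ type: "public-key", id })),
    },
  };
}

// Run the ceremony; never throw, always return a status the page can render.
async function requestSecurityKeyAssertion(challenge, rpId, allowCredentialIds, deps = {}) {
  const win = deps.window ?? globalThis;
  const nav = deps.navigator ?? globalThis.navigator;
  if (webauthnAvailability(win, nav) !== "available") {
    return { ok: false, reason: "unsupported", fallback: "notification" };
  }
  try {
    const cred = await nav.credentials.get(buildAssertionOptions(challenge, rpId, allowCredentialIds));
    // In a real page the assertion (cred.response) is POSTed to the server for verification.
    return { ok: true, credentialId: cred.id };
  } catch (err) {
    return { ok: false, ...classifyWebAuthnError(err) };
  }
}

// Constructed sample: a fake navigator standing in for an embedded web view that
// exposes the API but refuses every request.
const blockedWebView = {
  window: { PublicKeyCredential: function () {} },
  navigator: {
    credentials: {
      get: async () => { const e = new Error("blocked"); e.name = "NotAllowedError"; throw e; },
    },
  },
};
const sampleChallenge = new Uint8Array(32);          // constructed; a server would use CSPRNG bytes
const sampleCredentialId = new Uint8Array([1, 2, 3, 4]); // constructed

requestSecurityKeyAssertion(sampleChallenge, "nextcloud.example", [sampleCredentialId], blockedWebView)
  .then((result) => console.log(result)); // → { ok: false, reason: "not_allowed", fallback: "notification" }
```

The page would use the returned `fallback` value to offer the alternative factor immediately rather than showing a generic "authentication aborted" error; a `null` fallback flags a misconfiguration the operator must fix.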