RHEL-150878: Allowlist for WebAuthn origin during authentication


    • Type: Task
    • Resolution: Unresolved
    • sssd
    • rhel-idm

      Within Cockpit we have recently looked at WebAuthn for passwordless authentication and authorization. Tracked under COCKPIT-1390.

      As we look at SSSD and FreeIPA passkey integration for registering and authenticating we need changes to make it possible for us to use web domains for hosting Cockpit together with system realms.


      Since SSSD and FreeIPA support FIDO2, they haven't needed to care about client assertions of origins or a client's clientDataJSON generation.

      We need a way to customize an allowlist, similar to WebAuthn's /.well-known/webauthn, so that we can sign in using the browser.

      Acceptance Criteria

      1. SSSD/FreeIPA can receive clientDataJSON and assertion that contains an origin that differs from the realm itself
      2. The different origin needs to be in an allowlist or otherwise pre-approved prior to authentication to verify the validity of the content
      3. If customers want to be more strict: SSSD/FreeIPA can host an accessible URL https://<realmName>/.well-known/webauthn so that browser WebAuthn can use that domain during authentication

      Notes

      • Yubico's libfido2 fully supports WebAuthn and would work with the browser-generated assertion response.
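      An added illustration (not code from SSSD, FreeIPA or Cockpit) of the check that acceptance criteria 2 and 3 describe: the verifier parses the browser's clientDataJSON, checks its type and challenge, and accepts an origin that differs from the realm only when it was pre-approved, here seeded from a constructed {"origins": [...]} document of the /.well-known/webauthn kind. The hostnames, challenge value and document contents are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

def b64url_decode(data: str) -> bytes:
    # WebAuthn encodes clientDataJSON and the challenge as unpadded base64url.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def build_allowlist(configured: list[str], well_known: dict = None) -> set[str]:
    # Pre-approved origins: configured ones plus those in a {"origins": [...]} document.
    allow = set(configured)
    if well_known:
        allow.update(well_known.get("origins", []))
    return allow

def origin_bound_to_rp(origin: str, rp_id: str) -> bool:
    # Classic WebAuthn rule: the origin's host is the RP ID or a subdomain of it.
    parts = urlsplit(origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))

def verify_client_data(client_data_b64: str, challenge: bytes, rp_id: str,
                       allow: set[str], expected_type: str = "webauthn.get") -> tuple[str, bytes]:
    # Returns the accepted origin and SHA-256(clientDataJSON), which the authenticator signs.
    raw = b64url_decode(client_data_b64)
    cd = json.loads(raw)
    if cd.get("type") != expected_type:
        raise ValueError("unexpected clientData type")
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), challenge):
        raise ValueError("challenge mismatch")
    origin = cd.get("origin", "")
    # An origin outside the realm is accepted only if it was pre-approved.
    if not (origin_bound_to_rp(origin, rp_id) or origin in allow):
        raise ValueError(f"origin {origin!r} not approved for realm {rp_id!r}")
    return origin, hashlib.sha256(raw).digest()

CHALLENGE = b"\x01" * 32  # constructed; a real server issues a fresh random challenge
WELL_KNOWN = {"origins": ["https://cockpit.example.test"]}  # constructed document

def encode_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> str:
    # Build clientDataJSON the way a browser would, for the sample below.
    cd = {"type": typ, "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(), "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(cd).encode()).rstrip(b"=").decode()

def demo(origin: str = "https://cockpit.example.test") -> str:
    # Realm ipa.example.test; Cockpit is served from a different, pre-approved origin.
    allow = build_allowlist([], WELL_KNOWN)
    return verify_client_data(encode_client_data(origin, CHALLENGE), CHALLENGE, "ipa.example.test", allow)[0]
```

      An origin that is neither the realm itself, a subdomain of it, nor listed in the allowlist is rejected before any signature is checked.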

      ipedrosa@redhat.com Iker Pedrosa
      fgustavs@redhat.com Freya Gustavsson