Within Cockpit we have recently looked at WebAuthn for passwordless authentication and authorization. Tracked under COCKPIT-1390.
As we look at SSSD and FreeIPA passkey integration for registering and authenticating we need changes to make it possible for us to use web domains for hosting Cockpit together with system realms.
Since we use a browser to serve Cockpit and to generate WebAuthn responses, we have little control over the assertion response that is generated: browsers are very strict on origin validity and follow the WebAuthn spec fully. Since SSSD/FreeIPA's passkey implementation mostly follows FIDO2, there hasn't been much reason to allow for a different input mechanism when a hardware token isn't detected and Kerberos isn't being used.
As we get the WebAuthn assertion response from the browser and hand it off to the backend/server, we need to input that to SSSD/FreeIPA in a way that works for all systems that have SSSD and FreeIPA configured. As SSSD/FreeIPA cannot detect any hardware tokens (since the browser is sandboxed and generates the WebAuthn assertion) we need a way to hand clientDataJSON and assertion to SSSD/FreeIPA.
Yubico's pam-u2f has a manual mode where you provide clientData, origin, authenticatorData, and assertion on stdin during authentication. To me it would make sense to use either PAM-related variables for passing the input or to read the input from stdin, using something like base64 to make life easier.
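As an added example (not code from Cockpit, SSSD, FreeIPA or pam-u2f), this is the check a backend has to perform once it receives only clientDataJSON, authenticatorData and the signature from the browser: type, fresh challenge, origin against an allowlist, rpIdHash against the RP ID, the user-presence flag, and finally the ES256 signature over authenticatorData || SHA-256(clientDataJSON) with the key stored at registration. The RP ID, origin, challenge and key are constructed sample values, and makeAssertion is a hypothetical stand-in for what browser and authenticator would return.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)

// clientData holds the fields of the browser-produced clientDataJSON the verifier needs.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, unpadded
	Origin    string `json:"origin"`
}

// VerifyAssertion checks the three browser-provided values (clientDataJSON, authenticatorData,
// signature) against server-side state only: the registered P-256 key, the RP ID, the challenge
// the server issued, and an origin allowlist. No access to the authenticator is needed.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID string, origins map[string]bool,
	challenge, cdj, authData, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdj, &cd) != nil {
		return false
	}
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cdj) // the signature covers authenticatorData || SHA-256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return cd.Type == "webauthn.get" &&
		cd.Challenge == base64.RawURLEncoding.EncodeToString(challenge) && // fresh challenge, no replay
		origins[cd.Origin] && // only origins the server was told to accept
		len(authData) >= 37 && string(authData[:32]) == string(rpHash[:]) && // bound to this RP ID
		authData[32]&0x01 != 0 && // flags byte: user presence (UP) bit
		ecdsa.VerifyASN1(pub, digest[:], sig)
}

// makeAssertion is a constructed stand-in for a registered passkey and the browser's assertion
// output (no hardware token involved); it returns the "registered" public key and the three values.
func makeAssertion(rpID, origin string, challenge []byte) (pub *ecdsa.PublicKey, cdj, authData, sig []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cdj, _ = json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash, flags=UP, signCount=1, no extensions
	cdHash := sha256.Sum256(cdj)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return &priv.PublicKey, cdj, authData, sig
}
```

Whichever transport is chosen (PAM items or base64 on stdin, as with pam-u2f's manual mode), these are the only inputs the verifier needs, so the check itself is independent of how the three values arrive.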
Acceptance Criteria
- SSSD/FreeIPA allows for an input mechanism for WebAuthn passkey response that can work without hardware token access.
- SSSD/FreeIPA can receive clientDataJSON, authenticator data, and assertion signature and verify the passkey.
Notes
- Yubico's pam-u2f has a manual mode that takes the output of the fido2-assert tool.
- Would be nice to make sure both discoverable (resident) and non-discoverable (non-resident) keys work. With a discoverable key the user is provided through the userHandle instead of separately.
- is related to RHEL-150878 Allowlist for WebAuthn origin during authentication