Bug 2247565

Summary: NetworkManager's openconnect plugin does not support FIDO2 / WebAuthn authenticators over USB
Product: [Fedora] Fedora Reporter: W. Michael Petullo <mike>
Component: NetworkManager-openconnectAssignee: David Woodhouse <dwmw2>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 42CC: dcbw, dwmw2, lkundrak, mcatanza, n.mavrogiannopoulos, rdieter, tdawson, thaller
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description W. Michael Petullo 2023-11-02 02:32:18 UTC 
Description of problem:
It seems that NetworkManager-openconnect-gnome might not support FIDO2 / WebAuthn authenticators over USB when performing the authentication necessary to establish a VPN. My organization's SSO (Okta) requires multifactor authentication, with one option being a USB YubiKey 5C. I am unable to connect to the VPN; the browser embedded in NetworkManager's authentication dialog says "Security key or biometric authenticator is not supported on this browser. Contact your admin for assistance."

I poked around a bit, and this is what I think:

1. NetworkManager relies on /usr/libexec/nm-openconnect-auth-dialog to authenticate.

2. /usr/libexec/nm-openconnect-auth-dialog makes use of libwebkit2gtk-4.1.so.0. This is what "this browser" above probably means.

I suspect libwebkit2gtk-4.1.so.0 does not support FIDO2 / WebAuthn authenticators over USB. Or, perhaps this functionality exists in libwebkit but is not enabled in nm-openconnect-auth-dialog.

Version-Release number of selected component (if applicable):
NetworkManager-1.44.2-1.fc39.x86_64
NetworkManager-openconnect-gnome-1.2.10-2.fc39.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Use NetworkManager's configuration tool to create a VPN configuration.
2. Set VPN protocol to "Cisco AnyConnect or OpenConnect".
3. Set the gateway to the organization's VPN server.
4. Set the user agent to "AnyConnect Linux_64 4.7.00136".

Note that step 4 seems to be necessary to compel the VPN endpoint to allow the web-based authentication to proceed.

Actual results:
"Security key or biometric authenticator is not supported on this browser. Contact your admin for assistance."

Expected results:
The VPN should initialize.

Additional info:
Firefox 114.0+ supports FIDO2 / WebAuthn authenticators over USB (https://www.mozilla.org/en-US/firefox/114.0/releasenotes/). This means Firefox will talk directly to my YubiKey when authenticating to organizational web applications. I am able to use Firefox to visit organizational web applications using my YubiKey to authenticate, but the webkit-based nm-openconnect-auth-dialog seems to lack this functionality (I think).
Comment 1 W. Michael Petullo 2023-11-02 02:46:16 UTC 
Another data point: Using Epiphany, rather than Firefox, to connect to an organizational web application displays the same error message: "Security key or biometric authenticator is not supported on this browser. Contact your admin for assistance." Since Epiphany uses libwebkitgtk-6.0.so.4, I suspect this is further evidence that there is something missing in libwebkitgtk or in the use of libwebkitgtk.

(Note Epiphany uses libwebkitgtk-6.0.so.4, but nm-openconnect-auth-dialog uses libwebkit2gtk-4.1.so.0. I suspect these are close enough to indicate the same cause.)
Comment 2 W. Michael Petullo 2023-11-04 04:24:25 UTC 
Previous bugs related to WebAuthn/WebKit/Linux:

Upstream:
https://bugs.webkit.org/show_bug.cgi?id=205350

Fedora/RHEL:
https://bugzilla.redhat.com/show_bug.cgi?id=1793657
https://bugzilla.redhat.com/show_bug.cgi?id=1793682
Comment 3 Aoife Moloney 2024-11-13 09:58:27 UTC 
This message is a reminder that Fedora Linux 39 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 39 on 2024-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '39'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 39 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.
Comment 4 Aoife Moloney 2025-02-26 12:54:34 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.