Description of problem:

It seems that NetworkManager-openconnect-gnome might not support FIDO2 / WebAuthn authenticators over USB when performing the authentication necessary to establish a VPN. My organization's SSO (Okta) requires multifactor authentication, with one option being a USB YubiKey 5C. I am unable to connect to the VPN; the browser embedded in NetworkManager's authentication dialog says "Security key or biometric authenticator is not supported on this browser. Contact your admin for assistance."

I poked around a bit, and this is what I think:

1. NetworkManager relies on /usr/libexec/nm-openconnect-auth-dialog to authenticate.
2. /usr/libexec/nm-openconnect-auth-dialog makes use of libwebkit2gtk-4.1.so.0. This is what "this browser" above probably means.

I suspect libwebkit2gtk-4.1.so.0 does not support FIDO2 / WebAuthn authenticators over USB. Or, perhaps this functionality exists in libwebkit but is not enabled in nm-openconnect-auth-dialog.

Version-Release number of selected component (if applicable):

NetworkManager-1.44.2-1.fc39.x86_64
NetworkManager-openconnect-gnome-1.2.10-2.fc39.x86_64

How reproducible:

Every time

Steps to Reproduce:

1. Use NetworkManager's configuration tool to create a VPN configuration.
2. Set VPN protocol to "Cisco AnyConnect or OpenConnect".
3. Set the gateway to the organization's VPN server.
4. Set the user agent to "AnyConnect Linux_64 4.7.00136".

Note that step 4 seems to be necessary to compel the VPN endpoint to allow the web-based authentication to proceed.

Actual results:

"Security key or biometric authenticator is not supported on this browser. Contact your admin for assistance."

Expected results:

The VPN should initialize.

Additional info:

Firefox 114.0+ supports FIDO2 / WebAuthn authenticators over USB (https://www.mozilla.org/en-US/firefox/114.0/releasenotes/). This means Firefox will talk directly to my YubiKey when authenticating to organizational web applications.
I am able to use Firefox to visit organizational web applications using my YubiKey to authenticate, but the webkit-based nm-openconnect-auth-dialog seems to lack this functionality (I think).
Another data point: Using Epiphany, rather than Firefox, to connect to an organizational web application displays the same error message: "Security key or biometric authenticator is not supported on this browser. Contact your admin for assistance." Since Epiphany uses libwebkitgtk-6.0.so.4, I suspect this is further evidence that there is something missing in libwebkitgtk or in the use of libwebkitgtk. (Note Epiphany uses libwebkitgtk-6.0.so.4, but nm-openconnect-auth-dialog uses libwebkit2gtk-4.1.so.0. I suspect these are close enough to indicate the same cause.)
Previous bugs related to WebAuthn/WebKit/Linux:

Upstream:
https://bugs.webkit.org/show_bug.cgi?id=205350

Fedora/RHEL:
https://bugzilla.redhat.com/show_bug.cgi?id=1793657
https://bugzilla.redhat.com/show_bug.cgi?id=1793682
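The hypothesis in the report above is that the embedded WebKitGTK view lacks WebAuthn support. The following check is an added example, not part of the report and not Okta's or NetworkManager's code: it probes the standard WebAuthn API surface that a login page needs and can be pasted into the web inspector console of the browser under test. The function name, verdict strings and sample objects are made up for this example, and whether the SSO page uses this exact test is an assumption.

```javascript
// Added diagnostic, not from the bug report. probeWebAuthn() and the verdict
// strings are hypothetical names chosen for this example.
function probeWebAuthn(env) {
  const pkc = env.PublicKeyCredential;
  const creds = env.navigator && env.navigator.credentials;
  const report = {
    secureContext: env.isSecureContext === true,
    publicKeyCredential: typeof pkc === "function",
    credentialsCreate: Boolean(creds) && typeof creds.create === "function",
    credentialsGet: Boolean(creds) && typeof creds.get === "function",
  };
  const apiPresent = report.publicKeyCredential &&
    report.credentialsCreate && report.credentialsGet;
  if (!report.secureContext) {
    // WebAuthn interfaces are exposed only in secure contexts (HTTPS or
    // localhost), so a missing API here says nothing about the engine.
    report.verdict = "insecure-context";
  } else if (!apiPresent) {
    // Secure page, no API: the engine or its build does not offer WebAuthn.
    report.verdict = "api-missing";
  } else {
    // The API exists. This does not prove the engine can reach a USB
    // authenticator; that needs a working transport backend as well.
    report.verdict = "api-present";
  }
  return report;
}

// Constructed stand-ins for a browser's global object, so the check also
// runs outside a browser.
function FakePublicKeyCredential() {}
const SAMPLE_WITHOUT_WEBAUTHN = { isSecureContext: true, navigator: {} };
const SAMPLE_WITH_WEBAUTHN = {
  isSecureContext: true,
  PublicKeyCredential: FakePublicKeyCredential,
  navigator: { credentials: { create() {}, get() {} } },
};
const SAMPLE_PLAIN_HTTP = { isSecureContext: false, navigator: {} };

// In a browser console globalThis is the window object.
console.log(probeWebAuthn(globalThis));
```

Running the same call in Firefox and in the WebKit-based view on the same HTTPS page gives a direct comparison of the two engines.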