Bug 2247565 - NetworkManager's openconnect plugin does not support FIDO2 / WebAuthn authenticators over USB
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager-openconnect
Version: 39
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: David Woodhouse
QA Contact: Fedora Extras Quality Assurance
Reported: 2023-11-02 02:32 UTC by W. Michael Petullo
Modified: 2023-11-07 00:55 UTC (History)
Type: Bug
Links: WebKit Project bug 205350 (last updated 2023-11-07 00:55:30 UTC)

Description W. Michael Petullo 2023-11-02 02:32:18 UTC
Description of problem:
It seems that NetworkManager-openconnect-gnome might not support FIDO2 / WebAuthn authenticators over USB when performing the authentication necessary to establish a VPN. My organization's SSO (Okta) requires multifactor authentication, with one option being a USB YubiKey 5C. I am unable to connect to the VPN; the browser embedded in NetworkManager's authentication dialog says "Security key or biometric authenticator is not supported on this browser. Contact your admin for assistance."

I poked around a bit, and this is what I think:

1. NetworkManager relies on /usr/libexec/nm-openconnect-auth-dialog to authenticate.

2. /usr/libexec/nm-openconnect-auth-dialog makes use of libwebkit2gtk-4.1.so.0. This is what "this browser" above probably means.

I suspect libwebkit2gtk-4.1.so.0 does not support FIDO2 / WebAuthn authenticators over USB. Or, perhaps this functionality exists in libwebkit but is not enabled in nm-openconnect-auth-dialog.

Version-Release number of selected component (if applicable):
NetworkManager-1.44.2-1.fc39.x86_64
NetworkManager-openconnect-gnome-1.2.10-2.fc39.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Use NetworkManager's configuration tool to create a VPN configuration.
2. Set VPN protocol to "Cisco AnyConnect or OpenConnect".
3. Set the gateway to the organization's VPN server.
4. Set the user agent to "AnyConnect Linux_64 4.7.00136".

Note that step 4 seems to be necessary to compel the VPN endpoint to allow the web-based authentication to proceed.

Actual results:
"Security key or biometric authenticator is not supported on this browser. Contact your admin for assistance."

Expected results:
The VPN should initialize.

Additional info:
Firefox 114.0+ supports FIDO2 / WebAuthn authenticators over USB (https://www.mozilla.org/en-US/firefox/114.0/releasenotes/). This means Firefox will talk directly to my YubiKey when authenticating to organizational web applications. I am able to use Firefox to visit organizational web applications using my YubiKey to authenticate, but the webkit-based nm-openconnect-auth-dialog seems to lack this functionality (I think).
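Points 1 and 2 of the analysis above rest on which WebKitGTK library the authentication dialog actually links. The following shell check is added here and is not part of the bug report: it reads `ldd` output and names the WebKitGTK API family a binary uses (libwebkit2gtk-4.0 / -4.1 for the GTK3 builds, libwebkitgtk-6.0 for the GTK4 build), so you can confirm which engine is rendering your VPN login page. The `ldd` lines embedded in the script are constructed samples modelled on the library names in this report; the path /usr/libexec/nm-openconnect-auth-dialog is the one the report gives.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report): determine which WebKitGTK API
# a binary links, so you know which browser engine performs the VPN web login.
# Soname families checked: libwebkit2gtk-4.0 / -4.1 (GTK3), libwebkitgtk-6.0 (GTK4).

# Read `ldd` output on stdin; print the WebKitGTK ABI name (e.g. "webkit2gtk-4.1")
# or "none" if no WebKitGTK library appears.
webkit_abi_from_ldd() {
    abi=$(grep -o 'libwebkit2\{0,1\}gtk-[0-9.]*\.so' | head -n 1 \
          | sed 's/^lib//; s/\.so$//')
    if [ -n "$abi" ]; then
        printf '%s\n' "$abi"
    else
        printf 'none\n'
    fi
}

# Run ldd on a binary path; prints "none" if the file is missing or not dynamic.
webkit_abi_of_binary() {
    ldd "$1" 2>/dev/null | webkit_abi_from_ldd
}

# Constructed sample ldd output (addresses are placeholders), modelled on the
# two library names mentioned in the report.
SAMPLE_NM_DIALOG_LDD='	linux-vdso.so.1 (0x00007fff00000000)
	libwebkit2gtk-4.1.so.0 => /lib64/libwebkit2gtk-4.1.so.0 (0x00007f0000000000)
	libgtk-3.so.0 => /lib64/libgtk-3.so.0 (0x00007f0000100000)'
SAMPLE_EPIPHANY_LDD='	libwebkitgtk-6.0.so.4 => /lib64/libwebkitgtk-6.0.so.4 (0x00007f0000000000)
	libgtk-4.so.1 => /lib64/libgtk-4.so.1 (0x00007f0000100000)'

# Demonstrate on the constructed samples, then on the real binaries if present.
printf 'sample nm dialog: %s\n' "$(printf '%s\n' "$SAMPLE_NM_DIALOG_LDD" | webkit_abi_from_ldd)"
printf 'sample epiphany:  %s\n' "$(printf '%s\n' "$SAMPLE_EPIPHANY_LDD" | webkit_abi_from_ldd)"
for bin in /usr/libexec/nm-openconnect-auth-dialog "$(command -v epiphany 2>/dev/null)"; do
    [ -n "$bin" ] && [ -x "$bin" ] || continue
    printf '%s: %s\n' "$bin" "$(webkit_abi_of_binary "$bin")"
done
```

On a Fedora 39 host with NetworkManager-openconnect-gnome installed, running the script reports the ABI linked by the dialog alongside the one Epiphany uses, which is the comparison the reporter makes by hand in the comments below.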

Comment 1 W. Michael Petullo 2023-11-02 02:46:16 UTC
Another data point: Using Epiphany, rather than Firefox, to connect to an organizational web application displays the same error message: "Security key or biometric authenticator is not supported on this browser. Contact your admin for assistance." Since Epiphany uses libwebkitgtk-6.0.so.4, I suspect this is further evidence that there is something missing in libwebkitgtk or in the use of libwebkitgtk.

(Note Epiphany uses libwebkitgtk-6.0.so.4, but nm-openconnect-auth-dialog uses libwebkit2gtk-4.1.so.0. I suspect these are close enough to indicate the same cause.)

Comment 2 W. Michael Petullo 2023-11-04 04:24:25 UTC
Previous bugs related to WebAuthn/WebKit/Linux:

Upstream:
https://bugs.webkit.org/show_bug.cgi?id=205350

Fedora/RHEL:
https://bugzilla.redhat.com/show_bug.cgi?id=1793657
https://bugzilla.redhat.com/show_bug.cgi?id=1793682
