Description of problem: It seems that NetworkManager-openconnect-gnome might not support FIDO2 / WebAuthn authenticators over USB when performing the authentication necessary to establish a VPN. My organization's SSO (Okta) requires multifactor authentication, with one option being a USB YubiKey 5C. I am unable to connect to the VPN; the browser embedded in NetworkManager's authentication dialog says "Security key or biometric authenticator is not supported on this browser. Contact your admin for assistance." I poked around a bit, and this is what I think: 1. NetworkManager relies on /usr/libexec/nm-openconnect-auth-dialog to authenticate. 2. /usr/libexec/nm-openconnect-auth-dialog makes use of libwebkit2gtk-4.1.so.0. This is what "this browser" above probably means. I suspect libwebkit2gtk-4.1.so.0 does not support FIDO2 / WebAuthn authenticators over USB. Or, perhaps this functionality exists in libwebkit but is not enabled in nm-openconnect-auth-dialog. Version-Release number of selected component (if applicable): NetworkManager-1.44.2-1.fc39.x86_64 NetworkManager-openconnect-gnome-1.2.10-2.fc39.x86_64 How reproducible: Every time Steps to Reproduce: 1. Use NetworkManager's configuration tool to create a VPN configuration. 2. Set VPN protocol to "Cisco AnyConnect or OpenConnect". 3. Set the gateway to the organization's VPN server. 4. Set the user agent to "AnyConnect Linux_64 4.7.00136". Note that step 4 seems to be necessary to compel the VPN endpoint to allow the web-based authentication to proceed. Actual results: "Security key or biometric authenticator is not supported on this browser. Contact your admin for assistance." Expected results: The VPN should initialize. Additional info: Firefox 114.0+ supports FIDO2 / WebAuthn authenticators over USB (https://www.mozilla.org/en-US/firefox/114.0/releasenotes/). This means Firefox will talk directly to my YubiKey when authenticating to organizational web applications. I am able to use Firefox to visit organizational web applications using my YubiKey to authenticate, but the webkit-based nm-openconnect-auth-dialog seems to lack this functionality (I think).
Another data point: Using Epiphany, rather than Firefox, to connect to an organizational web application displays the same error message: "Security key or biometric authenticator is not supported on this browser. Contact your admin for assistance." Since Epiphany uses libwebkitgtk-6.0.so.4, I suspect this is further evidence that there is something missing in libwebkitgtk or in the use of libwebkitgtk. (Note Epiphany uses libwebkitgtk-6.0.so.4, but nm-openconnect-auth-dialog uses libwebkit2gtk-4.1.so.0. I suspect these are close enough to indicate the same cause.)
Previous bugs related to WebAuthn/WebKit/Linux: Upstream: https://bugs.webkit.org/show_bug.cgi?id=205350 Fedora/RHEL: https://bugzilla.redhat.com/show_bug.cgi?id=1793657 https://bugzilla.redhat.com/show_bug.cgi?id=1793682
This message is a reminder that Fedora Linux 39 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 39 on 2024-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '39'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 39 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle. Changing version to 42.