
SAML + WebAuthn Login: More verbosity or Token-Prompt-PopUp

Open b90g opened this issue 2 years ago • 4 comments

Describe the bug

When having 2FA WebAuthn activated on SSO/SAML, the Electron client isn't very transparent about what user interaction is expected from them.

What operating system and which version? Linux Debian Bullseye

Which version of Rocket.Chat (Server)? 4.8

Which version of Rocket.Chat.Electron (Electron/Desktop)? latest as of writing the issue

Is there any setting relevant changed? not really

To Reproduce

  1. Log in to your RC instance via SAML SSO on the desktop/Electron app
  2. Have WebAuthn as 2FA in SAML

Expected behavior

Getting prompted to connect & touch the security token

Actual behavior

  • Either the token is already connected and it at least blinks so I can touch & login
  • or the token isn't connected and the login fails without any conclusive message.

b90g avatar Jun 29 '22 11:06 b90g

Hello @b90g, could you show a video of how it works on the browser and on the Electron so we understand better what's happening?

jeanfbrito avatar Jun 29 '22 16:06 jeanfbrito

https://peertube.netzbegruenung.de/videos/watch/45935f4b-f447-4550-a7ea-d1dcd26f6eab

  • In '17, you see Firefox having a Notification Pop Out (don't know the right terminus for it) asking me to interact with my security token
  • '39 Electron recording starts
  • '59 I touch my security token, but only because it blinks.

Inexperienced users might not know what to do. I suggest having the same pop out for interaction requests with the security token.

(This time I used the Snap package on Fedora 36, btw.)

b90g avatar Jun 30 '22 08:06 b90g

I have similar problems. Rocket.Chat 5.3.2, Electron client 3.8.13, using Keycloak via Custom OAuth. On Linux, it works fine with the Yubikey, but on OSX the workflow looks "weird". I have both a Yubikey and the MacBook fingerprint reader registered as WebAuthn devices in Keycloak, but the fingerprint reader doesn't work. It never shows the fingerprint popup or seems to try to access the reader. The Yubikey works, but "blind" like the issue creator describes, i.e. with no popup.

Both work fine on a browser.

steffen-kdab avatar Nov 23 '22 00:11 steffen-kdab

Fascinating, I can't get it to work at all in the desktop client on Linux (v3.9.6). With or without PIN, my security keys don't work, neither as 2FA nor for passwordless login.

Which is to say, yes, the NitroKey at least starts blinking, but it fails to ask for a PIN for passwordless and in either case it immediately fails when I touch the security key.

Ah, but I've realized we're using OIDC, not SAML... Gonna test that.

KramNamez avatar Aug 30 '23 14:08 KramNamez