
OAuth login with Webauthn not working in Webview

Open o- opened this issue 1 year ago • 7 comments

Description:

We set up Rocket with external OAuth using Keycloak. When Keycloak is configured for second factor authentication using Webauthn, authentication fails with the Rocket native Android app.

Environment Information:

  • Rocket.Chat Server Version: 6.8.0
  • Rocket.Chat App Version: 4.48.0 and 4.49.0
  • Device Name: Pixel 6a
  • OS Version: Android 14

Steps to reproduce:

  1. Set up a Keycloak instance, see e.g. https://www.keycloak.org/getting-started/getting-started-docker
  2. Set up Rocket.Chat with Keycloak, see https://docs.rocket.chat/use-rocket.chat/authentication/saml/keycloak
  3. Configure WebAuthn, see e.g. https://keycloak.ch/keycloak-tutorials/tutorial-webauthn/
  4. On the phone visit https:///realms//account/#/security/signingin and click "Set up security Key" -> Register and add the phone as a second factor.
  5. Open Rocket Android app and enter the workspace name.
  6. Click on "Continue with Keycloak Login"
  7. Provide credentials to Keycloak
  8. Try WebAuthn Authenticator as second factor

Expected behavior:

WebAuthn should work. When I log in with Chrome on the same phone I am asked for the screen pin and the phone successfully authenticates using WebAuthn with Keycloak.

Actual behavior:

Response "Failed to authenticate by the Security Key" from Keycloak.

Probably the reason is that Android WebView does not support WebAuthn, see https://groups.google.com/a/chromium.org/g/blink-dev/c/qCJhuuZH5p0 .

Additional context:

The best would be to open external OAuth authentication links using the device browser instead of opening them inside the app. Most other apps, when configured with OIDC or OAuth, follow this approach.

o- avatar May 20 '24 20:05 o-
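Added example, not code from the Rocket.Chat or Keycloak projects: a check a login page (or the app's login bridge) can run to decide whether a WebAuthn ceremony is even possible in the current embedding, and to hand the flow to the system browser otherwise. It relies on two facts: the WebAuthn API surface is `window.PublicKeyCredential` plus `navigator.credentials`, and Android WebView marks its user agent with a `; wv)` token. The `env` objects are constructed stand-ins for `window`/`navigator` so the check runs offline in Node.

```javascript
// Classify the embedding from the subset of window/navigator the check needs.
// `env` is an assumed shape: { navigator: { userAgent, credentials }, PublicKeyCredential, isSecureContext }.
function classifyWebAuthnEnvironment(env) {
  const ua = (env.navigator && env.navigator.userAgent) || "";
  // Android WebView appends "; wv)" to its user agent string (documented by Chrome).
  const androidWebView = /Android/.test(ua) && /;\s*wv\)/.test(ua);
  // WebAuthn needs both the PublicKeyCredential constructor and navigator.credentials.get().
  const hasApi =
    typeof env.PublicKeyCredential === "function" &&
    !!(env.navigator && env.navigator.credentials &&
       typeof env.navigator.credentials.get === "function");
  // The API is only exposed in secure contexts (https), so treat anything else as unusable.
  const secure = env.isSecureContext === true;

  // Hand off to the system browser whenever the API is missing, the context is
  // insecure, or we are inside Android WebView, whose WebAuthn support cannot be relied on.
  const action = (!hasApi || !secure || androidWebView) ? "open-in-system-browser" : "proceed";
  return { androidWebView, hasApi, secure, action };
}

// Constructed sample: what the Rocket.Chat Android app's WebView would look like on a Pixel 6a.
const WEBVIEW_ENV = {
  navigator: {
    userAgent: "Mozilla/5.0 (Linux; Android 14; Pixel 6a Build/AP1A.240505.005; wv) " +
               "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.0.0 Mobile Safari/537.36",
    credentials: undefined,
  },
  PublicKeyCredential: undefined,
  isSecureContext: true,
};

// Constructed sample: the same phone in Chrome, where the reporter's login succeeds.
const CHROME_ENV = {
  navigator: {
    userAgent: "Mozilla/5.0 (Linux; Android 14; Pixel 6a) AppleWebKit/537.36 " +
               "(KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36",
    credentials: { get() { return Promise.resolve(null); } },
  },
  PublicKeyCredential: function PublicKeyCredential() {},
  isSecureContext: true,
};

console.log(classifyWebAuthnEnvironment(WEBVIEW_ENV).action); // open-in-system-browser
console.log(classifyWebAuthnEnvironment(CHROME_ENV).action);  // proceed
```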

Hey. We have plans to make it possible to log in in external browsers, which would add support for physical security keys to all services (we did it for Google already https://github.com/RocketChat/Rocket.Chat.ReactNative/issues/2703 https://github.com/RocketChat/Rocket.Chat.ReactNative/issues/2284), but we can't do it right now, sadly. There are more important items atm.

diegolmello avatar May 21 '24 13:05 diegolmello

That's a shame. Rocket.Chat is the last service we have that doesn't work nicely with Passkeys, and the only reason we still have to support TOTPs for MFA, so we'd love to see that change at some point.

Do you have any idea when you'll get around to it? Any sort of roadmap, or is it purely "we'll get around to it eventually, hopefully"? (It's understandable if it's the latter, though obviously I'm hoping for something more concrete.)

KramNamez avatar Aug 26 '24 09:08 KramNamez

Hey @KramNamez

Unfortunately, the answer is that we'll get around to it eventually.

We are currently focused on closing accessibility gaps and new end-to-end encryption requirements on mobile.

milton-rucks avatar Aug 26 '24 14:08 milton-rucks

Fair enough - those are both pretty obviously huge and important topics too. Fingers crossed that you get around to it shortly after those :)

KramNamez avatar Aug 26 '24 14:08 KramNamez

Any update on this?

Czujackt avatar Mar 20 '25 21:03 Czujackt

Any news here?

aenonGit avatar Sep 16 '25 06:09 aenonGit

This is also an issue for me and it would be nice to have any updates on this. We use AWS Cognito as OAuth provider with passkeys and our users are always confused that it does not work.

machadolucas avatar Nov 28 '25 15:11 machadolucas