authentik
eID webauth support
Is your feature request related to a problem? Please describe. I would love to utilize the ID cards that have smartcards in them, like eID in a lot of European countries, like Finland and Estonia.
Describe the solution you'd like I would like to see eID auth to be supported in Authentik.
Additional context https://github.com/konstantint/eid-webauth-samples/tree/master/python
@samip5 , because I'd be interested in such a feature as well, I'm trying to help by specifying this request a bit more, and maybe find a few possible obstacles beforehand.
One that comes to my mind immediately: I see no problem for my application (i.e. one that's under my control) to trust any official electronic source of information. Here, in Germany where I live, that would be the eID on the official ID cards (Personalausweis). Technically, my application would accept any authentication against the official "AusweisApp2" (the interface to the ID hardware).
I see a problem on the other side: How can I make sure that AusweisApp2 actually trusts my application, in order to allow authentication and possibly the disclosure of personal data? If I read this description correctly, it says "Your online business partner [i.e. my application] must have a valid government certificate to request your data. You can also view this certificate." I doubt that, as a hobbyist, I qualify for such a certificate. Or that it's feasible for me to obtain it, or to fulfil the safety requirements to keep one.
Is this just Germany, and other countries might have (optional, additional) lower levels of security? In fact, I believe that this level of security might actually have prevented the widespread use of eID in Germany.
@agrimpelhuber Do your cards have a client certificate for authentication? I have made a test project https://github.com/olkitu/eid-auth-php to use these client certificates to authenticate using certificates in National ID Cards. I have tested against Finnish & Estonian cards and I have added theoretical support for German and Italian cards.
Using certificates in cards does not require any third party integration - you just need to update CRLs (revocation lists) and trust the CA.
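The check that comment describes (trust the issuing CA, keep its CRL current, require the card's client certificate at the TLS layer, then map the verified certificate to a user) looks roughly like this in Python's standard-library `ssl` module. This is an added example, not code from authentik or from the eid-auth-php project; the issuer names, the subject fields and the `SAMPLE_PEERCERT` dictionary are constructed placeholders, and the file paths for the CA bundle and CRL are assumptions.

```python
import ssl
import time

# Constructed allowlist of issuing-CA common names, written the way
# SSLSocket.getpeercert() renders them. A real deployment would take these
# from the national CA bundle it actually trusts; these are placeholders.
ALLOWED_ISSUERS = {
    "EXAMPLE-FI-CITIZEN-CA",
    "EXAMPLE-EE-CITIZEN-CA",
}


def make_client_auth_context(ca_file, crl_file=None):
    """Server-side TLS context that only completes a handshake when the client
    presents a certificate chaining to ca_file. If crl_file is given, the leaf
    certificate is additionally checked against that CRL, so a reported-lost
    card is rejected once the CRL has been refreshed."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    if crl_file:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
        # CRLs in PEM form are loaded through the same call as CA certs.
        ctx.load_verify_locations(cafile=crl_file)
    return ctx


def _dn_to_dict(rdns):
    """Flatten getpeercert()'s ((('key', 'value'),), ...) DN into a dict."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def identity_from_peercert(peercert, now=None):
    """Map a handshake-verified client certificate (the dict returned by
    SSLSocket.getpeercert()) to an application user id, or None if the
    certificate must not be accepted for login.

    OpenSSL has already validated chain, expiry and (if enabled) the CRL by
    the time getpeercert() returns a dict; the checks here are the
    application-level policy layered on top: only national citizen CAs are
    acceptable issuers, the certificate must still be valid at the moment of
    use, and the subject must carry the national serial number we key on."""
    if not peercert:
        return None
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(peercert["notAfter"]) <= now:
        return None
    issuer = _dn_to_dict(peercert["issuer"])
    if issuer.get("commonName") not in ALLOWED_ISSUERS:
        return None
    subject = _dn_to_dict(peercert["subject"])
    serial = subject.get("serialNumber")
    country = subject.get("countryName")
    if not serial or not country:
        return None
    # Key the account on country + national serial number, never on the
    # display name, which is neither unique nor stable.
    return f"{country}:{serial}"


# Constructed sample in the exact shape getpeercert() produces; not a real card.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "FI"),),
        (("commonName", "Test Person"),),
        (("serialNumber", "123456789A"),),
    ),
    "issuer": (
        (("countryName", "FI"),),
        (("commonName", "EXAMPLE-FI-CITIZEN-CA"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


if __name__ == "__main__":
    # Assumed paths; point them at the trusted national CA bundle and its CRL.
    # ctx = make_client_auth_context("/etc/eid/ca-bundle.pem", "/etc/eid/ca.crl.pem")
    print(identity_from_peercert(SAMPLE_PEERCERT, now=1_750_000_000))
```

On a live socket the flow is `ctx.wrap_socket(sock, server_side=True)`, then `identity_from_peercert(conn.getpeercert())`; because `CERT_REQUIRED` is set, a client without a certificate or with a revoked one never reaches that call. The CRL file must be re-downloaded and reloaded on a schedule, otherwise `VERIFY_CRL_CHECK_LEAF` will start failing handshakes once the CRL's own validity period lapses.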
I'm no expert, so I cannot answer that question on technical level, sorry. I wouldn't even know where to look, or how.
The only thing I can do is to ask dumb questions on a logical level to push on the discussion. Therefore, I try to put the way I have read the stuff about the German ID cards into plain words. When I, as a user, would encounter an application that offers eID as an authentication method, what message does it give me?
Application says: "Yeah, dear visitor, I trust you to log in, because I can determine that you are in possession of a valid government-issued eID"
Is that what you mean with the client certificate - that the application is able to determine the validity of the ID card?
That might work. However, the way that I perceive it, there's an additional component along the way, at least with German cards. During the authentication process, the software "AusweisApp2" (that interfaces with the card reader) gives a message to the user, just before he enters his PIN:
AusweisApp2 says: "Dear Visitor, you are in the process of disclosing your personal data to the following application"
And that's my point: Due to a lack of experience and ways to test, I have no idea whether that application needs to be officially certified, or if any application can interface with AusweisApp2, and it just tells the user
"the application you are about to sign in is not officially certified, so do it at your own risk".
@agrimpelhuber Do you have such an ID card with the reader software? If so, please try the example @olkitu provided and see what it says.
I can add that all of the Swedish eID providers can be connected via SAML2 via a provider, but they require a subscription.
As for the German AusweisApp2, you will need to connect to an eIDAS provider (also a subscription) to authenticate against the app (many of which can also be integrated via SAML); you can make and run your own but need a certificate for that.
This is a good writeup of the German system: https://github.com/erri120/eID-explained
This is most likely blocked by #2859, as after looking at the examples most of these eIDs seem to use certificates.