
Add support for FIDO2 WebAuthn MFA

Open ALescouet opened this issue 2 years ago • 3 comments

Add Okta FIDO2 WebAuthn workflow as a possible second factor using the fido2 python library.

Use --factor-priority webauthn to change this new factor's priority.

Signed-off-by: Alexis Lescouet [email protected]

ALescouet, Sep 29 '22 17:09

@zdave What are your thoughts on this PR? I couldn't test with other hardware tokens, but it works with the YubiKey 5. I also own an older YubiKey 4 that I could test with if you feel that is needed.

ALescouet, Oct 14 '22 08:10

I don't have access to a GlobalProtect+Okta VPN any more, so I can't really test anything. I'd be happy to submit this if it's working for you though. A few comments:

  • If you're going to use click.echo and click.prompt it would be good to convert the existing print/input calls to use these too.
  • I would make the fido2 import optional, like pyotp is, so people don't need to install it unless they want to use it.
  • There's quite a bit of FIDO2 MFA logic so I would pull it out into its own function.
  • The websafe_decode(websafe_encode(obj)) bit in the b64 function seems like a no-op. If it isn't, a comment explaining what is going on should be added!

zdave, Oct 27 '22 00:10
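As an added illustration of two of the review points above (the optional fido2 import and the questioned decode-of-encode in the b64 helper), and not code from this PR or from openconnect-gp-okta: the fallback functions below re-implement, with the standard library only, the base64url-without-padding semantics of python-fido2's `fido2.utils.websafe_encode`/`websafe_decode`, so the script runs whether or not fido2 is installed; the names `b64_roundtrip` and `b64_normalize` and the sample challenge bytes are constructed for this example.

```python
import base64
from typing import Union

# Optional dependency, in the same spirit as the pyotp import in the script:
# use the real helpers when python-fido2 is present, otherwise stdlib
# equivalents with the same semantics (base64url, RFC 4648 section 5, no '=').
try:
    from fido2.utils import websafe_decode, websafe_encode
except ImportError:

    def websafe_encode(data: bytes) -> str:
        """Encode bytes as unpadded base64url, the form WebAuthn exchanges."""
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

    def websafe_decode(data: Union[str, bytes]) -> bytes:
        """Inverse of websafe_encode; restores any stripped '=' padding first."""
        if isinstance(data, str):
            data = data.encode("ascii")
        data += b"=" * (-len(data) % 4)
        return base64.urlsafe_b64decode(data)


def b64_roundtrip(obj: bytes) -> bytes:
    """The expression the reviewer questioned: decode(encode(obj)).

    Encoding bytes and decoding the result always yields the original bytes,
    so on bytes input this is a no-op and can simply be replaced by `obj`.
    """
    return websafe_decode(websafe_encode(obj))


def b64_normalize(text: str) -> str:
    """The opposite order, encode(decode(text)), is NOT a no-op on text.

    A server-supplied base64url value may arrive padded ('AAECAw==') or
    unpadded ('AAECAw'); decoding then re-encoding yields the canonical
    unpadded form that WebAuthn clients and verifiers compare against.
    """
    return websafe_encode(websafe_decode(text))


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed sample challenge, not a real one
    assert b64_roundtrip(challenge) == challenge
    print(websafe_encode(challenge))
    print(b64_normalize("AAECAw=="))  # canonical unpadded form
```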

@zdave Thank you for reviewing this PR. I think I addressed all your comments, please tell me if anything else needs modifying.

ALescouet, Oct 27 '22 15:10