The U2F support only allowed registering a single token. With webauthn there's a separate actuator to manage the devices. We need to evaluate and see what tooling changes we need (e.g. instead of just removing 2FA in total to unblock a user who lost their token, we need to be able to remove a specific one via CLI).
Description
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | MoritzMuehlenhoff | T305518 Upgrade IDPs to CAS 6.6/Bullseye and enable webauthn |
| Open | | None | T311236 Enable webauthn in CAS to replace U2F |
| Open | | None | T380180 Registry of multiple webauthn devices |
Event Timeline
After trying, and failing, to register a passkey, I've been digging through CAS and the java-webauthn-server source code. If we want passkeys we'll need to upgrade to Apereo CAS 7.1.X.
Because CAS cannot limit the type of FIDO2 "compatible" keys to accept, we might need to upgrade. It's confusing that your password manager, browser or operating system offers to handle the "Device Registration" and then CAS fails with:

```
Unrecognized field "authenticatorDisplayName" (class com.yubico.webauthn.data.Extensions$CredentialProperties$CredentialPropertiesOutput), not marked as ignorable (one known property: "rk"]) at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 695] (through reference chain: com.yubico.data.RegistrationResponse["credential"]->com.yubico.webauthn.data.PublicKeyCredential["clientExtensionResults"]->com.yubico.webauthn.data.ClientRegistrationExtensionOutputs["credProps"]->com.yubico.webauthn.data.Extensions$CredentialProperties$CredentialPropertiesOutput["authenticatorDisplayName"])
```

In the W3C spec there are some indications that `authenticatorDisplayName` will change again: https://github.com/w3c/webauthn/issues/2187
It's supposed to be optional, but there seem to be some implementation issues in the YubiKey code, which CAS uses.
Current working configuration:

```
# WebAuthN
cas.authn.mfa.web-authn.core.application-id=https://idp-test.wikimedia.org
cas.authn.mfa.web-authn.core.relying-party-id=wikimedia.org
cas.authn.mfa.web-authn.core.display-name-attribute=Wikimedia Foundation
cas.authn.mfa.web-authn.core.multiple-device-registration-enabled=true
cas.authn.mfa.web-authn.core.allowed-origins=https://idp-test1004.wikimedia.org,https://idp.wikimedia.org
CasFeatureModule.AccountManagement.enabled=true
cas.authn.pm.core.enabled=true
cas.authn.mfa.web-authn.json.location=file:/etc/cas/mfa.json
cas.authn.mfa.web-authn.core.allow-untrusted-attestation=True
```

Depending on the devices we wish to support, we may not need: `cas.authn.mfa.web-authn.core.allow-untrusted-attestation=True`
YubiKeys will work with the default "False", but cheaper keys like uTrust FIDO2 Security Keys will not.
To trigger webauthn for select users, we'll just reuse the groovy script from u2f and set the `mfa-method` field in LDAP to `mfa-webauthn`:

```
cas.authn.mfa.triggers.principal.global-principal-attribute-predicate.location=file:/etc/cas/global_principal_attribute_predicate.groovy
```

```
cas.theme.default-theme-name=wikimedia
# WebAuthN
cas.authn.mfa.web-authn.core.application-id=https://idp-test.wikimedia.org
cas.authn.mfa.web-authn.core.relying-party-id=wikimedia.org
cas.authn.mfa.web-authn.core.display-name-attribute=Wikimedia Foundation
cas.authn.mfa.web-authn.core.multiple-device-registration-enabled=true
cas.authn.mfa.web-authn.core.allowed-origins=https://idp-test1004.wikimedia.org,https://idp.wikimedia.org
CasFeatureModule.AccountManagement.enabled=true
cas.authn.pm.core.enabled=true
cas.authn.mfa.web-authn.json.location=file:/etc/cas/mfa.json
cas.authn.mfa.web-authn.core.allow-untrusted-attestation=True
cas.authn.mfa.triggers.principal.global-principal-attribute-predicate.location=file:/etc/cas/global_principal_attribute_predicate.groovy
```
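The two settings in the configuration above that decide what a WebAuthn registration will accept are `relying-party-id` together with `allowed-origins`, and `allow-untrusted-attestation`. The following is an added example (not CAS or Wikimedia code) that parses a properties block like the one quoted here and flags the conditions a reviewer would check: every allowed origin must be HTTPS and its host must equal the RP ID or be a subdomain of it (the WebAuthn rule for RP ID validity), and untrusted attestation is reported because it means registration is accepted even when the authenticator's attestation cannot be verified against a trusted root. The embedded properties are constructed from the values in this task.

```python
from urllib.parse import urlparse

# Constructed from the configuration quoted in this task, one property per line.
CAS_PROPERTIES = """
# WebAuthN
cas.authn.mfa.web-authn.core.relying-party-id=wikimedia.org
cas.authn.mfa.web-authn.core.allowed-origins=https://idp-test1004.wikimedia.org,https://idp.wikimedia.org
cas.authn.mfa.web-authn.core.allow-untrusted-attestation=True
cas.authn.mfa.web-authn.core.multiple-device-registration-enabled=true
"""

PREFIX = "cas.authn.mfa.web-authn.core."


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def origin_matches_rp_id(origin, rp_id):
    """True if origin is HTTPS and its host is rp_id or a subdomain of rp_id."""
    parsed = urlparse(origin)
    host = parsed.hostname or ""
    if parsed.scheme != "https" or not rp_id:
        return False
    return host == rp_id or host.endswith("." + rp_id)


def check_webauthn_config(props):
    """Return a list of findings for the WebAuthn core properties; empty means nothing to flag."""
    findings = []
    rp_id = props.get(PREFIX + "relying-party-id", "")
    origins = [o for o in props.get(PREFIX + "allowed-origins", "").split(",") if o]
    if not rp_id:
        findings.append("relying-party-id is not set")
    for origin in origins:
        if not origin_matches_rp_id(origin, rp_id):
            findings.append(f"origin {origin} is not covered by relying-party-id {rp_id!r}")
    if props.get(PREFIX + "allow-untrusted-attestation", "false").lower() == "true":
        findings.append("allow-untrusted-attestation is enabled: registrations whose "
                        "attestation cannot be verified against a trusted root are accepted")
    return findings


if __name__ == "__main__":
    for finding in check_webauthn_config(parse_properties(CAS_PROPERTIES)):
        print(finding)
```

Running it against the quoted configuration reports only the untrusted-attestation setting, since both origins are subdomains of the RP ID; flipping that property to `False` yields no findings, which matches the note above that YubiKeys still register with the default.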