Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

stages/authenticator_webauthn: add MDS support #9114

Merged
merged 16 commits into from
Apr 8, 2024
Merged

stages/authenticator_webauthn: add MDS support #9114

merged 16 commits into from
Apr 8, 2024

Conversation

BeryJu
Copy link
Member

@BeryJu BeryJu commented Apr 2, 2024
edited
Loading

Details

Use FIDO Alliances' MDS database to allow restricting which WebAuthn devices may be used.

Also adds some slight QOL improvements like defaulting the webauthn device name to the MDS aaguid description

TODO:

  • GH workflow to automate fetching the MDS database once a month (or every 2 weeks or so)
  • Add tests for enrolling different device types

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@BeryJu BeryJu requested review from a team as code owners April 2, 2024 23:36
@netlify Netlify
Copy link

netlify bot commented Apr 2, 2024
edited
Loading

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit adeb8ea
🔍 Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/660eae19a130790008a4a977
😎 Deploy Preview https://deploy-preview-9114--authentik-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@netlify Netlify
Copy link

netlify bot commented Apr 2, 2024
edited
Loading

Deploy Preview for authentik-storybook ready!

Name Link
🔨 Latest commit adeb8ea
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/660eae1931e795000807599e
😎 Deploy Preview https://deploy-preview-9114--authentik-storybook.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@BeryJu BeryJu requested a review from a team as a code owner April 3, 2024 10:44
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 3, 2024
edited
Loading

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-adeb8ea4c5165969cea8ebb615bf1b4f19a63b27
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-adeb8ea4c5165969cea8ebb615bf1b4f19a63b27-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-adeb8ea4c5165969cea8ebb615bf1b4f19a63b27

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-adeb8ea4c5165969cea8ebb615bf1b4f19a63b27-arm64

Afterwards, run the upgrade commands from the latest release notes.

@BeryJu BeryJu requested a review from a team as a code owner April 3, 2024 14:33
BeryJu added 16 commits April 4, 2024 15:40
@BeryJu
web: align style to show current user for webauthn enroll
40201f4 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
ask for aaguid
1db1312 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
initial MDS import
def8e9a 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add API
f1d3ab6 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add restriction
78339d6 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix api, add actual restriction
87b09cb 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
default authenticator name based on aaguid
c77ad0b 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
connect device with device type
c61f743 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix typo in webauthn stage name
26ac213 
this typo has been around for 3 years 8708e48#diff-bb4aee4a37f4b95c8daa7beb6bf6251d8d2b6deb8c16dce0cd7cb0d6cd71900aR16

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add fido2 dep
b1b5e1b 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add CI pipeline to automate updating blob
31f6d3b 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix tests, include device type
d90175a 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add tests
f173975 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
exclude icon for now
b75b86c 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add passkeys aaguid
703ada2 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
make special unknown device type work, add docs
adeb8ea 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the stages/authenticator_webauthn/aaguid branch from 5bfa4cc to adeb8ea Compare April 4, 2024 13:41
@BeryJu BeryJu merged commit 9f6dca1 into main Apr 8, 2024
63 checks passed
@BeryJu BeryJu deleted the stages/authenticator_webauthn/aaguid branch April 8, 2024 10:21
kensternberg-authentik added a commit that referenced this pull request Apr 9, 2024
@kensternberg-authentik
Merge branch 'main' into dev
c84be1d 
* main: (25 commits)
  root: fix readme (#9178)
  enterprise: fix audit middleware import (#9177)
  web: bump @spotlightjs/spotlight from 1.2.16 to 1.2.17 in /web in the sentry group (#9162)
  web: bump API Client version (#9174)
  stages/authenticator_webauthn: add MDS support (#9114)
  website/integrations: Update Nextcloud OIDC secret size limitation (#9139)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#9170)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#9171)
  web: bump the rollup group in /web with 3 updates (#9164)
  web: bump @codemirror/legacy-modes from 6.3.3 to 6.4.0 in /web (#9166)
  web: bump ts-pattern from 5.1.0 to 5.1.1 in /web (#9167)
  core: bump github.com/go-ldap/ldap/v3 from 3.4.6 to 3.4.7 (#9168)
  core, web: update translations (#9156)
  root: fix redis username in lifecycle (#9158)
  web: ak-checkbox-group for short, static, multi-select events (#9138)
  root: fix startup (#9151)
  core: Bump golang.org/x/oauth2 from 0.18.0 to 0.19.0 (#9146)
  core: Bump twilio from 9.0.3 to 9.0.4 (#9143)
  web: Bump country-flag-icons from 1.5.10 to 1.5.11 in /web (#9144)
  web: Bump typescript from 5.4.3 to 5.4.4 in /web (#9145)
  ...
@BeryJu BeryJu mentioned this pull request Apr 10, 2024
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@BeryJu