Expand passkeys to work without resident keys

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## next
 
+### :star: Feature improvements
+
+* Improve passkey authentication to support WebAuthn devices without discoverable credentials.
+
 ### :wrench: Misc
 
 * Update go dependencies:

proxy/backend-sso.go

@@ -39,6 +39,7 @@ import (
 	jwt "github.com/golang-jwt/jwt/v5"
 
 	"github.com/c2FmZQ/tlsproxy/proxy/internal/cookiemanager"
+	"github.com/c2FmZQ/tlsproxy/proxy/internal/idp"
 	"github.com/c2FmZQ/tlsproxy/proxy/internal/passkeys"
 	"github.com/c2FmZQ/tlsproxy/proxy/internal/tokenmanager"
 )
@@ -170,8 +171,9 @@ func (be *Backend) serveSSOStatus(w http.ResponseWriter, req *http.Request) {
 		Key, Value string
 	}
 	var data struct {
-		Token  string
-		Claims []kv
+		Token    string
+		Claims   []kv
+		Passkeys bool
 	}
 	for _, k := range keys {
 		if k == "iat" {
@@ -188,12 +190,13 @@ func (be *Backend) serveSSOStatus(w http.ResponseWriter, req *http.Request) {
 	}
 	req.URL.Scheme = "https"
 	req.URL.Host = req.Host
-	token, _, err := be.tm.URLToken(w, req, req.URL)
+	token, _, err := be.tm.URLToken(w, req, req.URL, nil)
 	if err != nil {
 		http.Error(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 	data.Token = token
+	_, data.Passkeys = be.SSO.p.(*passkeys.Manager)
 	ssoStatusTemplate.Execute(w, data)
 }
 
@@ -204,12 +207,16 @@ func (be *Backend) serveLogin(w http.ResponseWriter, req *http.Request) {
 		http.Error(w, "invalid request", http.StatusBadRequest)
 		return
 	}
-	url, err := be.tm.ValidateURLToken(w, req, tok)
+	url, claims, err := be.tm.ValidateURLToken(w, req, tok)
 	if err != nil {
 		http.Error(w, "invalid request", http.StatusBadRequest)
 		return
 	}
-	be.SSO.p.RequestLogin(w, req, url.String())
+	var email string
+	if e, ok := claims["email"].(string); ok {
+		email = e
+	}
+	be.SSO.p.RequestLogin(w, req, url.String(), idp.WithLoginHint(email))
 }
 
 func (be *Backend) serveLogout(w http.ResponseWriter, req *http.Request) {
@@ -218,12 +225,12 @@ func (be *Backend) serveLogout(w http.ResponseWriter, req *http.Request) {
 	}
 	req.ParseForm()
 	if tokenStr := req.Form.Get("u"); tokenStr != "" {
-		url, err := be.tm.ValidateURLToken(w, req, tokenStr)
+		url, _, err := be.tm.ValidateURLToken(w, req, tokenStr)
 		if err != nil {
 			http.Error(w, "invalid request", http.StatusBadRequest)
 			return
 		}
-		be.SSO.p.RequestLogin(w, req, url.String())
+		be.SSO.p.RequestLogin(w, req, url.String(), idp.WithSelectAccount(true))
 		return
 	}
 	logoutTemplate.Execute(w, nil)
@@ -236,7 +243,7 @@ func (be *Backend) servePermissionDenied(w http.ResponseWriter, req *http.Reques
 	}
 	req.URL.Scheme = "https"
 	req.URL.Host = req.Host
-	token, url, err := be.tm.URLToken(w, req, req.URL)
+	token, url, err := be.tm.URLToken(w, req, req.URL, nil)
 	if err != nil {
 		http.Error(w, "internal error", http.StatusInternalServerError)
 		return
@@ -284,7 +291,15 @@ func (be *Backend) enforceSSOPolicy(w http.ResponseWriter, req *http.Request) bo
 		}
 		req.URL.Scheme = "https"
 		req.URL.Host = req.Host
-		token, url, err := be.tm.URLToken(w, req, req.URL)
+		var extra map[string]any
+		if claims != nil {
+			if email, ok := claims["email"].(string); ok {
+				extra = map[string]any{
+					"email": email,
+				}
+			}
+		}
+		token, url, err := be.tm.URLToken(w, req, req.URL, extra)
 		if err != nil {
 			http.Error(w, "internal error", http.StatusInternalServerError)
 			return false

proxy/internal/idp/idp.go

@@ -0,0 +1,59 @@
+// MIT License
+//
+// Copyright (c) 2024 TTBT Enterprises LLC
+// Copyright (c) 2024 Robin Thellend <[email protected]>
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+
+package idp
+
+type LoginOptions struct {
+	loginHint     string
+	selectAccount bool
+}
+
+func (o LoginOptions) LoginHint() string {
+	return o.loginHint
+}
+
+func (o LoginOptions) SelectAccount() bool {
+	return o.selectAccount
+}
+
+type Option func(*LoginOptions)
+
+func WithLoginHint(v string) Option {
+	return func(o *LoginOptions) {
+		o.loginHint = v
+	}
+}
+
+func WithSelectAccount(v bool) Option {
+	return func(o *LoginOptions) {
+		o.selectAccount = v
+	}
+}
+
+func ApplyOptions(opts []Option) LoginOptions {
+	var lo LoginOptions
+	for _, opt := range opts {
+		opt(&lo)
+	}
+	return lo
+}

proxy/internal/oidc/client.go

@@ -38,6 +38,8 @@ import (
 	"time"
 
 	jwt "github.com/golang-jwt/jwt/v5"
+
+	"github.com/c2FmZQ/tlsproxy/proxy/internal/idp"
 )
 
 // Config contains the parameters of an OIDC provider.
@@ -144,7 +146,8 @@ func New(cfg Config, er EventRecorder, cm CookieManager) (*ProviderClient, error
 	return p, nil
 }
 
-func (p *ProviderClient) RequestLogin(w http.ResponseWriter, req *http.Request, originalURL string) {
+func (p *ProviderClient) RequestLogin(w http.ResponseWriter, req *http.Request, originalURL string, opts ...idp.Option) {
+	loginOptions := idp.ApplyOptions(opts)
 	ou, err := url.Parse(originalURL)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -187,6 +190,12 @@ func (p *ProviderClient) RequestLogin(w http.ResponseWriter, req *http.Request,
 	if p.cfg.HostedDomain != "" {
 		ep += "&hd=" + url.QueryEscape(p.cfg.HostedDomain)
 	}
+	if hint := loginOptions.LoginHint(); hint != "" {
+		ep += "&login_hint=" + url.QueryEscape(hint)
+	}
+	if loginOptions.SelectAccount() {
+		ep += "&prompt=select_account"
+	}
 	p.cm.SetNonce(w, nonceStr)
 	http.Redirect(w, req, ep, http.StatusFound)
 	p.er.Record("oidc auth request")

proxy/internal/passkeys/auth-template.html

@@ -23,6 +23,11 @@
 #message {
   width: fit-content;
 }
+#loginid {
+  font-size: 125%;
+  margin-top: 2rem;
+  text-align: center;
+}
 </style>
 </head>
 <body>
@@ -32,26 +37,27 @@
     <a class="button" href="{{.Self}}?get=RegisterNewID&redirect={{.Token}}">Register New Identity</a>
 {{- end }}
 {{- if ne .Mode "Login" }}
-    <a class="button" onclick="switchAccount({{.Self}}+'?get=Login&redirect={{.Token}}');">Switch Account</a>
+    <a class="button" onclick="switchAccount({{.Token}});">Switch Account</a>
 {{- end }}
   </div>
   <div id="message">
 {{- if eq .Mode "Login" }}
     <div class="big">🛂</div>
     <div>Authentication required to access</div>
     <div id="target"><a href="{{.URL}}">{{.DisplayURL}}</a></div>
-    <div><a class="button big" onclick="loginWithPasskey({{.Token}});">Continue</a></div>
+    <div><input id="loginid" value="{{.Email}}" placeholder="Email" /></div>
+    <div><a class="button big" onclick="loginWithPasskey({{.Token}}, document.getElementById('loginid').value);">Continue</a></div>
 {{- end }}
 {{- if eq .Mode "RefreshID" }}
     <div>{{.Email}}</div>
-    <div><a class="button" onclick="loginWithPasskey({{.Token}});">Refresh ID</a></div>
+    <div><a class="button" onclick="loginWithPasskey({{.Token}}, {{.Email}});">Refresh ID</a></div>
 {{- end }}
 {{- if eq .Mode "RegisterNewID" }}
     <div>{{.Email}}</div>
   {{- if .IsAllowed }}
     {{- if .IsRegistered }}
     <div>Already Registered</div>
-    <div><a class="button big" onclick="loginWithPasskey({{.Token}});">Continue</a></div>
+    <div><a class="button big" onclick="loginWithPasskey({{.Token}}, {{.Email}});">Continue</a></div>
     {{- else }}
     <div><a class="button" onclick="registerPasskey({{.Token}});">Register This Identity</a></div>
     {{- end }}

proxy/internal/passkeys/manage-template.html

@@ -20,6 +20,7 @@
   gap: 0;
   padding: 0;
   border: solid 1px #606060;
+  background-color: white;
 }
 #keys > div {
   border: solid 1px #404040;