Skip to content

Add FIDO2/WebAuthn (security key) support for Authentik#1529

Open
arharovets wants to merge 2 commits into
Versent:masterfrom
arharovets:authentik-webauthn
Open

Add FIDO2/WebAuthn (security key) support for Authentik#1529
arharovets wants to merge 2 commits into
Versent:masterfrom
arharovets:authentik-webauthn

Conversation

@arharovets

Copy link
Copy Markdown

The Authentik provider only answers the ak-stage-authenticator-validate stage with a typed code (TOTP/static), so users whose Authentik account uses a tap-only FIDO2/WebAuthn security key cannot log in via the CLI at all. The only workaround is the Browser provider but it requires Playwright which only works on Ubuntu.

When the authenticator-validate stage offers a webauthn device and no --mfa-token is supplied, we perform a FIDO assertion against the hardware key and submit it as the webauthn field, instead of submitting a blank code. This reuses the shared FIDO client already used by the Okta and Keycloak providers (okta.NewFidoClient/ChallengeU2F over go-u2fhost).

The behaviour is fully backward compatible: TOTP users keep passing --mfa-token (the code path is unchanged), and responses without a webauthn device fall through to the existing code path.

Note: this uses the U2F/CTAP1 path, which works for tap-only keys where user verification is not required.

Additionally, this preserves loginDetails.URL:
authentikContext now carries its own working url field; updateURL mutates that instead of loginDetails.URL. Previously, the entry URL was overwritten with the final flow step so SaveCredentials stored the password under the wrong key and the saved password was never found on later runs (constant re-prompting; the keychain "Get returned error … item could not be found" message), and the SAML cache key was likewise corrupted.

The Authentik provider only answers the `ak-stage-authenticator-validate` stage with a typed code (TOTP/static), so users whose Authentik account uses a tap-only FIDO2/WebAuthn security key cannot log in via the CLI at all. The only workaround is the Browser provider but it requires Playwright which only works on Ubuntu.

When the `authenticator-validate` stage offers a webauthn device and no `--mfa-token` is supplied, we perform a FIDO assertion against the hardware key and submit it as the `webauthn` field, instead of submitting a blank code. This reuses the shared FIDO client already used by the Okta and Keycloak providers (`okta.NewFidoClient`/`ChallengeU2F` over `go-u2fhost`).

The behaviour is fully backward compatible: TOTP users keep passing `--mfa-token` (the code path is unchanged), and responses without a webauthn device fall through to the existing code path.

Note: this uses the U2F/CTAP1 path, which works for tap-only keys where user verification is not required.

Additionally, this preserves `loginDetails.URL`:
`authentikContext` now carries its own working url field; `updateURL` mutates that instead of `loginDetails.URL`. Previously, the entry URL was overwritten with the final flow step so `SaveCredentials` stored the password under the wrong key and the saved password was never found on later runs (constant re-prompting; the keychain "Get returned error … item could not be found" message), and the SAML cache key was likewise corrupted.
@arharovets arharovets changed the title Add FIDO2/WebAuthn (security key) support Add FIDO2/WebAuthn (security key) support for Authentik Jun 25, 2026
doPostQuery ignores the error from res.Location(): a non-redirect response with no Location header (4xx/5xx from a WAF or upstream, or a redirect missing the header) makes res.Location() return (nil, ErrNoLocation), so loc.String() dereferences a nil *url.URL and panics. Return a wrapped error including the status code instead.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant