Skip to content

stages/authenticator_validate: add ability to limit webauthn device types#9180

Merged
BeryJu merged 6 commits intomainfrom
stages/authenticator_validate/limit-webauthn-types
Apr 11, 2024
Merged

stages/authenticator_validate: add ability to limit webauthn device types#9180
BeryJu merged 6 commits intomainfrom
stages/authenticator_validate/limit-webauthn-types

Conversation

@BeryJu
Copy link
Member

@BeryJu BeryJu commented Apr 8, 2024
edited
Loading

Details

Similarly to #9114, allow restricting which types of WebAuthn devices can be used to authenticate. This is especially useful when users have multiple WebAuthn passkeys that might be required for different scenarios

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@BeryJu BeryJu requested review from a team as code owners April 8, 2024 17:44
@netlify
Copy link

netlify bot commented Apr 8, 2024
edited
Loading

Deploy Preview for authentik-docs canceled.

Name Link
🔨 Latest commit 3e6467b
🔍 Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/6617aa069e59ad000812c2d3

@netlify
Copy link

netlify bot commented Apr 8, 2024
edited
Loading

Deploy Preview for authentik-storybook canceled.

Name Link
🔨 Latest commit 3e6467b
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/6617aa0697eb360008c1d667

@codecov
Copy link

codecov bot commented Apr 8, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 97.14286% with 2 lines in your changes are missing coverage. Please review.

Project coverage is 92.41%. Comparing base (2698d90) to head (3e6467b).
Report is 7 commits behind head on main.

Files Patch % Lines
...thentik/stages/authenticator_validate/challenge.py 84.61% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #9180      +/-   ##
==========================================
+ Coverage   92.40%   92.41%   +0.01%     
==========================================
  Files         646      646              
  Lines       31851    31910      +59     
==========================================
+ Hits        29431    29489      +58     
- Misses       2420     2421       +1
Flag Coverage Δ
e2e 50.41% <11.42%> (-0.06%) ⬇️
integration 26.31% <5.71%> (-0.04%) ⬇️
unit 89.81% <97.14%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@BeryJu BeryJu force-pushed the stages/authenticator_validate/limit-webauthn-types branch 2 times, most recently from c6caf37 to aafbd8c Compare April 8, 2024 18:51
@github-actions
Copy link
Contributor

github-actions bot commented Apr 8, 2024
edited
Loading

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-3e6467b8eb4136c8458406cd77245d3215397b85
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-3e6467b8eb4136c8458406cd77245d3215397b85-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-3e6467b8eb4136c8458406cd77245d3215397b85

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-3e6467b8eb4136c8458406cd77245d3215397b85-arm64

Afterwards, run the upgrade commands from the latest release notes.

@BeryJu BeryJu force-pushed the stages/authenticator_validate/limit-webauthn-types branch from aafbd8c to 8c96d9c Compare April 8, 2024 21:39
@BeryJu BeryJu requested a review from a team as a code owner April 8, 2024 21:39
BeryJu added 2 commits April 10, 2024 20:09
@BeryJu
stages/authenticator_validate: add ability to limit webauthn device t…
60b7d9d 
…ypes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
reword
c8cf1d8 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the stages/authenticator_validate/limit-webauthn-types branch from edf4cdd to c8cf1d8 Compare April 10, 2024 18:09
BeryJu added 2 commits April 10, 2024 20:45
@BeryJu
require enterprise attestation when a device restriction is configure…
bb3238e 
…d as we need the aaguid

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add tests
6b5b999 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu changed the title stages/authenticator_validate: add ability to limit webauthn device t… stages/authenticator_validate: add ability to limit webauthn device types Apr 10, 2024
BeryJu added 2 commits April 10, 2024 20:55
@BeryJu
improve error message
58b6cc1 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add more tests
3e6467b 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the stages/authenticator_validate/limit-webauthn-types branch from d94b991 to 3e6467b Compare April 11, 2024 09:14
@BeryJu BeryJu merged commit fd44bc2 into main Apr 11, 2024
@BeryJu BeryJu deleted the stages/authenticator_validate/limit-webauthn-types branch April 11, 2024 11:10
kensternberg-authentik added a commit that referenced this pull request Apr 12, 2024
@kensternberg-authentik
Merge branch 'main' into dev
cacdf64 
* main:
  website/docs: add more info and links about enforciing unique email addresses (#9154)
  core: bump goauthentik.io/api/v3 from 3.2024022.7 to 3.2024022.8 (#9215)
  web: bump API Client version (#9214)
  stages/authenticator_validate: add ability to limit webauthn device types (#9180)
  web: bump API Client version (#9213)
  core: add user settable token durations (#7410)
  core, web: update translations (#9205)
  web: bump typescript from 5.4.4 to 5.4.5 in /tests/wdio (#9206)
  web: bump chromedriver from 123.0.2 to 123.0.3 in /tests/wdio (#9207)
  core: bump sentry-sdk from 1.44.1 to 1.45.0 (#9208)
  web: bump typescript from 5.4.4 to 5.4.5 in /web (#9209)
  website: bump typescript from 5.4.4 to 5.4.5 in /website (#9210)
  core: bump python from 3.12.2-slim-bookworm to 3.12.3-slim-bookworm (#9211)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BeryJu