Add WebAuthn protocol and use of passkeys in Tuleap.
There are two main usages of passkeys that are targeted:
- Strengthen sensitive parts of the application
Regarding authentication, the goal is to support passkeys as an authentication factor (to replace the use of passwords) in situations where Tuleap is the authentication authority. It is not planned to add support for passkeys as a second factor (2FA) because:
- It would require a massive refactoring of the authentication backend
- Using passkeys as the authentication factor already bakes in 2FA
- If you really need 2FA, you can connect to a third-party auth system that will do it for you and then use OpenID Connect.
At the moment, it is however not possible to use passkeys as the authentication factor without leaking information about the user:
To use a passkey as the first authentication factor, you first need a form with one input: the username. Then you ask the backend for the registered passkeys linked to this username. This is a possible leak: by testing all possible usernames, you can learn who has (or has not) registered a passkey. You can avoid that by creating a fake passkey for users without one, but the pattern can be detected and it becomes useless; there is no ideal solution. The documentation also enumerates some other leaks. In general, at the current state of the WebAuthn API, it is not recommended to do primary authentication with it.
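As an added illustration (not Tuleap code; the user store, the rpId, the function names and the server secret are assumptions), the first step of the username-first flow described above, the decoy workaround, and a check for whether a login-start endpoint answers differently for users with and without a passkey:

```typescript
import { createHmac, randomBytes } from "node:crypto";

// Constructed sample data (not a real Tuleap user table):
// username -> base64url credential IDs registered through WebAuthn.
const REGISTERED: Record<string, string[]> = {
  alice: ["cHVibGljLWtleS1hbGljZQ"],
  bob: [],
};

export interface AssertionOptions {
  challenge: string; // base64url, fresh for every request
  rpId: string;
  allowCredentials: { type: "public-key"; id: string }[];
}

function freshChallenge(): string {
  return randomBytes(32).toString("base64url");
}

// Step 1 of the username-first flow: the backend answers with the passkeys
// linked to the submitted username. An empty allowCredentials list tells the
// caller that this username has no passkey: that is the leak.
export function naiveOptions(username: string): AssertionOptions {
  const ids = REGISTERED[username] ?? [];
  return {
    challenge: freshChallenge(),
    rpId: "tuleap.example", // hypothetical relying party id
    allowCredentials: ids.map((id) => ({ type: "public-key", id })),
  };
}

// Workaround from the text: hand out a decoy credential to users without one.
// Derived with an HMAC so the same username always gets the same decoy; a decoy
// that changed between calls while real IDs stayed stable would stand out.
// As the text notes, the decoy is still detectable by other patterns, so
// passing the check below does not make the flow safe.
export function decoyOptions(username: string, serverSecret: string): AssertionOptions {
  const opts = naiveOptions(username);
  if (opts.allowCredentials.length === 0) {
    const id = createHmac("sha256", serverSecret).update(username).digest("base64url");
    opts.allowCredentials.push({ type: "public-key", id });
  }
  return opts;
}

// Defender's check: does the endpoint answer differently for a user with and
// without a passkey? true means registration state is observable.
export function leaksRegistrationState(
  build: (u: string) => AssertionOptions, withKey: string, withoutKey: string,
): boolean {
  const has = (o: AssertionOptions) => o.allowCredentials.length > 0;
  return has(build(withKey)) !== has(build(withoutKey));
}
```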