Implement the Touch ID credential picker #14493
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Branched from #14492, target changes to master automatically once the base is merged. I suggest reviewing commit-by-commit, as the first few commits are just refactoring and moving a few types around. |
|
Example UX: $ tsh login --proxy=zarquon --auth=passwordless
> Using platform authenticator, follow the OS prompt
(touches sensor)
> [1] wan1
> [2] wan2
> [3] wan3
> Choose the user for login: wan2
(logged in) |
codingllama
force-pushed
the
codingllama/touchid-guard
branch
from
e26cf95 to
def5b95
Compare
codingllama
force-pushed
the
codingllama/touchid-picker2
branch
from
a60d82d to
546716a
Compare
codingllama
force-pushed
the
codingllama/touchid-guard
branch
from
def5b95 to
0f0e7d2
Compare
codingllama
force-pushed
the
codingllama/touchid-picker2
branch
from
546716a to
82516e7
Compare
espadolini
reviewed
Jul 18, 2022
codingllama
force-pushed
the
codingllama/touchid-guard
branch
from
0f0e7d2 to
7ab54c5
Compare
codingllama
force-pushed
the
codingllama/touchid-picker2
branch
from
82516e7 to
8869cc8
Compare
|
Thanks, Edoardo! |
capnspacehook
approved these changes
Jul 18, 2022
codingllama
force-pushed
the
codingllama/touchid-guard
branch
from
7ab54c5 to
098cc74
Compare
codingllama
force-pushed
the
codingllama/touchid-picker2
branch
from
8869cc8 to
03aa7cb
Compare
codingllama
force-pushed
the
codingllama/touchid-guard
branch
from
098cc74 to
642d112
Compare
codingllama
force-pushed
the
codingllama/touchid-picker2
branch
from
03aa7cb to
07f3618
Compare
|
Thanks, folks. @espadolini PTAL? |
espadolini
approved these changes
Jul 18, 2022
codingllama
force-pushed
the
codingllama/touchid-guard
branch
3 times, most recently
from
bee523a to
055aea4
Compare
codingllama
force-pushed
the
codingllama/touchid-picker2
branch
from
07f3618 to
baef09b
Compare
codingllama
force-pushed
the
codingllama/touchid-picker2
branch
from
baef09b to
a43f14a
Compare
codingllama
force-pushed
the
codingllama/touchid-picker2
branch
from
a43f14a to
2112a12
Compare
codingllama
added a commit
that referenced
this pull request
Jul 19, 2022
Implement the Touch ID credential picker. During passwordless authentication, when more than one login is present in Enclave credentials, `tsh` now asks the end user to pick their desired login. Credential picker terminal prompts are preceded by a system Touch ID prompt, which is then reused for authentication, provided less than 10 seconds pass in the meantime. I've done a couple of refactors to make the `CredentialInfo` structs similar between the `webauthncli` and `touchid` packages, so it's easier to trace parallels between them. #13901 * Refactor touchid.CredentialInfo * Refactor wancli.CredentialInfo * Move fido2_prompt*.go to prompt*.go * Define the touchid credential picker API * Add Touch ID credential picker tests * Implement touchid credential picker
codingllama
added a commit
that referenced
this pull request
Jul 19, 2022
Implement the Touch ID credential picker. During passwordless authentication, when more than one login is present in Enclave credentials, `tsh` now asks the end user to pick their desired login. Credential picker terminal prompts are preceded by a system Touch ID prompt, which is then reused for authentication, provided less than 10 seconds pass in the meantime. I've done a couple of refactors to make the `CredentialInfo` structs similar between the `webauthncli` and `touchid` packages, so it's easier to trace parallels between them. To avoid double-prompting users during Touch ID authentication we have to set a grace period in the underlying LAContext and share it between the functions. Note that AuthContextGuard (native) uses the LAContext explicitly, whereas Authenticate (native) uses it through the SecItemCopyMatching query dictionary. #14493: * Refactor touchid.CredentialInfo * Refactor wancli.CredentialInfo * Move fido2_prompt*.go to prompt*.go * Define the touchid credential picker API * Add Touch ID credential picker tests * Implement touchid credential picker #13901: * Allow explicit Touch ID prompts Backports #14492 and #14493. Closes #13901.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implement the Touch ID credential picker.
During passwordless authentication, when more than one login is present in Enclave credentials,
tshnow asks the end user to pick their desired login. Credential picker terminal prompts are preceded by a system Touch ID prompt, which is then reused for authentication, provided less than 10 seconds pass in the meantime.I've done a couple of refactors to make the
CredentialInfostructs similar between thewebauthncliandtouchidpackages, so it's easier to trace parallels between them.#13901