feat(coderd): add FIDO2/WebAuthn hardware key authentication for workspace connections#22077
illera88 wants to merge 2 commits into coder:main
…rkspace connections
Add server-side WebAuthn credential management and JWT-based connection
authentication using FIDO2 hardware security keys (YubiKey, etc.).
Server:
- WebAuthn registration/assertion endpoints under /api/v2/users/{user}/webauthn/
- Short-lived connection JWTs issued after successful key verification
- JTI replay cache prevents token reuse (single-use with --fido2-token-duration=0)
- Enforcement at coordination endpoint (SSH, port-forward, VS Code Remote)
- Three server flags: --require-fido2-connect, --fido2-token-duration,
--require-fido2-user-verification
- Database migration for webauthn_credentials table + webauthn_connect crypto key
Client:
- coder webauthn register/list/delete CLI commands
- coder-fido2 helper binary (separate Go module, CGo + libfido2)
- ConnectionAuthProvider interface for extensibility (future: biometrics, keychain)
- Transparent FIDO2 flow in coder ssh and coder port-forward
Security:
- Session TTL (5min) prevents ceremony session exhaustion
- Body size limits (64KB) on finish/verify endpoints
- Credential name length validation (128 chars)
- Origin canonicalization (scheme://host[:port] only)
- Proxy auth bypass (workspace proxies skip FIDO2 enforcement)
- RBAC enforcement on all credential operations
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d7195cfa2e
…s in list, clean up
- Only enforce JTI replay cache when --fido2-token-duration=0 (single-use). Tokens with positive duration are reusable within their validity window.
- Return 403 instead of 500 for authorization errors in list credentials.
- Remove verbose comments from deployment struct fields.
- Remove PRD from docs.
- Document HA limitation for single-use JTI replay cache.
Summary

Add FIDO2/WebAuthn hardware security key authentication for sensitive workspace operations (SSH, port forwarding). When enabled via --require-fido2-connect, users must physically touch their security key before connecting to workspaces.

Architecture

Why a separate coder-fido2 helper binary?

FIDO2 authentication requires communicating with USB HID devices (YubiKeys, etc.) via the operating system's USB stack. This requires libfido2, a C library, which means CGo. The main coder binary is pure Go and must stay that way for cross-compilation and distribution. To solve this:

- cmd/coder-fido2/ is a separate Go module with its own go.mod. It uses CGo + libfido2 for USB HID communication. It's a small standalone binary (~300 lines) that handles register and assert CTAP2 operations.
- cli/fido2/ in the main module contains pure Go shell-out wrappers (RunRegister, RunAssert) that execute the helper binary, passing JSON on stdin and reading JSON on stdout. Exit codes signal touch timeout (2) or PIN required (3).
- The coder CLI stays pure Go. It calls the helper only when a FIDO2 security key is needed.

There are emerging pure-Go FIDO2 libraries (e.g., mohammadv184/go-fido2 using purego for CGo-free USB HID) that could eliminate the helper binary in the future. This is tracked as a follow-up.

Server-side

- WebAuthn registration/assertion endpoints under /api/v2/users/{user}/webauthn/
- JTI replay cache (single-use with --fido2-token-duration=0)
- webauthn_credentials table

Client-side

- coder webauthn register/list/delete CLI commands
- ConnectionAuthProvider interface for extensibility (future: biometrics, OS keychain)
- Transparent FIDO2 flow in coder ssh and coder port-forward

Server flags

- --require-fido2-connect (default: false)
- --fido2-token-duration (default: 5m0s; 0 = single-use)
- --require-fido2-user-verification (default: false)

Security properties

Known limitations

- coder-fido2 helper must be built and installed separately
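The single-use JTI replay cache described in the second commit message and the server-flags list, as an added illustration that is not code from this PR or from coderd: replay is enforced only when --fido2-token-duration=0, a token with a positive duration is reusable within its validity window, and the cache is per-process memory, which is the HA limitation the PR documents. The names ReplayCache and Admit are assumed, and the jti/exp values are taken to come from an already signature-verified connection JWT.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// Rejection reasons at the coordination endpoint (SSH, port-forward, VS Code Remote).
var ErrTokenExpired = errors.New("connection token expired")
var ErrTokenReplayed = errors.New("connection token already used")

// ReplayCache remembers single-use JTIs until they expire. It is per-process memory,
// so in an HA deployment each replica only knows the JTIs it has admitted itself.
type ReplayCache struct {
	mu        sync.Mutex
	seen      map[string]time.Time // jti -> token expiry, kept so entries can be pruned
	singleUse bool                 // true when --fido2-token-duration=0
}

func NewReplayCache(tokenDuration time.Duration) *ReplayCache {
	return &ReplayCache{seen: map[string]time.Time{}, singleUse: tokenDuration == 0}
}

// Admit decides whether a token with the given jti and exp claims (taken from an
// already signature-verified JWT; illustrative names) may open a connection at time now.
// Expiry is always enforced; the replay check applies only to single-use tokens, since
// tokens issued with a positive duration are reusable within their validity window.
func (c *ReplayCache) Admit(jti string, expiresAt, now time.Time) error {
	if !now.Before(expiresAt) {
		return ErrTokenExpired
	}
	if !c.singleUse {
		return nil
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	for j, exp := range c.seen { // drop JTIs that could no longer pass the expiry check
		if !now.Before(exp) {
			delete(c.seen, j)
		}
	}
	if _, used := c.seen[jti]; used {
		return ErrTokenReplayed
	}
	c.seen[jti] = expiresAt // first use: remember it until the token expires
	return nil
}
```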