Google oauth flow can't use hardware security key
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
People
(Reporter: git, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0
Steps to reproduce:
Tried to log in to a Google account with 2FA activated using a hardware security key (Solokey2 in this case).
Actual results:
When requested "complete sign-in using your security key" (i.e. touch my security key to confirm) by the Google login flow popup, the touch/confirmation is never registered and I can't finish logging in.
I can see the Solokey reacting to my touch and the LED changing colour, so it's connected and registering my touch.
One option I can think of is that nothing is detecting that it might need to have its PIN entered to unlock it first.
Expected results:
The login popup should properly detect the key, ask for a PIN if necessary, and allow me to log in.
Weirder, this is my second time logging in to this account on Thunderbird, this time on a second, freshly installed machine (running Fedora Silverblue 39). On the other machine, running Fedora 39 (regular, not Silverblue), the login flow worked fine.
Comment 1 (Reporter) • 1 year ago
OK, I figured it out, and it's not a Thunderbird issue per se, but it is a bug for this tracker (I think!) because it falls under MZLA's responsibility :)
Using Fedora Silverblue means everything¹ is a flatpak. The Thunderbird flatpak from Flathub does not by default request access to all USB devices. Allowing device=all access made the browser page doing the auth flow find the Solokey and interact with it. (I did this the easy way using Flatseal). I was able to then log in.
Notably, as soon as the authentication requested the security key, it started blinking, which it didn't before.
So closing this and opening a bug against flatpak packaging of Thunderbird.
¹ most graphical applications
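A way to check for the condition described in the comment above, as an added example that is not part of the original report: it parses a Flatpak permission listing and reports whether the `devices` entry includes `all`. The app ID `org.mozilla.Thunderbird` and both sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a Flatpak permission listing grants access to
# all host devices, which a USB security key needs to be visible in the sandbox.

# Constructed samples in the keyfile format printed by
# `flatpak info --show-permissions APP`; not copied from the real package.
SAMPLE_DEFAULT='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=xdg-download;'

SAMPLE_OVERRIDDEN='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;all;
filesystems=xdg-download;'

# Print the devices= entries of the [Context] section, one per line.
context_devices() {
    awk '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && /^devices=/ {
            sub(/^devices=/, "")
            n = split($0, items, ";")
            for (i = 1; i <= n; i++) if (items[i] != "") print items[i]
        }'
}

# Exit 0 when the listing on stdin contains devices=all, 1 otherwise.
has_all_devices() {
    context_devices | grep -qx 'all'
}

# Summarise one listing; $1 is a label, the listing is read from stdin.
report() {
    if has_all_devices; then
        echo "$1: device=all granted (key reachable; every host device is exposed to the app)"
    else
        echo "$1: no device=all (USB security key is hidden from the app)"
    fi
}

printf '%s\n' "$SAMPLE_DEFAULT" | report "default"
printf '%s\n' "$SAMPLE_OVERRIDDEN" | report "after override"

# On a real system (assumed app ID org.mozilla.Thunderbird):
#   flatpak info --show-permissions org.mozilla.Thunderbird | report installed
#   flatpak override --user --device=all org.mozilla.Thunderbird
```

`device=all` exposes every host device node to the application, not only the security key, so the override can be undone with `flatpak override --user --reset` once packaging grants a narrower permission.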