Bug 1217789 - thunderbird does not support authentication with hardware key
Summary: thunderbird does not support authentication with hardware key
Status: CONFIRMED
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: X11 Applications
Version: Leap 15.5
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: Mozilla Bugs
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-04 17:31 UTC by Michal Suchanek
Modified: 2023-12-05 12:34 UTC
CC List: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Flags: martin.sirringhaus: needinfo?


Attachments
step1 (59.57 KB, image/png) - 2023-12-04 17:31 UTC, Michal Suchanek
step2 (68.54 KB, image/png) - 2023-12-04 17:32 UTC, Michal Suchanek
step3 (79.41 KB, image/png) - 2023-12-04 17:32 UTC, Michal Suchanek

Description Michal Suchanek 2023-12-04 17:31:24 UTC
When signing in to Google, Thunderbird waits for the hardware key to become available forever.

In a web browser the Okta authentication works.
Comment 1 Michal Suchanek 2023-12-04 17:31:44 UTC
Created attachment 871144 [details]
step1
Comment 2 Michal Suchanek 2023-12-04 17:32:07 UTC
Created attachment 871145 [details]
step2
Comment 3 Michal Suchanek 2023-12-04 17:32:25 UTC
Created attachment 871146 [details]
step3
Comment 4 Martin Sirringhaus 2023-12-05 08:38:17 UTC
I can't reproduce this on SLES (which is the same binary).

Therefore, a couple of questions:
1. Just to be sure: It's not flatpak, right?
2. Which Thunderbird version are you using?
3. Have you tried plugging the key out and back in again, while you are being prompted for it?
4. Can you reproduce the bug with the upstream tarball?
5. Please start TB from the commandline with `RUST_LOG=authenticator=debug thunderbird`

Thanks!
Comment 5 Michal Suchanek 2023-12-05 11:02:29 UTC
1) 2) MozillaThunderbird-115.5.0-150200.8.139.1.x86_64
3) yes
4) What would be the 'upstream' these days? Mozilla offers Firefox, Pocket, Mozilla VPN .. but not Thunderbird?

5)

 RUST_LOG=authenticator=debug thunderbird |& tee thunderbird.log
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
[INFO  authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw0")): Permission denied (os error 13)
[INFO  authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw4")): Permission denied (os error 13)
[INFO  authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw1")): Permission denied (os error 13)
[INFO  authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[INFO  authenticator::transport::platform::device] new device "/dev/hidraw3"
[INFO  authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw7")): Permission denied (os error 13)
[INFO  authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw8")): Permission denied (os error 13)
[INFO  authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[INFO  authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[INFO  authenticator::statemachine] Device "/dev/hidraw3" continues with the signing process
[INFO  authenticator::statemachine] PIN Error that requires user interaction detected. Sending it back and waiting for a reply
[INFO  authenticator::statemachine] Statemachine was cancelled. Cancelling transaction now.
[INFO  authenticator::transport::platform::transaction] Transaction was cancelled.
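The log in comment 5 is the kind of output one ends up reading repeatedly while chasing this. The script below is an added example, not code from the bug report or from Thunderbird/authenticator-rs: it parses lines in the format quoted above (the sample log is constructed to match that format) and summarises per device node what happened, separating hidraw nodes the user cannot open (typically non-FIDO HID devices that are still probed) from the device that actually entered the signing state machine, and flagging the PIN-request-then-cancel sequence that this bug shows. The matched message strings are taken from the quoted log; the verdict labels and the `Triage` structure are my own assumptions, not authenticator-rs identifiers.

```python
"""Triage helper for `RUST_LOG=authenticator=debug thunderbird` output.

Added example (not from the bug report or from authenticator-rs). Reads the
authenticator log lines, ignores unrelated noise (e.g. the mesa_glthread
warnings) and reports which hidraw node was used, whether a PIN was
requested, and whether the transaction was cancelled before the PIN dialog
could have been answered.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input in the format quoted in comment 5.
SAMPLE_LOG = """\
ATTENTION: default value of option mesa_glthread overridden by environment.
[INFO  authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw0")): Permission denied (os error 13)
[INFO  authenticator::statemachine] error happened with device: Error: Ioerror(Some("/dev/hidraw4")): Permission denied (os error 13)
[INFO  authenticator::statemachine] error happened with device: Error: requested operation is not available on device
[INFO  authenticator::transport::platform::device] new device "/dev/hidraw3"
[INFO  authenticator::statemachine] Device "/dev/hidraw3" continues with the signing process
[INFO  authenticator::statemachine] PIN Error that requires user interaction detected. Sending it back and waiting for a reply
[INFO  authenticator::statemachine] Statemachine was cancelled. Cancelling transaction now.
"""

LINE_RE = re.compile(r'^\[(\w+)\s+([\w:]+)\]\s+(.*)$')
IOERR_RE = re.compile(r'Ioerror\(Some\("([^"]+)"\)\): (.*)$')
NEWDEV_RE = re.compile(r'new device "([^"]+)"')
SIGNING_RE = re.compile(r'Device "([^"]+)" continues with the signing process')

# Message fragments as they appear in the quoted log.
PIN_MSG = "PIN Error that requires user interaction detected"
CANCEL_MSG = "Statemachine was cancelled"
NOT_FIDO_MSG = "requested operation is not available on device"


@dataclass
class Triage:
    permission_denied: List[str] = field(default_factory=list)  # nodes we could not open
    not_fido: int = 0                                             # nodes that are HID but not FIDO
    opened: List[str] = field(default_factory=list)               # nodes the transport accepted
    signing_device: Optional[str] = None
    pin_requested: bool = False
    cancelled: bool = False

    def verdict(self) -> str:
        """Hypothetical verdict labels; wording is this example's own."""
        if self.signing_device and self.pin_requested and self.cancelled:
            return (f"PIN_DIALOG_MISSING: {self.signing_device} asked for a PIN and the "
                    "client cancelled instead of prompting; workaround from the thread is "
                    "security.webauthn.ctap2=false (CTAP1/U2F fallback, which has no PIN)")
        if self.signing_device and not self.cancelled:
            return f"OK: {self.signing_device} completed the signing state machine"
        if self.signing_device is None:
            return ("NO_FIDO_DEVICE: no hidraw node entered signing; "
                    f"{len(self.permission_denied)} node(s) unreadable, "
                    f"{self.not_fido} non-FIDO node(s)")
        return f"CANCELLED: {self.signing_device} started signing but the transaction was cancelled"


def triage(log_text: str) -> Triage:
    t = Triage()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # GL/mesa noise and anything else not from the Rust logger
        _level, target, msg = m.groups()
        if not target.startswith("authenticator::"):
            continue
        io = IOERR_RE.search(msg)
        newdev = NEWDEV_RE.search(msg)
        signing = SIGNING_RE.search(msg)
        if io and "Permission denied" in io.group(2):
            t.permission_denied.append(io.group(1))
        elif NOT_FIDO_MSG in msg:
            t.not_fido += 1
        elif newdev:
            t.opened.append(newdev.group(1))
        elif signing:
            t.signing_device = signing.group(1)
        elif PIN_MSG in msg:
            t.pin_requested = True
        elif CANCEL_MSG in msg:
            t.cancelled = True
    return t


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    result = triage(text)
    print(f"unreadable: {result.permission_denied}")
    print(f"non-FIDO:   {result.not_fido}")
    print(f"opened:     {result.opened}")
    print(result.verdict())
```

Pipe the captured log in (`python3 triage.py < thunderbird.log`) or run it without input to process the embedded sample. Permission-denied nodes on their own are not the bug: the key in this report (/dev/hidraw3) opened fine and the unreadable nodes are simply other HID devices the transport probes; they only matter when no node reaches the signing step.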
Comment 6 Martin Sirringhaus 2023-12-05 11:19:51 UTC
Thanks!

4.) https://www.thunderbird.net/

5.) Ok, I think I may see the problem. I'll have to verify it, but it seems your hardware token is PIN protected and maybe Thunderbird can't open the PIN-dialog and thus 'everybody' is waiting until the timeout hits.

As a workaround, you could try to open about:config ("Config editor" in the settings search) and deactivate `security.webauthn.ctap2` for now.
And/Or try a second hardware token, if you have, without a PIN.
Comment 7 Michal Suchanek 2023-12-05 11:23:52 UTC
Yes, looks like Thunderbird is asking /dev/null for a PIN.

It will, of course, not work without one.

It correctly detects that it needs one.

Okta insists on one. In fact it registered the key without one initially and then re-registered with PIN.
Comment 8 Michal Suchanek 2023-12-05 11:31:55 UTC
> 4.) https://www.thunderbird.net/

Does the same, except it stores the profile in a different location and needs to be set up again.
Comment 9 Martin Sirringhaus 2023-12-05 11:57:48 UTC
> As a workaround, you could try to open about:config ("Config editor" in the settings search) and deactivate `security.webauthn.ctap2` for now.

This works, btw.
I just tested this by adding a token with PIN-protection to Okta, flipped this config in Thunderbird and could log in.
Unless your hardware key does not support FIDO1 (which almost all do), you should be able to use it like this for now.
(Yes, one can bypass the PIN-protection this way. Yes, this is how the spec was designed. Don't blame me, I wasn't involved.)

This needs an upstream bugreport, though. Thunderbird should be able to display the PIN-dialog.
Comment 10 Michal Suchanek 2023-12-05 12:34:40 UTC
Indeed, the specification does not have to make sense.