FIDO2 Support #122

Open
Gameheld opened this issue Jul 25, 2024 · 3 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@Gameheld
Contributor

Currently, only TOTP is supported. Since I only have FIDO2 authentication for my Moodle, it would be great if it would be supported as well.

@septatrix
Collaborator

That's not really feasible, TOTP is a simple form field which we can parse/fill but FIDO2 must be handled by the browser using JavaScript AFAIK. The alternative here would be to use the Moodle API which can work with a token, however, that would limit support for non-Moodle stuff with RWTH SSO. I think that would be Sciebo, maybe also the video service (OpenCast?) but I am not sure about that

@D-VR
Collaborator

D-VR commented Aug 25, 2024

> That's not really feasible, TOTP is a simple form field which we can parse/fill but FIDO2 must be handled by the browser using JavaScript AFAIK. The alternative here would be to use the Moodle API which can work with a token, however, that would limit support for non-Moodle stuff with RWTH SSO. I think that would be Sciebo, maybe also the video service (OpenCast?) but I am not sure about that

+1 Adding TOTP support is easy, having actual FIDO2 support would require more effort.
Probably the "easiest" way would be to launch an actual browser window you have to log into with FIDO. This could also be the default fallback if no 2FA method is configured.

@D-VR D-VR added the enhancement New feature or request label Aug 25, 2024
@D-VR D-VR added the help wanted Extra attention is needed label Jan 18, 2025
@D-VR
Collaborator

D-VR commented Jan 18, 2025

My idea to accomplish this would be to use Selenium or Playwright, which launches a browser window to the SSO, the user completes the FIDO and we extract the auth token.

Example code of how it could look:

```python
from playwright.sync_api import sync_playwright

def login_with_fido_and_get_token(sso_url):
    with sync_playwright() as p:
        # Launch the browser
        browser = p.chromium.launch(headless=False)  # Set to False to show browser UI
        context = browser.new_context()
        page = context.new_page()

        # Navigate to the SSO login page
        page.goto(sso_url)

        # Wait for user to complete login (e.g., button click to finalize)
        print("Please complete the FIDO login in the browser.")
        page.wait_for_url("**/redirect_url_after_login", timeout=30000)  # Adjust the timeout as needed

        # Extract the token from cookies, URL, or response
        cookies = context.cookies()
        for cookie in cookies:
            if cookie['name'] == 'auth_token':  # Replace with the actual token cookie name
                auth_token = cookie['value']
                break
        else:
            auth_token = None  # Handle cases where token isn't found

        # Clean up
        browser.close()

        return auth_token
```

This solution should be the most future proof as we don't have to maintain any FIDO auth ourselves and it would be compatible with other non-password-based logins. Of course only if it works in the first place.

However this should probably be a conditional install for syncmymoodle as afaik Selenium and Playwright would need substantial dependencies (We probably need to get a Chromedriver?)

If someone has interest in this and a FIDO key, feel free to make a PR :)
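An added example (not part of the original comment or the syncmymoodle code): before persisting what the browser session returns, keep only unexpired, Secure cookies scoped to the SSO host and write them to a file readable only by the owner. The host `sso.example.edu`, the cookie names and both function names are assumptions; the dict shape is the one Playwright's `context.cookies()` returns.

```python
import json
import os
import time
from urllib.parse import urlsplit

# Constructed sample in the shape returned by Playwright's context.cookies().
SAMPLE_COOKIES = [
    {"name": "session", "value": "s1", "domain": "sso.example.edu", "secure": True, "expires": -1},
    {"name": "parent", "value": "p1", "domain": ".example.edu", "secure": True, "expires": 1_800_000_000},
    {"name": "tracker", "value": "t1", "domain": "ads.example.net", "secure": True, "expires": -1},
    {"name": "insecure", "value": "i1", "domain": "sso.example.edu", "secure": False, "expires": -1},
    {"name": "stale", "value": "o1", "domain": "sso.example.edu", "secure": True, "expires": 1_600_000_000},
]


def select_session_cookies(cookies, sso_url, now=None):
    """Return only unexpired, Secure cookies whose domain covers the SSO host."""
    host = (urlsplit(sso_url).hostname or "").lower()
    if not host:
        return []
    now = time.time() if now is None else now
    kept = []
    for cookie in cookies:
        domain = cookie.get("domain", "").lstrip(".").lower()
        # Accept an exact host match or a parent-domain cookie, nothing else.
        if not domain or not (host == domain or host.endswith("." + domain)):
            continue
        if not cookie.get("secure"):
            continue  # never persist a cookie that may travel over plain HTTP
        expires = cookie.get("expires", -1)  # -1 marks a session cookie
        if expires != -1 and expires <= now:
            continue
        kept.append(cookie)
    return kept


def save_cookies_private(cookies, path):
    """Write the cookies as JSON to a file only the owner can read or write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(cookies, handle)
    os.chmod(path, 0o600)  # tighten the mode if the file already existed
```
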
