Skip to content

GUACAMOLE-2281: Add WebAuthn passthrough relay over auth-challenge.#1218

Open
aleitner wants to merge 1 commit into
apache:mainfrom
aleitner:GUACAMOLE-2281-webauthn-passthrough
Open

GUACAMOLE-2281: Add WebAuthn passthrough relay over auth-challenge.#1218
aleitner wants to merge 1 commit into
apache:mainfrom
aleitner:GUACAMOLE-2281-webauthn-passthrough

Conversation

@aleitner

@aleitner aleitner commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Adds a WebAuthn passthrough relay that runs ceremonies on the user's local authenticator on behalf of a remote session. The server opens an inbound auth-challenge stream carrying the ceremony request body; the relay runs the WebAuthn ceremony and replies on an outbound auth-response stream.

guacamole-common-js (Client.js)

sendAuthChallenge and sendAuthResponse returning a Guacamole.OutputStream the caller writes the body to.
onauthchallenge and onauthresponse events firing with (stream, mimetype, challengeId).
Matching auth-challenge and auth-response instruction handlers.
Angular client

ManagedClient routes inbound auth-challenge streams to ManagedWebAuthn based on mimetype (application/x-webauthn-create+json or application/x-webauthn-get+json), acking unsupported mimetypes.
ManagedWebAuthn assembles the challenge body off the stream, runs the ceremony via the existing webAuthnService under an AbortController keyed by challenge_id, and writes the credential or error JSON back on an auth-response stream.
On tunnel CLOSED, abortAll dismisses the local authenticator UI for any ceremonies left in flight.

Guacamole Server PR

Comment thread guacamole/src/main/frontend/src/app/client/types/ManagedWebAuthn.js Outdated
Comment thread guacamole/src/main/frontend/src/app/client/types/ManagedWebAuthn.js Outdated
Comment thread guacamole/src/main/frontend/src/app/client/types/ManagedClient.js Outdated
Comment thread guacamole/src/main/frontend/src/app/webauthn/services/webAuthnService.js Outdated
Comment thread guacamole/src/main/frontend/src/app/client/types/ManagedWebAuthn.js Outdated
@aleitner aleitner force-pushed the GUACAMOLE-2281-webauthn-passthrough branch 4 times, most recently from 30fa8e1 to 7d9d4ca Compare June 4, 2026 08:25
@necouchman necouchman marked this pull request as draft June 5, 2026 01:14
@aleitner aleitner marked this pull request as ready for review June 8, 2026 05:37

@bbennett-ks bbennett-ks left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noticed this reviewing the server side.

Comment thread guacamole-common-js/src/main/webapp/modules/Client.js Outdated
@aleitner aleitner force-pushed the GUACAMOLE-2281-webauthn-passthrough branch 2 times, most recently from 26d3fdf to bf1a524 Compare June 9, 2026 03:07

@bbennett-ks bbennett-ks left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@aleitner aleitner force-pushed the GUACAMOLE-2281-webauthn-passthrough branch 2 times, most recently from 5b8e72c to d40302f Compare June 17, 2026 03:59
Adds a WebAuthn passthrough relay that runs ceremonies on the user's
local authenticator on behalf of a remote session. The server opens an
inbound auth-challenge stream carrying the ceremony request body; the
relay runs the WebAuthn ceremony and replies on an outbound
auth-response stream.

Updates to guacamole-common-js (Client.js):

 - sendAuthChallenge and sendAuthResponse methods returning a
   Guacamole.OutputStream the caller writes the body to.

 - onauthchallenge and onauthresponse events firing with
   (stream, mimetype, challengeId) for inbound streams.

 - Matching auth-challenge and auth-response instruction handlers.

Updates to the Angular client:

 - ManagedClient routes inbound auth-challenge streams to
   ManagedWebAuthn based on mimetype (application/x-webauthn-create+json
   or application/x-webauthn-get+json), acking unsupported mimetypes.

 - ManagedWebAuthn assembles the challenge body off the stream, runs
   the ceremony via the existing webAuthnService under an
   AbortController keyed by challenge_id, and writes the credential or
   error JSON back on an auth-response stream.

 - On tunnel CLOSED, abortAll dismisses the local authenticator UI for
   any ceremonies left in flight.
@aleitner aleitner force-pushed the GUACAMOLE-2281-webauthn-passthrough branch from d40302f to d8de0f6 Compare June 22, 2026 07:49
@aleitner aleitner changed the title GUACAMOLE-2281: Add WebAuthn passthrough relay over req/done/cancel. GUACAMOLE-2281: Add WebAuthn passthrough relay over auth-challenge. Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants