Passkey User Verification device

[phsmadja]

Initial Revision - support of Passkey User Verification device (fingerprint). Fallback to PIN if the verification fails or the device does not support user verification. Adding command to obtain device information of the device supporting key handle (passkey mapping).

[alexey-tikhonov]

Unit tests are failing:

[ RUN      ] test_select_authenticator
[  ERROR   ] --- No entries for symbol __wrap_fido_dev_has_pin.
src/tests/cmocka/test_passkey_child.c:276: error: Could not get value to mock function __wrap_fido_dev_has_pin
src/tests/cmocka/test_passkey_child.c:942: note: Previously returned mock value was declared here
[  FAILED  ] test_select_authenticator

[ RUN      ] test_request_assert
[  ERROR   ] --- 0x36 != 0
[   LINE   ] --- src/tests/cmocka/test_passkey_child.c:1157: error: Failure!
[  FAILED  ] test_request_assert

[ RUN      ] test_authenticate_integration
[  ERROR   ] --- Test failed with exception: Segmentation fault(11)
[  FAILED  ] test_authenticate_integration
[ RUN      ] test_get_assert_data_integration
[  ERROR   ] --- Test failed with exception: Segmentation fault(11)
[  FAILED  ] test_get_assert_data_integration

see, for example, https://download.copr.fedorainfracloud.org/results/@sssd/pr7997/fedora-41-x86_64/09156446-sssd/builder-live.log.gz

[alexey-tikhonov]

Diff (https://github.com/SSSD/sssd/pull/7997/files) looks very weird. Is this because of newline character change?

[phsmadja]

Hi Alexey.I am new according sssd dev. I use emacs and i dont understand the problem of  intempestives new lines.If you can also  help me to fix the test procédures :), i will appreciate.The objective of the dev is to support device supporting user verification (fingerprint) and pin as fallback.   Thanks for your comments. Philippe Envoyé à partir de Outlook pour AndroidDe : Alexey A Tikhonov ***@***.***>Envoyé : jeudi, juin 12, 2025 5:21:41 PMÀ : SSSD/sssd ***@***.***>Cc : phsmadja ***@***.***>; Author ***@***.***>Objet : Re: [SSSD/sssd] Passkey User Verification device (PR #7997)alexey-tikhonov left a comment (SSSD/sssd#7997)Unit tests are failing:[ RUN ] test_select_authenticator [ ERROR ] --- No entries for symbol __wrap_fido_dev_has_pin. src/tests/cmocka/test_passkey_child.c:276: error: Could not get value to mock function __wrap_fido_dev_has_pin src/tests/cmocka/test_passkey_child.c:942: note: Previously returned mock value was declared here [ FAILED ] test_select_authenticator [ RUN ] test_request_assert [ ERROR ] --- 0x36 != 0 [ LINE ] --- src/tests/cmocka/test_passkey_child.c:1157: error: Failure! [ FAILED ] test_request_assert [ RUN ] test_authenticate_integration [ ERROR ] --- Test failed with exception: Segmentation fault(11) [ FAILED ] test_authenticate_integration [ RUN ] test_get_assert_data_integration [ ERROR ] --- Test failed with exception: Segmentation fault(11) [ FAILED ] test_get_assert_data_integration see, for example, ***@***.***/pr7997/fedora-41-x86_64/09156446-sssd/builder-live.log.gz—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.

[ikerexxe]

I think the IDE has played a trick on you because it has changed the indentation in all passkey related files and made it very difficult to review the changes.

In addition, SSSD understands the user-verification as any additional authentication factor (either be it the fingerprint or the PIN), so if it is enabled it will always request them and the fallback will be handled by SSSD silently. What is it exactly you are trying to achieve with this PR?

[phsmadja]

Hello, Thanks for your message.What i did - briefly. Add a new command to obtain device information: does the device support user verification ?  if  no,  display the  pin interface as usual. If yes, do not display pin interface which is useless and inform the user she/he has perform user verification (fingerprint). If the UV fails  fallback to  pin use case. Note.  About intempestive new lines,   i will try to fix.  About the test failures. I do not know how to run the test suite (i am new in sssd software development) Thanks for your help and any remarks, fixes,  suggestions ...The best.Philippe Envoyé à partir de Outlook pour AndroidDe : Iker Pedrosa ***@***.***>Envoyé : vendredi, juin 13, 2025 11:21:52 AMÀ : SSSD/sssd ***@***.***>Cc : phsmadja ***@***.***>; Author ***@***.***>Objet : Re: [SSSD/sssd] Passkey User Verification device (PR ***@***.*** commented on this pull request.I think the IDE has played a trick on you because it has changed the indentation in all passkey related files and made it very difficult to review the changes.In addition, SSSD understands the user-verification as any additional authentication factor (either be it the fingerprint or the PIN), so if it is enabled it will always request them and the fallback will be handled by SSSD silently. What is it exactly you are trying to achieve with this PR?—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.

[phsmadja]

Hello, I fixed the file formatting. The differences are now easier to understand. Still in progress to understand why the passkey tests fail. I still have issue to “make check” with “Missing new line at the eof” : src/tests/system/data/test_ipa/certificate The same for test_passkey scripts. The best Philippe De : Iker Pedrosa ***@***.***> Envoyé : vendredi 13 juin 2025 11:22 À : SSSD/sssd ***@***.***> Cc : phsmadja ***@***.***>; Author ***@***.***> Objet : Re: [SSSD/sssd] Passkey User Verification device (PR #7997) @ikerexxe commented on this pull request. I think the IDE has played a trick on you because it has changed the indentation in all passkey related files and made it very difficult to review the changes. In addition, SSSD understands the user-verification as any additional authentication factor (either be it the fingerprint or the PIN), so if it is enabled it will always request them and the fallback will be handled by SSSD silently. What is it exactly you are trying to achieve with this PR? — Reply to this email directly, view it on GitHub <#7997 (review)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJT5YRLE7GOHOTKNEOUXE6T3DKJ3BAVCNFSM6AAAAAB7FVIVS2VHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDSMRUGAYDKMBSHE> . You are receiving this because you authored the thread. <https://github.com/notifications/beacon/AJT5YRNIJKN5Y6UIUN2SPOT3DKJ3BA5CNFSM6AAAAAB7FVIVS2WGG33NNVSW45C7OR4XAZNRKB2WY3CSMVYXKZLTORJGK5TJMV32UY3PNVWWK3TUL5UWJTVOJDDKK.gif> Message ID: ***@***.*** ***@***.***> >

[phsmadja]

Hello,
The build of my passkeyuv branch tagged "fix passkey integration tests" (21 jun 2025) is fully successfull.
Could you tell me what is the next step to have an external revue of the code ?
Of course, all remarks, suggestions, updates, fixes, propositions are welcome !
The best. Philippe.

[ikerexxe]

This concept seems to align well with a preflight mode for FIDO2 authentication, where the system first assesses the environment and available device configuration options, such as user-verification. If the system already possesses validated user-verification information, it should be possible to omit the PIN request during the authentication stage. Am I understanding this correctly?

If so, we're already working on a similar pattern in #7631 and #7983. However, these PRs don't yet incorporate the omission of the PIN request when user-verification has been validated by other means, as our current focus is on establishing a robust passkey/FIDO2 authentication workflow within the GUI.

[phsmadja]

Hello Ike,
my proposition is an implementation of a preflight mode. According the device capabilities, the user interface omits th presentation PIN request. On user verification failure, it fallbacks to PIN request.
What is missing:

1. Display of the remaining PIN retries.
2. Translation of the UI messages according the language.
   What I do not like in my implementation (but I do not know how to fix):
3. Usage of file indicators as communication means between different sss-client process.
4. Performance of the User Interface.
5. The fact that the "connect your passkey device" message is still displayed during the finalisation of the login (after valid user verification).

The best
Philippe

[phsmadja]

Please find attached a document .ods describing the use cases that have been implemented. Of course, the use cases shall be properly described using professional tool used by the community. Hoping this document is explicit enough.
Passkeyuv - use cases.ods

Cheers
Philippe

[ikerexxe]

Hi @phsmadja,

Thanks for this PR! I really like the changes and the UX improvement it brings.

However, this work collides a bit with what we're currently doing in #7983. That PR is setting up the basic infrastructure to communicate preflight options from the passkey child to the SSSD process. Once it's merged, it should be quite straightforward to integrate the user-verification data and implement this improved UX workflow.

Would you be open to holding off on merging this until #7983 is in? We can then build on top of that foundational work.

[phsmadja]

Hi Ike. Thanks for you for liking it. My work is more or less a prove of concept and i'm pretty sure it can be implemented in a nicer way.
You can get my work and fusion it with #7953. Sure we will have a very good result according the UI and fonctionnalities '(adding number of retries, lock user interface). I do not have more bandwidth to propose a merging to the community, hoping you can do the work.
The best. Philippe