stages/authenticator_webauthn: add MDS support (#9114)
* web: align style to show current user for webauthn enroll
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* ask for aaguid
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* initial MDS import
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add API
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add restriction
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix api, add actual restriction
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* default authenticator name based on aaguid
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* connect device with device type
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix typo in webauthn stage name
this typo has been around for 3 years 8708e487ae (diff-bb4aee4a37f4b95c8daa7beb6bf6251d8d2b6deb8c16dce0cd7cb0d6cd71900aR16)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add fido2 dep
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add CI pipeline to automate updating blob
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix tests, include device type
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* exclude icon for now
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add passkeys aaguid
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* make special unknown device type work, add docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
		@ -4,4 +4,26 @@ title: WebAuthn authenticator setup stage
This stage configures a WebAuthn-based Authenticator. This can either be a browser, biometrics or a Security stick like a YubiKey.
There are no stage-specific settings.
### `User verification`
Configure if authentik should require, prefer or discourage user verification for the authenticator. For example when using a virtual authenticator like Windows Hello, this setting controls if a PIN is required.
### `Resident key requirement`
Configure if the created authenticator is stored in the encrypted memory on the device or in persistent memory. When configuring [passwordless login](../identification/index.md#passwordless-flow), this should be set to either _Preferred_ or _Required_, otherwise the authenticator cannot be used for passwordless authentication.
### `Authenticator Attachment`
Configure if authentik will require either a removable device (like a YubiKey, Google Titan, etc) or a non-removable device (like Windows Hello, TouchID or password managers), or not send a requirement.
### `Device type restrictions`
:::info
Requires authentik 2024.4
:::
Optionally restrict the types of devices allowed to be enrolled. This option can be used to ensure users are only able to enroll FIPS-compliant devices for example.
When no restrictions are selected, all device types are allowed.
As authentik does not know of all possible device types, it is possible to select the special option `authentik: Unknown devices` to allow unknown devices.
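Review bot: the line `There are no stage-specific settings.` is still present directly above the `User verification`, `Resident key requirement`, `Authenticator Attachment` and `Device type restrictions` sections that this hunk introduces, so the page now contradicts itself; remove that sentence or replace it with a lead-in such as "The stage has the following settings:". In the `Device type restrictions` paragraphs, state explicitly what happens when restrictions are selected but `authentik: Unknown devices` is not: an authenticator whose AAGUID is not in the imported metadata will presumably be rejected at enrollment, and an administrator reading "all device types are allowed" for the empty case will want the non-empty case spelled out too. It would also help to say where the device type list comes from (the FIDO MDS blob this commit imports and updates via CI), since the FIPS example only holds as long as that blob is current. Minor wording in the context line: "Security stick" should be "security key".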