stages/authenticator_validate: add ability to limit webauthn device types (#9180)

* stages/authenticator_validate: add ability to limit webauthn device types Signed-off-by: Jens Langhammer <jens@goauthentik.io> * reword Signed-off-by: Jens Langhammer <jens@goauthentik.io> * require enterprise attestation when a device restriction is configured as we need the aaguid Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * improve error message Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add more tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-04-11 13:10:05 +02:00
parent 35448f6017
commit fd44bc2bec
14 changed files with 398 additions and 83 deletions
--- a/website/docs/flow/stages/authenticator_validate/index.md
+++ b/website/docs/flow/stages/authenticator_validate/index.md
@ -72,3 +72,15 @@ Logins which used Passwordless authentication have the _auth_method_ context var
    }
 }
 ```
+
+### `WebAuthn Device type restrictions`
+
+:::info
+Requires authentik 2024.4
+:::
+
+Optionally restrict which WebAuthn device types can be used to authenticate.
+
+When no restriction is set, all WebAuthn devices a user has registered are allowed.
+
+These restrictions only apply to WebAuthn devices created with authentik 2024.4 or later.