Add support for WebAuthn behind feature flag

Merged Jan Beckmann requested to merge kingjan1999/gitlab-ee:22506-webauthn-step-1 into master

What does this MR do?

This is the first follow-up MR for !20257 (closed). It introduces support for FIDO2 / WebAuthn standard, which supersedes the old U2F (FIDO 1) standard GitLab is currently supporting for multi-factor authentication. WebAuthn works for more browser and with more devices.

As discussed in the old MR and in the corresponding issue (#22506 (closed)), the process of introducing support for WebAuthn and removing support for U2F is split up into multiple steps.

This is step 1 in the iteration plan, introducing the support behind a feature flag while keeping all old U2F code and data.


(All screenshots taken with feature flag enabled / copied from the old MR)



Updated error screen

WebAuthn returns DOMException instead of error codes as U2F did, so I've opted to display the names of these exceptions.

Login error screen

Does this MR meet the acceptance criteria?


Availability and Testing


If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Jan Beckmann