KeePassXC Passkey Integration #8126

Open
Rehpotsirhc-z opened this issue Mar 11, 2024 · 4 comments
@Rehpotsirhc-z

Now that KeePassXC 2.7.7 released with Passkey support, it would be nice if the qute-keepassxc userscript could support it.

@toofar
Member

toofar commented Mar 11, 2024

Hmm, how would this work? I think currently the userscript is invoked by a user to fill in fields on a page, but with passkey (which as I understand it is the same as webauthn in this context? See also the other, closed, qute issues about FIDO2) the auth request is initiated by the browser?

With Qt 6.7 QtWebEngine is supposed to have an event it can send us to let us handle a webauthn auth request (mentioned here), so we would have to handle that and call the userscript somehow? Assuming we want to keep it as a userscript, which ideally the core browser knows nothing about, I guess that would look like adding a new config variable where you can configure an external webauthn (WebAuth?) handler which might just happen to be a userscript. Does that sound right?
And then I guess we would have to add commands to accept or reject an auth request because the userscript would have to write back to the FIFO...

@sudoforge

i think webauthn support must be directly managed by the browser. in theory, keepassxc should be configured to show up as a webauthn device (i don't use keepassxc; this is just a general comment, as it's how 1Password works, which i've used for work).

@Rehpotsirhc-z
Author

I don't know how this works at all. KeePassXC has a browser extension that, when Passkey support is enabled, the user gets a popup from KeePassXC. If they decline, it will go back to the system one. I don't know how their extension is stepping in front of the system one.

On something like Windows, qutebrowser could open the normal biometrics popup, with some way to use KeePassXC or any other password manager instead, and fall back to the system one if declined.

Ideally, it should be possible to configure some other program to use instead of the system dialogue, but right now I guess it's some weird extension that can intercept the system one, or something.

Now this is just speculation from an idiot, but if it's an extension, maybe it can be done with a greasemonkey script? It would run on every website.

@toofar
Member

toofar commented Mar 14, 2024

Okay, so keepass has a browser extension, I see. Oh it looks like it does just intercept JS events! https://github.com/keepassxreboot/keepassxc-browser/blob/0934446d9d375488f166d008188af5bb52af9948/keepassxc-browser/content/passkeys.js#L149
That's interesting, I thought it would require more privileged access. Although maybe it's only able to do that because it's in an extension context, hmm.

Anyhow, since qtwebengine has (or soon will have) an API hook for this it would probably be better for us to use that than trying to bridge js <-> native apps securely. I suppose my comment above does pretty much describe that, so there are a few implementation details to work out.
