Make externally-provisioned Yubikeys easier to configure
Our documentation mentions that it's possible to provision Yubikeys externally (in my use case, a custom attribute in an AD server) by crafting _2fDevices with a macro.
This works, but it becomes extremely complicated if we also want to support self-registered TOTP, because now we have to merge the existing _2fDevices with the new one.
Again, it's possible, with some arcane Perl syntax, but I think none of our users can manage to do it and keep their sanity.
It would be so, so much easier to have a manager field that lets the user specify a session key in which the Yubikey ID is stored, and make the Yubikey code look directly into it.
Seems easy to implement:
- Add an optional "Lookup Yubikey ID in session attribute" option
- If this attribute is set, use it, and maybe fall back to registered 2F devices
- If this attribute is not set, use registered 2F devices as we currently do
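For reference, the merge the issue describes as painful to write inside a macro, as an added standalone Perl example that is neither the issue author's nor the project's code. It assumes _2fDevices is a JSON array of device hashes, that a Yubikey entry has type "UBK" with its public ID under "_yubikey", and that the externally provisioned ID has already been loaded into a session variable; the sample input is constructed.

```perl
# Added example (not from the issue or the LemonLDAP::NG project): merge an
# externally provisioned Yubikey ID into an existing _2fDevices array without
# duplicating it, so self-registered TOTP devices survive the merge.
# Assumed format: JSON array of hashes; Yubikey entries use type "UBK" and
# key "_yubikey". Adjust these names if your version differs.
use strict;
use warnings;
use JSON;

sub merge_yubikey {
    my ( $devices_json, $yubikey_id ) = @_;

    # Nothing provisioned externally: keep the registered devices untouched
    return $devices_json unless defined $yubikey_id && length $yubikey_id;

    my $devices = [];
    if ( defined $devices_json && length $devices_json ) {
        # A corrupt or empty attribute must not wipe the provisioned key
        $devices = eval { JSON->new->decode($devices_json) } || [];
        $devices = [] unless ref $devices eq 'ARRAY';
    }

    # Idempotent: if this Yubikey is already registered, change nothing
    for my $d (@$devices) {
        return $devices_json
          if ref $d eq 'HASH'
          && ( $d->{type}     // '' ) eq 'UBK'
          && ( $d->{_yubikey} // '' ) eq $yubikey_id;
    }

    push @$devices, {
        type     => 'UBK',
        name     => 'Provisioned Yubikey',
        _yubikey => $yubikey_id,
        epoch    => time,
    };
    return JSON->new->canonical->encode($devices);
}

# Constructed sample: one self-registered TOTP device plus an ID read from
# the directory (placeholder value, not a real Yubikey public ID)
my $existing = '[{"type":"TOTP","name":"MyPhone","_secret":"REDACTED","epoch":1600000000}]';
my $merged   = merge_yubikey( $existing, 'cccc_placeholder' );
print "$merged\n";
# Running it again on $merged returns the same string (no duplicate entry)
print merge_yubikey( $merged, 'cccc_placeholder' ) eq $merged ? "stable\n" : "duplicated\n";
```

In a real deployment the two arguments would come from the session ($_2fDevices and the attribute holding the external ID), and the result is what the macro would assign back to _2fDevices.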