Common access card (CAC) X509 certificate dialog issues with desktop app
We’re using another form of authentication (X509 certificates on a physical card, aka common access card or CAC) with our authentication service, Keycloak. We’re noticing inconsistent behavior with the Mattermost desktop app. The expected flow is when a user clicks the “Platform One SSO” button (OAuth2 or “GitLab” button), Keycloak will first check if a CAC exists. If it does, the user should be prompted to select a certificate. If they cancel the prompt, they will instead be asked for the normal username/password login flow. This works as expected in the web app, but with the desktop app, the behavior is inconsistent or incorrect:
- Some users are not receiving the CAC prompt at all.
- The Windows desktop app doesn’t seem to work at all with the CAC prompt.
- Some users are receiving the CAC prompt even if no CAC is inserted into the reader.