Comment 6 for bug 1968790

dwmw2 (dwmw2) wrote :

NetworkManager-openconnect issues would be at https://gitlab.gnome.org/GNOME/NetworkManager-openconnect but most of the hard thinking ends up on the openconnect side.

So what is the best solution here? The external browser mode is useful because we get the full features of Chrome/Firefox and then the resulting SSO token is encrypted and passed back to the VPN client. But that HPKE encryption and the connection back over http://localhost:29786/ is kind of awful.

The embedded browser mode avoids that because we are in control, and we can see the token directly as we're running the browser within our own NM-openconnect authentication GUI process. But obviously it doesn't work for the openconnect CLI, as the external-browser mode does.

Should we (can we) implement a Firefox/Chrome plugin to exfiltrate cookies, which might give us a way to do this "embedded mode" with a *real* browser? Or should we just go and implement webauthn/CTAP2 support in WebKit?