Opened 7 months ago

Last modified 4 months ago

#1396 accepted task

Implement a login extension for WebAuthn

Reported by: Nicklas Nordborg Owned by: Nicklas Nordborg
Priority: major Milestone: WebAuthn extension v1.0
Component: net.sf.basedb.webauthn Keywords:
Cc:

Description

WebAuthn is an authentication protocol that is standardized by W3C. It is supported by later models of YubiKey and also by several other manufacturers. Support for this protocol exists in all the major browsers.

It can be compared to the existing YubiKey implementation that uses a proprietary OTP (one-time-password) protocol. This protocol is also dependent on the YubiCloud servers for validation.

https://en.wikipedia.org/wiki/WebAuthn

Yubico has a nice server-side implementation:

Documentation for the browser-side API:

Some other nice links:

Change History (32)

comment:1 Changed 7 months ago by Nicklas Nordborg

Component: changed from not classified to net.sf.basedb.webauthn
Milestone: WebAuthn extension v1.0
Owner: changed from Jari Häkkinen to Nicklas Nordborg
Status: changed from new to accepted

comment:2 Changed 7 months ago by Nicklas Nordborg

In 6740:

References #1396: Implement a login extension for WebAuthn

Created main repository folder.

comment:3 Changed 7 months ago by Nicklas Nordborg

In 6741:

References #1396: Implement a login extension for WebAuthn

Created trunk.

comment:4 Changed 7 months ago by Nicklas Nordborg

In 6742:

References #1396: Implement a login extension for WebAuthn

Initial checkin of basic build and information files.

Adds a WebAuthn tab in the "Edit user" dialog, but there is no functionality.

comment:5 Changed 7 months ago by Nicklas Nordborg

In 6743:

References #1396: Implement a login extension for WebAuthn

Started to implement the "Edit user" dialog that should be used to register a new security key (or remove an existing one). The idea is to use a similar flow as in the YubiKey extension. It is still not clear exactly what we need to save in the database and there is no actual functionality implemented yet.

comment:6 Changed 6 months ago by Nicklas Nordborg

In 6744:

References #1396: Implement a login extension for WebAuthn

Started to implement the WebAuthn registration procedure. A registration request is created on the server side and sent to the browser.

comment:7 Changed 6 months ago by Nicklas Nordborg

In 6745:

References #1396: Implement a login extension for WebAuthn

Implemented the browser-side part of the registration process. The response from the security key is sent to the server, but is not yet validated there.

comment:8 Changed 6 months ago by Nicklas Nordborg

In 6746:

References #1396: Implement a login extension for WebAuthn

Implemented the server-side validation of the registration request. The result is not stored anywhere so it can't be used for logging in.

comment:9 Changed 6 months ago by Nicklas Nordborg

In 6747:

References #1396: Implement a login extension for WebAuthn

Added database columns for storing registration information.

comment:10 Changed 6 months ago by Nicklas Nordborg

In 6748:

References #1396: Implement a login extension for WebAuthn

User handles are checked for uniqueness when starting a new registration.

comment:11 Changed 6 months ago by Nicklas Nordborg

In 6749:

References #1396: Implement a login extension for WebAuthn

Switch to BASE 3.19.3 since we need new features implemented in https://base.thep.lu.se/ticket/2278

comment:12 Changed 6 months ago by Nicklas Nordborg

In 6750:

References #1396: Implement a login extension for WebAuthn

Started to implement a login form extension for WebAuthn. A handler is added to the before-login event. The handler aborts the regular form submission and instead submits a pre-login request. The response is currently a fake "random" response but the browser should ask for a security key (but it will not validate).

comment:13 Changed 6 months ago by Nicklas Nordborg

In 6751:

References #1396: Implement a login extension for WebAuthn

Implemented the first step of WebAuthn authentication. A user is looked up and credentials are returned to the browser if the account has been configured with a security key.

comment:14 Changed 6 months ago by Nicklas Nordborg

In 6752:

References #1396: Implement a login extension for WebAuthn

Implemented the final authentication step. The code needs lots of cleanup and error handling but it should be working.

comment:15 Changed 6 months ago by Nicklas Nordborg

In 6753:

References #1396: Implement a login extension for WebAuthn

Added webauthn.properties for configuration settings. It is possible to specify client applications that are required/not required to use WebAuthn and to specify other allowed login methods for users that have a security key configured.

comment:16 Changed 6 months ago by Nicklas Nordborg

In 6754:

References #1396: Implement a login extension for WebAuthn

Cleaned up the login process by moving most of the code to the LoginProcessHandler. An instance of this object is created in the first step by the PreLoginAuthenticationManager and is used to generate a challenge for the browser. The response from the browser is then processed by the same instance in the second step by the WebAuthnAuthenticationManager.

comment:17 Changed 6 months ago by Nicklas Nordborg

In 6755:

References #1396: Implement a login extension for WebAuthn

Cleaned up the CredentialRepository implementation in the LoginProcessHandler. It should now check that parameters, such as the username, match the user in the current login process.

comment:18 Changed 6 months ago by Nicklas Nordborg

In 6756:

References #1396: Implement a login extension for WebAuthn

Re-factored the code handling the registration process. It should now be more similar to how the login process works.

comment:19 Changed 6 months ago by Nicklas Nordborg

In 6757:

References #1396: Implement a login extension for WebAuthn

Changed the signature counter to long instead of int since that is what the WebAuthn API uses (AssertionResult.getSignatureCount()).

comment:20 Changed 6 months ago by Nicklas Nordborg

In 6758:

References #1396: Implement a login extension for WebAuthn

The call to ExtensionsControl.getHomeUrl() could not be used safely in the constructor. After a server restart the constructor of factories is called very early in the startup process and before registration of metadata such as the URL (and a lot of other stuff). So the call returned null and it was impossible to log in due to an incorrect URL to the WebAuthn servlet.

comment:21 Changed 6 months ago by Nicklas Nordborg

In 6759:

References #1396: Implement a login extension for WebAuthn

Testing if the browser supports WebAuthn before trying to use it.

comment:22 Changed 6 months ago by Nicklas Nordborg

In 6760:

References #1396: Implement a login extension for WebAuthn

Added help text to the login form.

comment:23 Changed 6 months ago by Nicklas Nordborg

In 6761:

References #1396: Implement a login extension for WebAuthn

Changes that are needed for the "Switch user" to work.

comment:24 Changed 6 months ago by Nicklas Nordborg

In 6768:

References #1396: Implement a login extension for WebAuthn

The password is now verified before the security key.

comment:25 Changed 6 months ago by Nicklas Nordborg

In 6769:

References #1396: Implement a login extension for WebAuthn

Using a POST request instead of GET when starting the login to avoid the password being part of the URL that may be cached or logged.

comment:26 Changed 6 months ago by Nicklas Nordborg

In 6770:

References #1396: Implement a login extension for WebAuthn

Added 'use strict' to javascript file.

comment:27 Changed 4 months ago by Nicklas Nordborg

In 6785:

References #1396: Implement a login extension for WebAuthn

Added an option to create "password-less" keys. This requires that the security key supports the FIDO2 protocol and that it can store information about the registration on the key itself (a.k.a. resident keys). We also require that the key is protected with a PIN (or some other method to verify the user, for example, fingerprint).

The login procedure has not been updated.

comment:28 Changed 4 months ago by Nicklas Nordborg

In 6786:

References #1396: Implement a login extension for WebAuthn

Added a wa_passwordless property to store information about whether the key was registered with password-less authentication enabled or not.

comment:29 Changed 4 months ago by Nicklas Nordborg

In 6787:

References #1396: Implement a login extension for WebAuthn

Added a login form for the password-less login options. The form will hide the input fields and just keep the "Login" button, but there is no actual password-less functionality yet.

The registration dialog has also been updated to display information about whether the password-less login form is enabled or disabled.

comment:30 Changed 4 months ago by Nicklas Nordborg

In 6788:

References #1396: Implement a login extension for WebAuthn

Started to implement the actual password-less login. The pre-login step that generates the challenge seems to work. The browser is asking for a PIN and can find the stored user information and send it for the final login step. The final login step is not yet implemented.

comment:31 Changed 4 months ago by Nicklas Nordborg

In 6789:

References #1396: Implement a login extension for WebAuthn

The password-less login should now work.

comment:32 Changed 4 months ago by Nicklas Nordborg

In 6792:

References #1396: Implement a login extension for WebAuthn

Fixes an issue with the regular login that sent an empty userHandle making it impossible to log in with non-resident keys.
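Comments 21, 27 and 32 touch three client/server details of the password-less variant: the browser feature test, the registration and assertion options that make a key discoverable (resident) and PIN-protected, and the server-side user lookup that must treat an empty userHandle as absent so that non-resident keys (where the browser returns no handle) still log in against the username from the pre-login step. The following added example shows all three as pure functions; it is not code from the BASE WebAuthn extension, and the function names, the in-memory user map and the sample credential ids are assumptions made for this example.

```javascript
'use strict';
// Added example (not from the BASE WebAuthn extension). All names below
// (supportsWebAuthn, registrationSelection, assertionRequest, resolveUser)
// and the sample users/credential ids are constructed for illustration.

// Feature test to run before calling the API. `win` is injected so the
// function can be exercised outside a browser.
function supportsWebAuthn(win) {
  return Boolean(
    win && win.PublicKeyCredential &&
    win.navigator && win.navigator.credentials &&
    typeof win.navigator.credentials.get === 'function'
  );
}

// authenticatorSelection for navigator.credentials.create().
// Password-less keys must be discoverable (resident) and protected by PIN/biometrics.
function registrationSelection(passwordless) {
  return passwordless
    ? { residentKey: 'required', requireResidentKey: true, userVerification: 'required' }
    : { residentKey: 'discouraged', userVerification: 'preferred' };
}

// publicKey options for navigator.credentials.get().
function assertionRequest(challenge, rpId, credentialIds, passwordless) {
  const options = { challenge, rpId, timeout: 60000 };
  if (passwordless) {
    // Empty allowCredentials: the authenticator picks among its resident keys
    // and returns the stored userHandle, which identifies the account.
    options.allowCredentials = [];
    options.userVerification = 'required';
  } else {
    // Regular login: the account is already known from the pre-login step.
    options.allowCredentials = credentialIds.map((id) => ({ type: 'public-key', id }));
    options.userVerification = 'preferred';
  }
  return options;
}

// Server side: decide which account the assertion belongs to.
// users: Map of username -> { handle, credentialIds }
// preLoginUsername: username from the first step (null for password-less login)
// response: { id, userHandle } as returned by the browser
function resolveUser(users, preLoginUsername, response) {
  // '' and undefined both mean "no handle" (non-resident keys send none)
  const handle = response.userHandle ? response.userHandle : null;
  let user = null;

  if (handle !== null) {
    for (const [name, record] of users) {
      if (record.handle === handle) { user = { name, ...record }; break; }
    }
    if (!user) throw new Error('unknown user handle');
  }

  if (preLoginUsername) {
    const record = users.get(preLoginUsername);
    if (!record) throw new Error('unknown user');
    // Both sources present: they must agree (same rule as the CredentialRepository check)
    if (user && user.name !== preLoginUsername) throw new Error('user handle does not match login user');
    user = { name: preLoginUsername, ...record };
  }

  if (!user) throw new Error('no user handle and no username: cannot identify the account');
  if (!user.credentialIds.includes(response.id)) throw new Error('credential not registered for this user');
  return user.name;
}
```

With a non-resident key the browser's `userHandle` is null, so a regular login resolves purely from the pre-login username; with a resident key the handle is what identifies the account, and when both are present they have to name the same user.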
