Opened 3 years ago

Last modified 2 years ago

#1396 accepted task

Implement a login extension for WebAuthn

Reported by: Nicklas Nordborg
Owned by: Nicklas Nordborg
Priority: major
Milestone: WebAuthn extension v1.0
Component: net.sf.basedb.webauthn

Description

WebAuthn is an authentication protocol that is standardized by W3C. It is supported by later models of YubiKey and also by several other manufacturers. Support for this protocol exists in all the major browsers.

It can be compared to the existing YubiKey implementation that uses a proprietary OTP (one-time-password) protocol. This protocol is also dependent on the YubiCloud servers for validation.

https://en.wikipedia.org/wiki/WebAuthn

Yubico has a nice server-side implementation:

Documentation for the browser-side API:

Some other nice links:

Change History (32)

comment:1 by Nicklas Nordborg, 3 years ago

Component: not classified → net.sf.basedb.webauthn
Milestone: WebAuthn extension v1.0
Owner: changed from Jari Häkkinen to Nicklas Nordborg
Status: new → accepted

comment:2 by Nicklas Nordborg, 3 years ago

In 6740:

References #1396: Implement a login extension for WebAuthn

Created main repository folder.

comment:3 by Nicklas Nordborg, 3 years ago

In 6741:

References #1396: Implement a login extension for WebAuthn

Created trunk.

comment:4 by Nicklas Nordborg, 2 years ago

In 6742:

References #1396: Implement a login extension for WebAuthn

Initial checkin of basic build and information files.

Adds a WebAuthn tab in the "Edit user" dialog, but there is no functionality.

comment:5 by Nicklas Nordborg, 2 years ago

In 6743:

References #1396: Implement a login extension for WebAuthn

Started to implement the "Edit user" dialog that should be used to register a new security key (or remove an existing one). The idea is to use a similar flow as in the YubiKey extension. It is still not clear exactly what we need to save in the database and there is no actual functionality implemented yet.

comment:6 by Nicklas Nordborg, 2 years ago

In 6744:

References #1396: Implement a login extension for WebAuthn

Started to implement the WebAuthn registration procedure. A registration request is created on the server side and sent to the browser.

comment:7 by Nicklas Nordborg, 2 years ago

In 6745:

References #1396: Implement a login extension for WebAuthn

Implemented the browser-side part of the registration process. The response from the security key is sent to the server, but is not yet validated there.

comment:8 by Nicklas Nordborg, 2 years ago

In 6746:

References #1396: Implement a login extension for WebAuthn

Implemented the server-side validation of the registration request. The result is not stored anywhere so it can't be used for logging in.

comment:9 by Nicklas Nordborg, 2 years ago

In 6747:

References #1396: Implement a login extension for WebAuthn

Added database columns for storing registration information.

comment:10 by Nicklas Nordborg, 2 years ago

In 6748:

References #1396: Implement a login extension for WebAuthn

User handles are checked for uniqueness when starting a new registration.

comment:11 by Nicklas Nordborg, 2 years ago

In 6749:

References #1396: Implement a login extension for WebAuthn

Switch to BASE 3.19.3 since we need new features implemented in https://base.thep.lu.se/ticket/2278

comment:12 by Nicklas Nordborg, 2 years ago

In 6750:

References #1396: Implement a login extension for WebAuthn

Started to implement a login form extension for WebAuthn. A handler is added to the before-login event. The handler aborts the regular form submission and instead submits a pre-login request. The response is currently a fake "random" response but the browser should ask for a security key (but it will not validate).

comment:13 by Nicklas Nordborg, 2 years ago

In 6751:

References #1396: Implement a login extension for WebAuthn

Implemented the first step of WebAuthn authentication. A user is looked up and credentials are returned to the browser if the account has been configured with a security key.

comment:14 by Nicklas Nordborg, 2 years ago

In 6752:

References #1396: Implement a login extension for WebAuthn

Implemented the final authentication step. The code needs lots of cleanup and error handling but it should be working.

comment:15 by Nicklas Nordborg, 2 years ago

In 6753:

References #1396: Implement a login extension for WebAuthn

Added webauthn.properties for configuration settings. It is possible to specify client applications that are required/not required to use WebAuthn and to specify other allowed login methods for users that have a security key configured.

comment:16 by Nicklas Nordborg, 2 years ago

In 6754:

References #1396: Implement a login extension for WebAuthn

Cleaned up the login process by moving most of the code to the LoginProcessHandler. An instance of this object is created in the first step by the PreLoginAuthenticationManager and is used to generate a challenge for the browser. The response from the browser is then processed by the same instance in the second step by the WebAuthnAuthenticationManager.

comment:17 by Nicklas Nordborg, 2 years ago

In 6755:

References #1396: Implement a login extension for WebAuthn

Cleaned up the CredentialRepository implementation in the LoginProcessHandler. It should now check that parameters, such as the username, match the user in the current login process.

comment:18 by Nicklas Nordborg, 2 years ago

In 6756:

References #1396: Implement a login extension for WebAuthn

Re-factored the code handling the registration process. It should now be more similar to how the login process works.

comment:19 by Nicklas Nordborg, 2 years ago

In 6757:

References #1396: Implement a login extension for WebAuthn

Changed the signature counter to long instead of int since that is what the WebAuthn API uses (AssertionResult.getSignatureCount()).

comment:20 by Nicklas Nordborg, 2 years ago

In 6758:

References #1396: Implement a login extension for WebAuthn

The call to ExtensionsControl.getHomeUrl() could not be used safely in the constructor. After a server restart the constructor of factories is called very early in the startup process and before registration of metadata such as the URL (and a lot of other stuff). So the call returned null and it was impossible to login due to an incorrect URL to the WebAuthn.servlet.

comment:21 by Nicklas Nordborg, 2 years ago

In 6759:

References #1396: Implement a login extension for WebAuthn

Testing if the browser supports WebAuthn before trying to use it.

comment:22 by Nicklas Nordborg, 2 years ago

In 6760:

References #1396: Implement a login extension for WebAuthn

Added help text to the login form.

comment:23 by Nicklas Nordborg, 2 years ago

In 6761:

References #1396: Implement a login extension for WebAuthn

Changes that are needed for the "Switch user" to work.

comment:24 by Nicklas Nordborg, 2 years ago

In 6768:

References #1396: Implement a login extension for WebAuthn

The password is now verified before the security key.

comment:25 by Nicklas Nordborg, 2 years ago

In 6769:

References #1396: Implement a login extension for WebAuthn

Using POST request instead of GET when starting the login to avoid that the password is part of the URL that may be cached or logged.

comment:26 by Nicklas Nordborg, 2 years ago

In 6770:

References #1396: Implement a login extension for WebAuthn

Added 'use strict' to javascript file.

comment:27 by Nicklas Nordborg, 2 years ago

In 6785:

References #1396: Implement a login extension for WebAuthn

Added an option to create "password-less" keys. This requires that the security key supports the FIDO2 protocol and that it can store information about the registration on the key itself (aka. resident keys). We also require that the key is protected with a PIN (or some other method to verify the user, for example, fingerprint).

The login procedure has not been updated.

comment:28 by Nicklas Nordborg, 2 years ago

In 6786:

References #1396: Implement a login extension for WebAuthn

Added a wa_passwordless property to store information if the key was registered with password-less authentication enabled or not.

comment:29 by Nicklas Nordborg, 2 years ago

In 6787:

References #1396: Implement a login extension for WebAuthn

Added a login form for the password-less login options. The form will hide the input fields and just keep the "Login" button, but there is no actual password-less functionality yet.

The registration dialog has also been updated to display information about if the password-less login form is enabled or disabled.

comment:30 by Nicklas Nordborg, 2 years ago

In 6788:

References #1396: Implement a login extension for WebAuthn

Started to implement the actual password-less login. The pre-login step that generates the challenge seems to work. The browser is asking for a PIN and can find the stored user information and send it for the final login step. The final login step is not yet implemented.

comment:31 by Nicklas Nordborg, 2 years ago

In 6789:

References #1396: Implement a login extension for WebAuthn

The password-less login should now work.

comment:32 by Nicklas Nordborg, 2 years ago

In 6792:

References #1396: Implement a login extension for WebAuthn

Fixes an issue with the regular login that sent an empty userHandle making it impossible to login with non-resident keys.
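
The userHandle handling that comment:32 touches on, as an added example that is not the extension's own code: a browser-side serializer that omits userHandle when the authenticator returns none (as can happen with non-resident keys), plus a hypothetical server-side check that binds the assertion to the user from the pre-login step. The function names, the `pending` object and the sample values are assumptions made for this illustration.

```javascript
// Encode an ArrayBuffer as unpadded base64url for transport in JSON.
function toBase64Url(buffer) {
  let binary = '';
  for (const b of new Uint8Array(buffer)) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Convert the credential from navigator.credentials.get() to JSON.
// response.userHandle is null when the authenticator returns no user
// handle; it is then omitted instead of being sent as an empty string.
function serializeAssertion(credential) {
  const r = credential.response;
  const json = {
    id: credential.id, type: credential.type,
    response: {
      authenticatorData: toBase64Url(r.authenticatorData),
      clientDataJSON: toBase64Url(r.clientDataJSON),
      signature: toBase64Url(r.signature)
    }
  };
  if (r.userHandle && r.userHandle.byteLength > 0) {
    json.response.userHandle = toBase64Url(r.userHandle);
  }
  return json;
}

// Hypothetical server-side check (not the extension's Java code).
// `pending` is the state kept from the pre-login step. With password-less
// login no username was typed, so the key itself must identify the user.
function resolveUser(pending, assertion) {
  const handle = assertion.response.userHandle;
  if (handle === '') return { ok: false, reason: 'empty userHandle' };
  if (pending.passwordless) {
    if (!handle) return { ok: false, reason: 'userHandle required' };
    return { ok: true, userHandle: handle };
  }
  // Regular login: the user is already known; a handle, if sent, must match.
  if (handle !== undefined && handle !== pending.userHandle) {
    return { ok: false, reason: 'userHandle mismatch' };
  }
  return { ok: true, userHandle: pending.userHandle };
}

// Constructed sample: an assertion from a non-resident key.
const sampleNonResident = {
  id: 'Y3JlZC0x', type: 'public-key',
  response: { authenticatorData: new Uint8Array([1, 2, 3]).buffer,
    clientDataJSON: new Uint8Array([123, 125]).buffer,
    signature: new Uint8Array([255, 254]).buffer, userHandle: null }
};
```

A serializer that base64url-encodes a null userHandle unconditionally produces `''`, which a server cannot distinguish from a real but empty handle; leaving the field out keeps the regular and password-less paths unambiguous.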
