Opened 6 weeks ago

Last modified 3 weeks ago

#1396 accepted task

Implement a login extension for WebAuthn

Reported by: Nicklas Nordborg Owned by: Nicklas Nordborg
Priority: major Milestone: WebAuthn extension v1.0
Component: net.sf.basedb.webauthn Keywords:
Cc:

Description

WebAuthn is an authentication protocol that is standardized by W3C. It is supported by later models of YubiKey and also by several other manufacturers. Support for this protocol exists in all the major browsers.

It can be compared to the existing YubiKey implementation that uses a proprietary OTP (one-time-password) protocol. This protocol is also dependent on the YubiCloud servers for validation.

https://en.wikipedia.org/wiki/WebAuthn

Yubico has a nice server-side implementation:

Documentation for the browser-side API:

Some other nice links:

Change History (26)

comment:1 Changed 6 weeks ago by Nicklas Nordborg

Component: not classified → net.sf.basedb.webauthn
Milestone: WebAuthn extension v1.0
Owner: changed from Jari Häkkinen to Nicklas Nordborg
Status: new → accepted

comment:2 Changed 6 weeks ago by Nicklas Nordborg

In 6740:

References #1396: Implement a login extension for WebAuthn

Created main repository folder.

comment:3 Changed 6 weeks ago by Nicklas Nordborg

In 6741:

References #1396: Implement a login extension for WebAuthn

Created trunk.

comment:4 Changed 6 weeks ago by Nicklas Nordborg

In 6742:

References #1396: Implement a login extension for WebAuthn

Initial checkin of basic build and information files.

Adds a WebAuthn tab in the "Edit user" dialog, but there is no functionality.

comment:5 Changed 6 weeks ago by Nicklas Nordborg

In 6743:

References #1396: Implement a login extension for WebAuthn

Started to implement the "Edit user" dialog that should be used to register a new security key (or remove an existing one) The idea is to use a similar flow as in the YubiKey extension. It is still not clear exactly what we need to save in the database and there is no actual functionality implemented yet.

comment:6 Changed 6 weeks ago by Nicklas Nordborg

In 6744:

References #1396: Implement a login extension for WebAuthn

Started to implement the WebAuthn registration procedure. A registration request is created on the server side and sent to the browser.

comment:7 Changed 6 weeks ago by Nicklas Nordborg

In 6745:

References #1396: Implement a login extension for WebAuthn

Implemented the browser-side part of the registration process. The response from the security key is sent to the server, but is not yet validated there.

comment:8 Changed 6 weeks ago by Nicklas Nordborg

In 6746:

References #1396: Implement a login extension for WebAuthn

Implemented the server-side validation of the registration request. The result is not stored anywhere so it can't be used for logging in.

comment:9 Changed 5 weeks ago by Nicklas Nordborg

In 6747:

References #1396: Implement a login extension for WebAuthn

Added database columns for storing registration information.

comment:10 Changed 5 weeks ago by Nicklas Nordborg

In 6748:

References #1396: Implement a login extension for WebAuthn

User handles are checked for uniqueness when starting a new registration.

comment:11 Changed 5 weeks ago by Nicklas Nordborg

In 6749:

References #1396: Implement a login extension for WebAuthn

Switch to BASE 3.19.3 since we need new features implemented in https://base.thep.lu.se/ticket/2278

comment:12 Changed 4 weeks ago by Nicklas Nordborg

In 6750:

References #1396: Implement a login extension for WebAuthn

Started to implement a login form extension for WebAuthn. A handler is added to the before-login event. The handler aborts the regular form submission and instead submits a pre-login request. The response is currently a fake "random" response but the browser should ask for a security key (but it will not validate).

comment:13 Changed 4 weeks ago by Nicklas Nordborg

In 6751:

References #1396: Implement a login extension for WebAuthn

Implemented the first step of WebAuthn authentication. A user is looked up and credentials are returned to the browser if the account has been configured with a security key.

comment:14 Changed 4 weeks ago by Nicklas Nordborg

In 6752:

References #1396: Implement a login extension for WebAuthn

Implemented the final authentication step. The code needs lots of cleanup and error handling but it should be working.

comment:15 Changed 4 weeks ago by Nicklas Nordborg

In 6753:

References #1396: Implement a login extension for WebAuthn

Added webauthn.properties for configuration settings. It is possible to specify client applications that are required/not required to use WebAuthn and to specify other allowed login methods for users that have a security key configured.

comment:16 Changed 4 weeks ago by Nicklas Nordborg

In 6754:

References #1396: Implement a login extension for WebAuthn

Cleaned up the login process by moving most of the code to the LoginProcessHandler. An instance of this object is created in the first step by the PreLoginAuthenticationManager and is used to generate a challenge for the browser. The response from the browser is then processed by the same instance in the second step by the WebAuthnAuthenticationManager.

comment:17 Changed 4 weeks ago by Nicklas Nordborg

In 6755:

References #1396: Implement a login extension for WebAuthn

Cleaned up the CredentialRepository implementation in the LoginProcessHandler. It should now check that parameters, such as the username, match the user in the current login process.

comment:18 Changed 4 weeks ago by Nicklas Nordborg

In 6756:

References #1396: Implement a login extension for WebAuthn

Re-factored the code handling the registration process. It should now be more similar to how the login process works.

comment:19 Changed 4 weeks ago by Nicklas Nordborg

In 6757:

References #1396: Implement a login extension for WebAuthn

Changed the signature counter to long instead of int since that is what the WebAuthn API uses (AssertionResult.getSignatureCount()).

comment:20 Changed 4 weeks ago by Nicklas Nordborg

In 6758:

References #1396: Implement a login extension for WebAuthn

The call to ExtensionsControl.getHomeUrl() could not be used safely in the constructor. After a server restart the constructor of factories is called very early in the startup process and before registration of metadata such as the URL (and a lot of other stuff). So the call returned null and it was impossible to login due to an incorrect URL to the WebAuthn.servlet.

comment:21 Changed 4 weeks ago by Nicklas Nordborg

In 6759:

References #1396: Implement a login extension for WebAuthn

Testing if the browser supports WebAuthn before trying to use it.

comment:22 Changed 4 weeks ago by Nicklas Nordborg

In 6760:

References #1396: Implement a login extension for WebAuthn

Added help text to the login form.

comment:23 Changed 4 weeks ago by Nicklas Nordborg

In 6761:

References #1396: Implement a login extension for WebAuthn

Changes that are needed for the "Switch user" to work.

comment:24 Changed 3 weeks ago by Nicklas Nordborg

In 6768:

References #1396: Implement a login extension for WebAuthn

The password is now verified before the security key.

comment:25 Changed 3 weeks ago by Nicklas Nordborg

In 6769:

References #1396: Implement a login extension for WebAuthn

Using a POST request instead of GET when starting the login, so that the password is not part of a URL that may be cached or logged.
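
The browser side of the same flow, covering the before-login handler of comment 12, the support test of comment 21 and the POST of comment 25, as an added example that is not the extension's own login-form JavaScript. The pre-login response is assumed to be JSON with base64url strings for the challenge and credential ids; the WebAuthn API wants ArrayBuffers, and the assertion it hands back must be re-encoded before it is POSTed to the second step. The two URLs `webauthn/pre-login` and `webauthn/login`, the form field names `login` and `password`, and the `userVerification` policy are assumptions. Functions take the window object as a parameter so the conversion and detection logic can be exercised outside a browser.

```javascript
'use strict';

// base64url <-> bytes with the standard btoa/atob globals (browsers; also Node 16+).
function bytesToBase64url(bytes) {
  let s = '';
  for (const b of new Uint8Array(bytes)) s += String.fromCharCode(b);
  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function base64urlToBytes(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (str.length % 4)) % 4);
  const bin = atob(b64);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out.buffer;                                   // the WebAuthn API wants ArrayBuffers
}

// r6759: take the WebAuthn path only if the browser has the API. Otherwise return false
// so the regular form submission proceeds (the server may still refuse it, per r6753).
function supportsWebAuthn(win) {
  return !!(win && win.PublicKeyCredential && win.navigator && win.navigator.credentials
    && typeof win.navigator.credentials.get === 'function');
}

// Decode the pre-login response into PublicKeyCredentialRequestOptions. The JSON shape
// { challenge, rpId, allowCredentials: [{ id }] } with base64url strings is an assumption.
function toRequestOptions(preLogin) {
  return {
    challenge: base64urlToBytes(preLogin.challenge),
    rpId: preLogin.rpId,
    allowCredentials: preLogin.allowCredentials.map((c) => ({ type: 'public-key', id: base64urlToBytes(c.id) })),
    // The password was verified in step 1 (r6768), so the key acts as a second factor and a
    // PIN/biometric on the key is not demanded here. Policy choice made for this example.
    userVerification: 'discouraged',
    timeout: 60000,
  };
}

// Encode the PublicKeyCredential from navigator.credentials.get() as JSON for the POST (r6769).
function toAssertionJson(cred) {
  return {
    id: cred.id,                                       // already base64url per the spec
    rawId: bytesToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bytesToBase64url(cred.response.clientDataJSON),
      authenticatorData: bytesToBase64url(cred.response.authenticatorData),
      signature: bytesToBase64url(cred.response.signature),
      userHandle: cred.response.userHandle ? bytesToBase64url(cred.response.userHandle) : null,
    },
  };
}

// The before-login handler body: POST username and password to the pre-login step (never GET,
// r6769), run the ceremony, POST the assertion to the second step. Returns false when WebAuthn
// is not available so the caller can let the normal form submission continue.
async function webauthnLogin(win, form) {
  if (!supportsWebAuthn(win)) return false;
  const body = new win.URLSearchParams({ login: form.login.value, password: form.password.value });
  const pre = await win.fetch('webauthn/pre-login', { method: 'POST', body });
  if (!pre.ok) throw new Error('pre-login failed: ' + pre.status);
  const cred = await win.navigator.credentials.get({ publicKey: toRequestOptions(await pre.json()) });
  const fin = await win.fetch('webauthn/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(toAssertionJson(cred)),
  });
  return fin.ok;
}
```

In the real handler `win` is simply `window` and `form` the login form; the handler calls `webauthnLogin` and only lets the original submission go ahead when it returns false.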

comment:26 Changed 3 weeks ago by Nicklas Nordborg

In 6770:

References #1396: Implement a login extension for WebAuthn

Added 'use strict' to javascript file.
