Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WebAuthn: Add userId property to Authenticator and WebAuthnCredentials #581

Open
mnylen opened this issue Jul 28, 2022 · 0 comments
Open

WebAuthn: Add userId property to Authenticator and WebAuthnCredentials #581

mnylen opened this issue Jul 28, 2022 · 0 comments
Labels
enhancement

Comments

@mnylen
Copy link

mnylen commented Jul 28, 2022

Describe the feature

Depends on fixing #580 first.

1. Add userId property to relevant classes

  • Add userId property to both Authenticator and WebAuthnCredentials.
  • After successful WebAuthn authentication or credential registration, the userId property from Authenticator should be included in the principal of returned User.

2. Populating the user id

After the property is added to relevant classes, the Authenticator instances passed to authenticatorFetcher and authenticatorUpdater should include the user ID (once #580 is fixed) property:

  • When fetching authenticators with a query:
    • In WebAuthn#createCredentialOptions(): copy the value from the user object passed in as parameter.
    • In WebAuthn#authenticate(): use the user id defined in WebAuthnCredentials passed in as parameter
  • When inserting or updating authenticators:
    • In WebAuthn#authenticate() for webauthn.get: use the user id defined in WebAuthnCredentials
    • In WebAuthn#authenticate() for webauthn.create: use the user id from the authenticator found by credential id lookup

3. Extra check in authentication

Additionally, the verification process should ensure that the userHandle returned in the AuthenticationAssertionResponse matches the userId property on the Authenticator found with credential id lookup.

The spec:

If the user was not identified before the authentication ceremony was initiated,
verify that response.userHandle is present, and that the user identified by this value is the owner of credentialSource.

Use cases

This would allow Relying Party to index authenticators in persistent storage based on a stable user ID (read: a primary key for user table). User names (emails, nicknames, etc.) often change during user's lifecycle, but IDs don't.

Currently it's not possible to do this without doing an extra lookup to find user ID based on username (as authenticatorUpdater).

Contribution

Already have a PR in the works at https://github.com/mnylen/vertx-auth/pull/1/files
mnylen added a commit to mnylen/vertx-auth that referenced this issue Aug 6, 2022
@mnylen
WebAuthn: Add user id to PublicKeyCredentialsCreateOptions, Authentic…
7a8a277 
…ator and WebAuthnCredentials (eclipse-vertx#580, eclipse-vertx#581)
@mnylen mnylen mentioned this issue Aug 6, 2022
Open
mnylen added a commit to mnylen/vertx-auth that referenced this issue Aug 6, 2022
@mnylen
WebAuthn: Add user id to PublicKeyCredentialsCreateOptions, Authentic…
acae48b 
…ator and WebAuthnCredentials (eclipse-vertx#580, eclipse-vertx#581)
mnylen added a commit to mnylen/vertx-auth that referenced this issue Aug 6, 2022
@mnylen
WebAuthn: Add user id to PublicKeyCredentialsCreateOptions, Authentic…
b96e8dd 
…ator and WebAuthnCredentials (eclipse-vertx#580, eclipse-vertx#581)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mnylen