WebAuthn | A simple PHP WebAuthn | Authentication library
kandi X-RAY | WebAuthn Summary
A simple PHP WebAuthn (FIDO2) server library
Top functions reviewed by kandi - BETA
- Process a GET request.
- Process a client creation.
- Queries the FIDO MetaData service.
- Get create args.
- Parse a float from a buffer.
- Parse extra length.
- Parse item data.
- Get a floating point value.
- Read a 64-bit integer from the buffer.
- Parse a map.
Community Discussions
Trending Discussions on WebAuthn
QUESTION
Summary: WSO2 IS 5.11 has been installed and configured with FIDO as a local authenticator for a service provider. As a user on an Apple device attempting to log into a service provider using the FIDO local authenticator, the user is immediately redirected to a failed login attempt page.
According to Safari Web Inspector attached to the user's device, the fido2-auth.jsp [1] generates the following error message:
...ANSWER
Answered 2022-Feb-18 at 06:33
This issue is caused by Safari requiring user actions to initiate the webauthn flow. Since other browsers don't mandate the same, we don't face this issue in any other browsers.
So, to address this issue, WSO2 Identity Server has added a proceed button to the authentication page for Safari users. So, Safari users can now click on this button to initiate the webauthn flow.
QUESTION
I'm trying to log in to https://support.sentinelone.com/
through selenium. Somehow I'm unable to enter my credentials. Here is my code.
ANSWER
Answered 2022-Jan-27 at 07:04
Your locators are correct, but the Creds input boxes are in an iframe.
So first switch to an iframe with the below XPath:
QUESTION
Getting the error while logging into an iframe through webauthn.
The 'publickey-credentials-get' feature is not enabled in this document. Permissions Policy may be used to delegate Web Authentication capabilities to cross-origin child frames.
Here is the link to the example https://jsfiddle.net/14kj25nr/. I have registered a user "test_account" directly through webauthn.io and then tried to log into it through jsfiddle. It says to use publickey-credentials-get, but I couldn't find a way to use it to get it to work. Any help would be appreciated.
Update 1:
I have added the allow attribute for the iframe: allow="publickey-credentials-get". It still gives me the same error. The example in the fiddle is updated.
Update 2:
From IAmKale's suggestion, I made the following changes but still got the same error.
Updated the allow attribute of the iframe: allow="publickey-credentials-get *".
I used the Requestly Chrome extension to add the Permissions-Policy header in the RP's response. It can be seen in the below screenshot that I was able to successfully add the header in the response. But I am still getting the same error. Could it be some jsfiddle-specific issue? Or is there anything I am doing wrong? I am using Chrome Version 96.0.4664.110.
Update 3:
When I use the iframe on localhost instead of jsfiddle, I get the WebAuthn Chrome pop-up. But the log-in is still unsuccessful; the server returns POST https://webauthn.io/assertion 400.
ANSWER
Answered 2022-Jan-23 at 00:10
The Web Authentication API is disabled by default in cross-origin iframes. To override this default policy and indicate that a cross-origin iframe is allowed to invoke the Web Authentication API's [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) method, specify the allow attribute on the iframe element and include the publickey-credentials-get feature-identifier token in the allow attribute's value.
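The delegation rule the answer describes is easy to get wrong when frames are nested (a preview frame between the top page and the RP, for instance). What follows is an added example, not code from this page, from the PHP library it summarises, or from the answer's author: a small model of the Permissions Policy "inherited policy" rule for publickey-credentials-get that parses both a Permissions-Policy response header and an iframe allow attribute and decides whether a given frame may call navigator.credentials.get(). Origins are compared as plain strings and are assumed to be already normalised (lowercase scheme and host, no default port); the frame layouts in the usage part are constructed.

```javascript
// Added example (not from the original page, the library it describes, or the answer's author):
// a model of the Permissions Policy inherited-policy rule for publickey-credentials-get.
const FEATURE = 'publickey-credentials-get';

// Parse a Permissions-Policy response header such as
//   publickey-credentials-get=(self "https://rp.example"), camera=()
// into a Map of feature name -> allowlist tokens ('*', 'self', or an origin string).
function parsePermissionsPolicyHeader(header) {
  const policy = new Map();
  for (const directive of header.split(',')) {
    const eq = directive.indexOf('=');
    if (eq < 0) continue;
    const name = directive.slice(0, eq).trim();
    let value = directive.slice(eq + 1).trim();
    if (value.startsWith('(') && value.endsWith(')')) value = value.slice(1, -1);
    const allowlist = value.split(/\s+/).filter(Boolean).map((t) => t.replace(/^"(.*)"$/, '$1'));
    policy.set(name, allowlist);
  }
  return policy;
}

// Parse an iframe allow attribute such as "publickey-credentials-get https://rp.example; camera 'none'".
// A bare feature name defaults to 'src', meaning the frame's own origin.
function parseAllowAttribute(allow) {
  const policy = new Map();
  for (const directive of allow.split(';')) {
    const [name, ...origins] = directive.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    policy.set(name, origins.length ? origins.map((o) => o.replace(/^'(.*)'$/, '$1')) : ['src']);
  }
  return policy;
}

function allowlistMatches(allowlist, origin, selfOrigin, srcOrigin) {
  return allowlist.some((entry) =>
    entry === '*' ||
    (entry === 'self' && origin === selfOrigin) ||
    (entry === 'src' && origin === srcOrigin) ||
    entry === origin);
}

// A document is { origin, header?, parent?, allow? }: `header` is its own Permissions-Policy
// response header, `allow` the allow attribute of the iframe that embeds it in `parent`.
// Order matters: the inherited policy is checked first, then the document's own header.
function isFeatureEnabled(feature, doc) {
  if (!inheritedPolicy(feature, doc)) return false;
  const declared = parsePermissionsPolicyHeader(doc.header || '').get(feature);
  if (declared) return allowlistMatches(declared, doc.origin, doc.origin, doc.origin);
  return true;
}

function inheritedPolicy(feature, doc) {
  if (!doc.parent) return true;                              // top-level document: enabled by default
  if (!isFeatureEnabled(feature, doc.parent)) return false;  // an ancestor that lacks the feature cannot delegate it
  const container = parseAllowAttribute(doc.allow || '').get(feature);
  if (container) return allowlistMatches(container, doc.origin, doc.parent.origin, doc.origin);
  return doc.origin === doc.parent.origin;                   // default allowlist for this feature is 'self'
}

// Constructed usage: the question's layout, a top page embedding the RP cross-origin.
const topPage = { origin: 'https://jsfiddle.net' };
const rpFrame = { origin: 'https://webauthn.io', parent: topPage, allow: '' };
console.log('without allow attribute:', isFeatureEnabled(FEATURE, rpFrame));          // false
rpFrame.allow = 'publickey-credentials-get https://webauthn.io';
console.log('with allow attribute:   ', isFeatureEnabled(FEATURE, rpFrame));          // true
```

Two consequences fall out of the model: a Permissions-Policy header on the RP's own response (as tried in Update 2) can only restrict the feature further, never grant it, because the grant has to come from the embedding page's allow attribute; and every intermediate frame between the top page and the RP needs the delegation too, since a frame that is itself disabled cannot delegate to its children.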
QUESTION
I'm currently able to create publicKeyCredentials using:
...ANSWER
Answered 2022-Jan-19 at 17:12
This flow works on all of my apple devices, however, on Android the 'fmt' of the credentials is 'android-safetynet' which doesn't seem to support userHandles.
Just to clarify, the format of the attestation statement has no bearing on an authenticator's ability to return a userHandle from navigator.credentials.get(). According to the spec it's basically up to the authenticator whether it wants to return userHandle or not.
Are there any formats I can force on Android that I can save userHandles with?
WebAuthn doesn't offer any way for an RP (Relying Party, i.e. your server) to require a specific attestation station format, so you either have to support them all (for which I'd highly encourage you use an existing library) or pick and choose and reject registration of credentials with statements you don't want to support.
Or another way to store information with the publicKeyCredential to allow me to support the usernameless webauthn flow?
I'll correct this if I'm wrong but I don't think you need userHandle to accomplish usernameless. You should be able to take the credential ID you get back from navigator.credentials.get() and match it first to your list of registered credentials, and then pull the corresponding user ID from your own internal record of which credentials belong to which user.
All that to say that FIDO2 support on Android is a little spotty. Last I checked discoverable credentials are basically unsupported on the platform which means usernameless support on Android devices is pretty much out of the question for now.
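The server-side half of what the answer describes, as an added example that is not code from this page, from the PHP library it summarises, or from the answer's author: the assertion's credential ID is looked up in the RP's own store to find the account, and userHandle, when the authenticator does return it, is only cross-checked against that record. Registration also shows the "pick and choose" option from the answer, an allowlist of attestation formats. The credential store, user IDs, raw IDs and the accepted-format list are all constructed for this example; parsing of the attestation object and verification of the assertion signature, which a real RP must do, are not shown.

```javascript
// Added example (not from the original page, the library it describes, or the answer's author):
// usernameless login resolved from the credential ID rather than from userHandle.
const b64url = (bytes) => Buffer.from(bytes).toString('base64url');

// Attestation formats this RP is willing to accept at registration (this example's own choice).
const ACCEPTED_ATTESTATION_FORMATS = new Set(['none', 'packed', 'fido-u2f', 'android-safetynet', 'android-key', 'apple']);

// credential ID (base64url) -> { userId, fmt, publicKey, signCount }; constructed in-memory store.
const credentialStore = new Map();

// Called once the attestation object has been parsed and verified (not shown here).
function registerCredential({ userId, rawId, fmt, publicKey }) {
  if (!ACCEPTED_ATTESTATION_FORMATS.has(fmt)) throw new Error(`attestation format "${fmt}" not accepted`);
  const key = b64url(rawId);
  if (credentialStore.has(key)) throw new Error('credential ID already registered');
  credentialStore.set(key, { userId, fmt, publicKey, signCount: 0 });
  return key;
}

// `assertion` mirrors a PublicKeyCredential from navigator.credentials.get(), with rawId and
// response.userHandle as byte arrays (userHandle may be null). Returns the owning account or null.
function resolveAccountFromAssertion(assertion) {
  const credentialId = b64url(assertion.rawId);
  const record = credentialStore.get(credentialId);
  if (!record) return null;                                 // unknown credential: reveal nothing
  const handle = assertion.response && assertion.response.userHandle;
  if (handle && Buffer.from(handle).toString('utf8') !== record.userId) {
    return null;                                            // authenticator's idea of the user disagrees with ours
  }
  // Signature verification against record.publicKey and the signCount check would follow here.
  return { userId: record.userId, credentialId, publicKey: record.publicKey };
}

// Constructed sample data: one Android credential belonging to "user-42".
const SAMPLE_RAW_ID = new Uint8Array([0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88]);
registerCredential({ userId: 'user-42', rawId: SAMPLE_RAW_ID, fmt: 'android-safetynet', publicKey: 'CONSTRUCTED-COSE-KEY' });

console.log(resolveAccountFromAssertion({ rawId: SAMPLE_RAW_ID, response: { userHandle: null } }));
```

The user ID is stored as a string here and compared against the UTF-8 decoding of userHandle because user.id at registration is a byte string; store whatever bytes you passed as user.id and compare those directly in a real deployment.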
QUESTION
I have a client server application that communicates using REST calls.
To prevent accidentally using the wrong types, I defined all RestCalls in a common file (excerpt):
...ANSWER
Answered 2022-Jan-10 at 13:28
No. Typescript types will be emitted during the compilation phase.
Your options are:
- Use JSON-Schema (Ajv) to validate the input of incoming http json requests: https://github.com/ajv-validator/ajv
- Use Swagger (Almost the same as (1)).
- Use a validator which works with your framework.
- I found this project which tries to create runtime asserts from typescript types: https://github.com/skunkteam/types. But I never used it my self.
- https://github.com/nanoporetech/ts-runtime-typecheck - Same as (4) but never used it as well.
QUESTION
I'm trying to register a fido2 device in Mailcow using Firefox 95.0.2. When trying to do so, the Registration Status field announces:
...ANSWER
Answered 2021-Dec-26 at 16:26
After doing some more testing with Edge (and discovering the "thisisunsafe" trick), I've discovered that WebAuthn isn't a big fan of ports.
So, it didn't like: "id":"subdomain.domain.tld:port".
Replacing $_SERVER['SERVER_NAME'] where $_SERVER['HTTP_HOST'] when initializing the $WebAuthn variable fixed the issue.
Basically navigator.credentials.create() doesn't accept ids with ports.
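The RP ID that goes into rp.id (and later rpId for navigator.credentials.get()) is a host name only; a port, scheme or path makes the browser reject it. As an added example, not code from this page, from the PHP library it summarises, or from the answer's author, here is a helper that derives the RP ID from a Host header value (which, like PHP's HTTP_HOST, carries the client-supplied port) and a validator that lists what is wrong with a candidate RP ID for a given origin. The host names and origins in the usage part are constructed.

```javascript
// Added example (not from the original page, the library it describes, or the answer's author):
// deriving and validating a WebAuthn RP ID.

// The RP ID must be a bare host name: no scheme, no port, no path.
// "Sub.Example.Org:8443" -> "sub.example.org".
function rpIdFromHost(hostHeader) {
  // Parsing through URL normalises case and strips the port; an IPv6 literal survives as "[::1]"
  // and is then rejected by validateRpId, since an RP ID must be a domain name.
  return new URL('https://' + hostHeader.trim()).hostname;
}

// Returns a list of problems; an empty list means the RP ID is acceptable for the origin.
// (A public-suffix check, e.g. refusing "co.uk", is not implemented here.)
function validateRpId(rpId, originUrl) {
  const problems = [];
  if (rpId.length === 0) problems.push('rp.id is empty');
  if (/[:/]/.test(rpId)) problems.push('rp.id must be a bare host name (no scheme, port or path)');
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(rpId) || rpId.startsWith('[')) problems.push('rp.id must not be an IP address');
  let host;
  try {
    host = new URL(originUrl).hostname;
  } catch (e) {
    return [...problems, `origin is not a URL: ${originUrl}`];
  }
  // The RP ID must equal the origin's host or be a parent domain of it ("domain.tld" for "sub.domain.tld").
  if (!(host === rpId || host.endsWith('.' + rpId))) {
    problems.push(`rp.id "${rpId}" is neither the origin host "${host}" nor a parent domain of it`);
  }
  return problems;
}

// Constructed usage: the question's situation, a web UI served on a non-default port.
const hostHeader = 'subdomain.domain.tld:8443';
console.log(validateRpId(hostHeader, 'https://subdomain.domain.tld:8443/'));          // one or more problems
console.log(validateRpId(rpIdFromHost(hostHeader), 'https://subdomain.domain.tld:8443/')); // []
```

Using the parent domain as RP ID ("domain.tld" while the page lives on "subdomain.domain.tld") is legitimate and lets credentials work across subdomains; the validator accepts that case as well.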
QUESTION
The case where a person registers a new account (via credentials.create) and subsequently logs in using the same browser (via credentials.get) is straightforward, because at the time credentials.create is called, the user must grant their browser permission to use Touch ID for a given domain. For example, see the image below, which is a modal prompting the user to allow Touch ID on the given domain, triggered by credentials.create:
If you select "OK" in the modal shown above, you can complete registration with Touch ID. When you subsequently log in to your account using the same browser, you see the modal depicted below, which offers a choice between authenticating with a security key and the previously-registered Touch ID. This modal is triggered by credentials.get:
Here's the rub: If a user creates an account (credentials.create) with Touch ID via another browser, for example Chrome, and then attempts to authenticate (credentials.get) on Safari, Safari thinks they only have access to a security key, and does not provide Touch ID as an option. See below for reference:
Is this a known limitation of WebAuthn itself? It is common that people would use different browsers to access the same website, with the expectation that they can login on any browser, regardless of the one they used to create an account. Given that, it is troubling if WebAuthn does not support this behavior.
Most importantly - how are devs getting around this issue? Are you informing users that they are tied not only to the internal device that they originally registered to their account but also the browser they used? Are you calling credentials.create immediately before credentials.get? This seems like a hack but I am interested in any solutions.
Thanks very much in advance.
...ANSWER
Answered 2021-Dec-03 at 17:19
Is this a known limitation of WebAuthn itself?
This has nothing to do with WebAuthn the API and everything to do with macOS. To date macOS is the one platform that requires WebAuthn credential management to take into account which browser the credential was registered in.
...how are devs getting around this issue?
One way to address this is to store the user's OS and browser at registration (via traditional user agent, the newer navigator.userAgentData, etc...) with the new credential. Then, at auth, grab the user's current OS and browser info and use it to filter credentials to include in allowCredentials that you'll pass to navigator.credentials.get(). If a credential was registered on macOS then filter by browser too; on other platforms you can simply filter by OS.
If allowCredentials is empty on macOS after filtering the user's credentials (i.e. because the user has a single credential that was registered in Safari but the user is currently using Chrome) you need to handle that and prompt the user to log in some other way before prompting them to register Touch ID in Chrome.
This is incredibly annoying to deal with, but it's the reality of WebAuthn on macOS. Fingers crossed Apple's passkeys (now in Tech Preview on Monterey) will offer a similar experience to iOS' OS-level credential store once it rolls out more widely...
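The filtering the answer describes, written out as an added example that is not code from this page, from the PHP library it summarises, or from the answer's author. It goes one step beyond the answer: a credential whose transports include anything other than 'internal' lives on a roaming authenticator (a security key) and works from any OS or browser, so it is never filtered out; only platform-bound credentials are matched on OS, and on macOS additionally on browser. The credential records, their field names (registeredOn, transports), the string IDs and the client descriptors are all constructed for this example.

```javascript
// Added example (not from the original page, the library it describes, or the answer's author):
// choosing allowCredentials from the OS/browser recorded at registration.

// Platform-bound credentials (transports ['internal']) are tied to the OS, and on macOS to the browser too.
function isUsableOn(credential, client) {
  const transports = credential.transports || [];
  const roaming = transports.some((t) => t !== 'internal');
  if (roaming) return true;
  const reg = credential.registeredOn;
  if (!reg || reg.os !== client.os) return false;
  if (client.os === 'macOS' && reg.browser !== client.browser) return false;
  return true;
}

// Build the argument for navigator.credentials.get(), or a fallback instruction when nothing fits.
function buildGetRequest(storedCredentials, client, challenge, rpId) {
  const allowCredentials = storedCredentials
    .filter((c) => isUsableOn(c, client))
    .map((c) => ({ type: 'public-key', id: c.id, transports: c.transports }));
  if (allowCredentials.length === 0) {
    // e.g. only a Safari Touch ID credential exists and the user is now in Chrome on macOS:
    // authenticate another way first, then offer to register a credential for this browser.
    return { fallback: 'authenticate-by-other-means-then-register' };
  }
  return { publicKey: { challenge, rpId, allowCredentials, userVerification: 'preferred' } };
}

// Constructed sample store for one user (real credential IDs are byte arrays, not strings).
const SAMPLE_CREDENTIALS = [
  { id: 'touchid-safari', transports: ['internal'], registeredOn: { os: 'macOS', browser: 'Safari' } },
  { id: 'touchid-chrome', transports: ['internal'], registeredOn: { os: 'macOS', browser: 'Chrome' } },
  { id: 'windows-hello', transports: ['internal'], registeredOn: { os: 'Windows', browser: 'Edge' } },
  { id: 'yubikey', transports: ['usb', 'nfc'], registeredOn: { os: 'macOS', browser: 'Chrome' } },
];

// Convenience for the reader: which sample credential IDs would be offered to a given client.
function allowedIds(client) {
  const req = buildGetRequest(SAMPLE_CREDENTIALS, client, new Uint8Array(32), 'example.com');
  return req.publicKey ? req.publicKey.allowCredentials.map((c) => c.id) : [];
}

console.log('macOS/Chrome  :', allowedIds({ os: 'macOS', browser: 'Chrome' }));
console.log('macOS/Safari  :', allowedIds({ os: 'macOS', browser: 'Safari' }));
console.log('Windows/Chrome:', allowedIds({ os: 'Windows', browser: 'Chrome' }));
```

User-agent strings and navigator.userAgentData are client-supplied, so treat the OS/browser tags as a usability hint that narrows the list, not as a security control; the assertion signature is what actually authenticates.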
QUESTION
I understand that WebauthN is designed to perform authentication, but I'd like to use my Yubikey to create symmetric encryption keys to encrypt content on my web browser without relying on a backend server.
Here's my approach:
- During the assertion challenge (navigator.credentials.get({ publicKey })) the Yubikey signs a challenge string that the client sends to the authenticator.
- I extract the signed challenge, hash it with SHA256 and use it as my new symmetric encryption key for AES256 encryption.
- As long as the same challenge string is sent to the Yubikey, the encryption key will always be the same.
In order to be able to decrypt the content on the web browser, I would have to be in possession of the Yubikey and the challenge string, for 2-factor authentication.
Is there anything wrong with this approach?
...ANSWER
Answered 2021-Nov-27 at 09:51
Why don't you use the Web Crypto API?
This API is designed for cypher operations on client side and is suitable for your use case (client side encryption). It is supported by all recent browsers.
Note that the main concern you may have is that this API does not support hardware devices (smartcards, security tokens...).
However, your Yubikey is certainly capable of generating a secured static password you can use as a master key you will derive to encrypt/decrypt your data.
QUESTION
With the imminent demise of the u2f api, I'm trying to move to WebAuthn APIs using the AppId extension to support security keys previously registered with U2F. As best I can tell from reading the docs I think I am doing it correctly, however, when attempting to authenticate I am prompted by my browser to tap my key, and my key is blinking, but upon tapping it I get the error "You're using a security key that's not registered with this website". In comparing the existing u2f authentication request I'm using the same appid and key handle.
Example U2F sign request:
...ANSWER
Answered 2021-Nov-16 at 17:53
Everything about the options you pass to navigator.credentials.get() looks correct, including how you're specifying the "appid" extension. I believe the issue is that you're double-encoding your U2F credential's credential ID. Try passing the original "keyHandle" in the options instead (you can use it as-is because it's already compatible with base64url encoding):
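The double-encoding mistake the answer points at is easy to catch before the browser ever sees the request. As an added example, not code from this page, from the PHP library it summarises, or from the answer's author: a decoder for stored U2F key handles that rejects values which are not base64url and flags values that look as if they were base64url-encoded twice, plus a builder for the navigator.credentials.get() options with the appid extension. The key handle, appId and challenge in the usage part are constructed; a real key handle is an opaque byte string from the security key.

```javascript
// Added example (not from the original page, the library it describes, or the answer's author):
// turning stored U2F key handles into allowCredentials entries for a WebAuthn appid migration.
const B64URL = /^[A-Za-z0-9_-]+$/;

// U2F key handles come from the legacy API as unpadded base64url. Decode once, and refuse values
// that were obviously encoded twice (the decoded bytes would themselves be base64url text).
function decodeKeyHandle(keyHandle) {
  if (typeof keyHandle !== 'string' || !B64URL.test(keyHandle)) {
    throw new Error('keyHandle is not base64url (U2F key handles are base64url without padding)');
  }
  const bytes = Buffer.from(keyHandle, 'base64url');
  // Random key-handle bytes are all in the base64url alphabet with probability (64/256)^n,
  // so for realistic lengths a text-only decode result means the value was encoded twice.
  if (bytes.length >= 32 && B64URL.test(bytes.toString('latin1'))) {
    throw new Error('keyHandle looks double-encoded: it decodes to base64url text, not to raw bytes');
  }
  return new Uint8Array(bytes);
}

// Options for navigator.credentials.get(): the original U2F appId goes in the appid extension,
// and each key handle becomes a credential descriptor. U2F keys have no user verification,
// so 'discouraged' avoids a PIN prompt the key cannot satisfy.
function buildU2fMigrationGetOptions({ appId, keyHandles, challenge }) {
  return {
    publicKey: {
      challenge,
      allowCredentials: keyHandles.map((kh) => ({
        type: 'public-key',
        id: decodeKeyHandle(kh),
        transports: ['usb', 'nfc', 'ble'],
      })),
      extensions: { appid: appId },
      userVerification: 'discouraged',
    },
  };
}

// Constructed usage: a 64-byte stand-in key handle, stored as the U2F API returned it.
const STORED_KEY_HANDLE = Buffer.alloc(64, 0x07).toString('base64url');
const options = buildU2fMigrationGetOptions({
  appId: 'https://example.com',                 // placeholder: must match the appId used at U2F registration
  keyHandles: [STORED_KEY_HANDLE],
  challenge: new Uint8Array(32),                // placeholder: a real challenge is random, from the server
});
console.log(options.publicKey.allowCredentials[0].id.length);   // 64

// The mistake from the question: encoding the already-encoded handle a second time.
try {
  decodeKeyHandle(Buffer.from(STORED_KEY_HANDLE, 'utf8').toString('base64url'));
} catch (e) {
  console.log(e.message);
}
```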
QUESTION
Is it possible to detect (in client-side JavaScript running in a browser) if the user is authenticated via WebAuthn? I am not interested in whether the browser supports WebAuthn or what the credentials are, but only in whether the authentication has occurred. I've looked through the API at https://www.w3.org/TR/webauthn-2/ and experimented with the demo at https://webauthn.io/ but don't see if this is allowed.
I would need to detect this within a 3rd-party script running on a website, so I don't have access to the code that would be implementing WebAuthn. It would be easier for me to detect if the website is implementing MFA via WebAuthn, but I assume that is not possible; so as a fallback I am hoping I can detect if MFA authentication has occurred.
...ANSWER
Answered 2021-Nov-12 at 11:48
So let's think about authentication in general. Authentication is a feature of a specific service that is implemented in a specific way by the service. The user experience may be similar between Google and Facebook, but the flows, API and password hashing are unique to each provider.
To figure out if you can login to a website with a password, you need to go to a website, and see if it has login form for example.
Same way with WebAuthn. This is not some in-browser magic. If you want to see if you can use WebAuthn with a website, you need to try to login to a website and see if it is utilising WebAuthn API during the login.
The WebAuthn API simply provides the ability to generate a credential and get an assertion (proof) for the credential. You may use this information to authenticate the user. How you do it exactly, and the process of performing validation, is different for each service.
So in conclusion:
The WebAuthn API does not have functionality to figure out if the user is logged in, because this is not what the WebAuthn API is for.
If you are interested in learning more about WebAuthn:
We have a cool guide: https://webauthn.guide/
A collection of useful resources: https://github.com/herrjemand/awesome-webauthn
And a deep dive into WebAuthn API: https://medium.com/webauthnworks/introduction-to-webauthn-api-5fd1fb46c285
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install WebAuthn
PHP requires the Visual C runtime (CRT). The Microsoft Visual C++ Redistributable for Visual Studio 2019 is suitable for all these PHP versions, see visualstudio.microsoft.com. You MUST download the x86 CRT for PHP x86 builds and the x64 CRT for PHP x64 builds. The CRT installer supports the /quiet and /norestart command-line switches, so you can also script it.