WebAuthn | A simple PHP WebAuthn | Authentication library

by lbuchs | PHP | Version: v2.0.0-beta | License: MIT

kandi X-RAY | WebAuthn Summary

WebAuthn is a PHP library typically used in Security and Authentication applications. WebAuthn has no reported vulnerabilities, a Permissive License, and low support. However, WebAuthn has 26 bugs. You can download it from GitHub.

A simple PHP WebAuthn (FIDO2) server library

            Support

              WebAuthn has a low active ecosystem.
              It has 255 star(s) with 53 fork(s). There are 28 watchers for this library.
              It had no major release in the last 12 months.
              There are 11 open issues and 46 have been closed. On average issues are closed in 164 days. There are no pull requests.
              It has a neutral sentiment in the developer community.
              The latest version of WebAuthn is v2.0.0-beta

            Quality

              WebAuthn has 26 bugs (0 blocker, 0 critical, 16 major, 10 minor) and 39 code smells.

            Security

              WebAuthn has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              WebAuthn code analysis shows 0 unresolved vulnerabilities.
              There are 2 security hotspots that need review.

            License

              WebAuthn is licensed under the MIT License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            Reuse

              WebAuthn releases are available to install and integrate.
              Installation instructions are not available. Examples and code snippets are available.
              WebAuthn saves you 856 person hours of effort in developing the same functionality from scratch.
              It has 2240 lines of code, 124 functions and 16 files.
              It has high code complexity. Code complexity directly impacts maintainability of the code.

            Top functions reviewed by kandi - BETA

            kandi has reviewed WebAuthn and discovered the below as its top functions. This is intended to give you an instant insight into WebAuthn implemented functionality, and help decide if they suit your requirements.
            • Process a GET request.
            • Process a client creation.
            • Queries Fido MetaData service.
            • Get create args.
            • Parse float from buffer.
            • Parse extra length.
            • Parse item data.
            • Get a floating point value.
            • Read a 64-bit integer from the buffer.
            • Parse a map.

            WebAuthn Key Features

            No Key Features are available at this moment for WebAuthn.

            WebAuthn Examples and Code Snippets

            No Code Snippets are available at this moment for WebAuthn.

            Community Discussions

            QUESTION

            WSO2 IS 5.11 - Unable to use FIDO authentication on Apple devices
            Asked 2022-Feb-18 at 06:33

            Summary: WSO2 IS 5.11 has been installed and configured with FIDO as a local authenticator for a service provider. As a user on an Apple device attempting to log into a service provider using the FIDO local authenticator, the user is immediately redirected to a failed login attempt page.

            According to Safari Web Inspector attached to the user's device, the fido2-auth.jsp [1] generates the following error message:

            ...

            ANSWER

            Answered 2022-Feb-18 at 06:33

            This issue is caused by Safari requiring user actions to initiate the webauthn flow. Since other browsers don't mandate the same, we don't face this issue in any other browsers.

            So, to address this issue, WSO2 Identity Server has added a proceed button to the authentication page for Safari users. So, Safari users can now click on this button to initiate the webauthn flow.

            Source https://stackoverflow.com/questions/69482915

            QUESTION

            Unable to sendKeys to a page
            Asked 2022-Jan-27 at 07:04

            I'm trying to log in to https://support.sentinelone.com/ through selenium. Somehow I'm unable to enter my credentials. Here is my code.

            ...

            ANSWER

            Answered 2022-Jan-27 at 07:04

            Your locators are correct, but the Creds input boxes are in an iframe.

            So first switch to an iframe with the below XPath:

            Source https://stackoverflow.com/questions/70874354

            QUESTION

            Using `navigator.credentials.get()` in cross-origin iframe gives error "'publickey-credentials-get' feature is not enabled in this document"
            Asked 2022-Jan-24 at 20:12

            Getting the error while logging into an iframe through webauthn.

            The 'publickey-credentials-get' feature is not enabled in this document. Permissions Policy may be used to delegate Web Authentication capabilities to cross-origin child frames.

            Here is the link to the example https://jsfiddle.net/14kj25nr/. I have registered a user "test_account" directly through webauthn.io and then tried to login into it through jsfiddle. It says to use publickey-credentials-get, but I couldn't find a way to use it to get it to work. Any help would be appreciated.

            Update 1:

            I have added the allow attribute for the iframe allow="publickey-credentials-get". It still gives me the same error. The example in the fiddle is updated.

            Update 2:

            From IAmKale's suggestion. I made the following changes but still got the same error. Updated the allow attribute of iframe allow="publickey-credentials-get *".

            I use the Requestly chrome extension to add the Permissions-Policy header in the RP's response. It can be seen in the below screenshot that I was able to successfully add the header in the response. But still getting the same error. Could it be some jsfiddle specific issue? Or is there anything I am doing wrong? I am using Chrome Version 96.0.4664.110.

            Update 3:

            When I use the iframe in localhost instead of jsfiddle, I am getting the webauthn Chrome pop-up. But the log-in is still unsuccessful, the server returns POST https://webauthn.io/assertion 400.

            ...

            ANSWER

            Answered 2022-Jan-23 at 00:10

            The Web Authentication API is disabled by default in cross-origin iframes. To override this default policy and indicate that a cross-origin iframe is allowed to invoke the Web Authentication API's [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) method, specify the allow attribute on the iframe element and include the publickey-credentials-get feature-identifier token in the allow attribute’s value.

            https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance

            Source https://stackoverflow.com/questions/70817061

            QUESTION

            PublicKeyCredentials Webauthn "internal" authentication missing userHandle on Android (Android SafetyNet)
            Asked 2022-Jan-19 at 19:39

            I'm currently able to create publicKeyCredentials using:

            ...

            ANSWER

            Answered 2022-Jan-19 at 17:12

            This flow works on all of my Apple devices, however, on Android the 'fmt' of the credentials is 'android-safetynet' which doesn't seem to support userHandles.

            Just to clarify, the format of the attestation statement has no bearing on an authenticator's ability to return a userHandle from navigator.credentials.get(). According to the spec it's basically up to the authenticator whether it wants to return userHandle or not.

            Are there any formats I can force on Android that I can save userHandles with?

            WebAuthn doesn't offer any way for an RP (Relying Party, i.e. your server) to require a specific attestation statement format, so you either have to support them all (for which I'd highly encourage you use an existing library) or pick and choose and reject registration of credentials with statements you don't want to support.

            Or another way to store information with the publicKeyCredential to allow me to support the usernameless webauthn flow?

            I'll correct this if I'm wrong but I don't think you need userHandle to accomplish usernameless. You should be able to take the credential ID you get back from navigator.credentials.get() and match it first to your list of registered credentials, and then pull the corresponding user ID from your own internal record of which credentials belong to which user.

            All that to say that FIDO2 support on Android is a little spotty. Last I checked discoverable credentials are basically unsupported on the platform which means usernameless support on Android devices is pretty much out of the question for now.

            Source https://stackoverflow.com/questions/70773179

            QUESTION

            Compile TypeScript Types for runtime use
            Asked 2022-Jan-11 at 11:53

            I have a client server application that communicates using REST calls.

            To prevent accidentally using the wrong types, I defined all RestCalls in a common file (excerpt):

            ...

            ANSWER

            Answered 2022-Jan-10 at 13:28

            No. Typescript types will be emitted during the compilation phase.

            Your options are:

            1. Use JSON-Schema (Ajv) to validate the input of incoming http json requests: https://github.com/ajv-validator/ajv
            2. Use Swagger (Almost the same as (1)).
            3. Use a validator which works with your framework.
            4. I found this project which tries to create runtime asserts from typescript types: https://github.com/skunkteam/types. But I never used it myself.
            5. https://github.com/nanoporetech/ts-runtime-typecheck - Same as (4) but never used it as well.

            Source https://stackoverflow.com/questions/70653116

            QUESTION

            "The operation is insecure." On navigator.credentials.create() on firefox using Mailcow
            Asked 2021-Dec-26 at 16:26

            I'm trying to register a fido2 device in Mailcow using Firefox 95.0.2. When trying to do so, the Registration Status field announces:

            ...

            ANSWER

            Answered 2021-Dec-26 at 16:26

            After doing some more testing with Edge (and discovering the "thisisunsafe" trick), I've discovered that WebAuthn isn't a big fan of ports. So, it didn't like: "id":"subdomain.domain.tld:port".

            Replacing $_SERVER['SERVER_NAME'] where $_SERVER['HTTP_HOST'] when initializing the $WebAuthn Variable fixed the issue.

            Basically navigator.credentials.create() doesn't accept ids with ports.

            Source https://stackoverflow.com/questions/70487688
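
The port problem from the answer above, as an added example (not code from the post, Mailcow or the library). It resolves a request's Host header to a port-free rpId and only accepts hosts covered by a configured list, since the Host header is client-supplied; `ALLOWED_RP_IDS`, `mail.example.test` and `rpIdFromHost` are assumed names.

```javascript
// Added example. ALLOWED_RP_IDS and its value are constructed placeholders:
// the relying party pins the rpIds it is willing to issue options for.
const ALLOWED_RP_IDS = ['mail.example.test'];

// Returns the rpId (a bare domain, never host:port) for a Host header value,
// or null when the header is malformed or not covered by the allow-list.
function rpIdFromHost(hostHeader, allowedRpIds = ALLOWED_RP_IDS) {
  // Accept only "hostname" or "hostname:port". This rejects userinfo ("a@b"),
  // paths, whitespace and bracketed IPv6 literals, none of which are valid here.
  const match = /^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(\d{1,5}))?$/i
    .exec(String(hostHeader).trim());
  if (!match) return null;

  // The port is dropped: "subdomain.domain.tld:port" is not a valid rp.id.
  const host = match[1].toLowerCase();

  // An rpId must equal the host or be a parent domain of it. The leading dot
  // in the suffix check keeps "notmail.example.test" from matching.
  const rpId = allowedRpIds.find(
    (id) => host === id || host.endsWith('.' + id)
  );
  return rpId === undefined ? null : rpId;
}

// Builds the "rp" member of the creation options from the request host.
function buildRpEntity(hostHeader, name) {
  const id = rpIdFromHost(hostHeader);
  if (id === null) {
    throw new Error('Host header does not map to a configured rpId');
  }
  return { name, id };
}
```

The origin checked later in clientDataJSON still includes the port; only the rpId omits it.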

            QUESTION

            WebAuthn authentication and registration using TouchID on two different browsers?
            Asked 2021-Dec-03 at 17:19

            The case where a person registers a new account (via credentials.create) and subsequently logs in using the same browser (via credentials.get) is straightforward, because at the time credentials.create is called, the user must grant their browser permission to use Touch ID for a given domain. For example, see the image below, which is a modal prompting the user to allow Touch ID on the given domain, triggered by credentials.create:

            If you select "OK" in the modal shown above, you can complete registration with Touch ID. When you subsequently login to your account using the same browser, you see the modal depicted below, which offers a choice between authenticating with a security key and the previously-registered Touch ID. This modal is triggered by credentials.get:

            Here's the rub: If a user creates an account (credentials.create) with Touch ID via another browser, for example Chrome, and then attempts to authenticate (credentials.get) on Safari, Safari thinks they only have access to a security key, and does not provide Touch ID as an option. See below for reference:

            Is this a known limitation of WebAuthn itself? It is common that people would use different browsers to access the same website, with the expectation that they can login on any browser, regardless of the one they used to create an account. Given that, it is troubling if WebAuthn does not support this behavior.

            Most importantly - how are devs getting around this issue? Are you informing users that they are tied not only to the internal device that they originally registered to their account but also the browser they used? Are you calling credentials.create immediately before credentials.get? This seems like a hack but I am interested in any solutions.

            Thanks very much in advance.

            ...

            ANSWER

            Answered 2021-Dec-03 at 17:19

            Is this a known limitation of WebAuthn itself?

            This has nothing to do with WebAuthn the API and everything to do with macOS. To date macOS is the one platform that requires WebAuthn credential management to take into account which browser the credential was registered in.

            ...how are devs getting around this issue?

            One way to address this is to store the user's OS and browser at registration (via traditional user agent, the newer navigator.userAgentData, etc...) with the new credential. Then, at auth, grab the user's current OS and browser info and use it to filter credentials to include in allowCredentials that you'll pass to navigator.credentials.get(). If a credential was registered on macOS then filter by browser too; on other platforms you can simply filter by OS.

            If allowCredentials is empty on macOS after filtering the user's credentials (i.e. because the user has a single credential that was registered in Safari but the user is currently using Chrome) you need to handle that and prompt the user to log in some other way before prompting them to register Touch ID in Chrome.

            This is incredibly annoying to deal with, but it's the reality of WebAuthn on macOS. Fingers crossed Apple's passkeys (now in Tech Preview on Monterey) will offer a similar experience to iOS' OS-level credential store once it rolls out more widely...

            Source https://stackoverflow.com/questions/70217770
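
The filtering described in the answer above, as an added example (not code from the post or from any library). It assumes the relying party stored `os`, `browser` and `attachment` with each credential at registration; those field names, the sample records and both function names are constructed. It goes slightly beyond the answer by always keeping roaming (`cross-platform`) authenticators, which are not bound to an OS or browser.

```javascript
// Added example. Record fields (id, attachment, os, browser) are assumed names
// for data the relying party saved when the credential was registered.
function selectAllowCredentials(stored, client) {
  return stored
    .filter((cred) => {
      // Roaming authenticators (USB/NFC keys) work from any OS and browser.
      if (cred.attachment === 'cross-platform') return true;
      // Platform credentials only exist on the OS that created them.
      if (cred.os !== client.os) return false;
      // On macOS they are additionally scoped to the registering browser.
      if (cred.os === 'macOS') return cred.browser === client.browser;
      return true;
    })
    .map((cred) => ({ type: 'public-key', id: cred.id }));
}

// Decides what the login page should do for this client.
function planLogin(stored, client) {
  const allowCredentials = selectAllowCredentials(stored, client);
  if (allowCredentials.length === 0) {
    // An empty allowCredentials would ask the client for any discoverable
    // credential instead of failing, so branch here: authenticate some other
    // way first, then offer to register a credential in this browser.
    return { action: 'fallback', thenOfferRegistration: true, allowCredentials };
  }
  return { action: 'webauthn', thenOfferRegistration: false, allowCredentials };
}

// Constructed sample records (credential ids are made-up base64url strings).
const SAMPLE_CREDENTIALS = [
  { id: 'Y3JlZC1zYWZhcmk', attachment: 'platform', os: 'macOS', browser: 'Safari' },
  { id: 'Y3JlZC1waXhlbA', attachment: 'platform', os: 'Android', browser: 'Chrome' },
  { id: 'Y3JlZC15dWJpa2V5', attachment: 'cross-platform', os: 'Windows', browser: 'Firefox' },
];
```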

            QUESTION

            WebauthN and Yubikey to generate keys for symmetric encryption in a browser. Is this hack secure?
            Asked 2021-Dec-02 at 16:42

            I understand that WebauthN is designed to perform authentication, but I'd like to use my Yubikey to create symmetric encryption keys to encrypt content on my web browser without relying on a backend server.

            Here's my approach:

            • During the assertion challenge ( navigator.credentials.get({ publicKey }) ) the Yubikey signs a challenge string that the client sends to the authenticator.
            • I extract the signed challenge, hash it with SHA256 and use it as my new symmetric encryption key for AES256 encryption.
            • As long as the same challenge string is sent to the Yubikey, the encryption key will always be the same.

            In order to be able to decrypt the content on the web browser. I would have to be in possession of the Yubikey and the challenge string for 2 factor authentication.

            Is there anything wrong with this approach?

            ...

            ANSWER

            Answered 2021-Nov-27 at 09:51

            Why don't you use the Web Crypto API?

            This API is designed for cypher operations on client side and is suitable for your use case (client side encryption). It is supported by all recent browsers.

            Note that the main concern you may have is that this API does not support hardware devices (smartcards, security tokens...).

            However, your Yubikey is certainly capable of generating a secured static password you can use as a master key you will derive to encrypt/decrypt your data.

            Source https://stackoverflow.com/questions/70131030

            QUESTION

            Unable to use AppId extension with WebAuthn for previously registered U2F keys
            Asked 2021-Nov-19 at 14:22

            With the imminent demise of the u2f api, I'm trying to move to WebAuthn APIs using the AppId extension to support security keys previously registered with U2F. As best I can tell from reading the docs I think I am doing it correctly, however, when attempting to authenticate I am prompted by my browser to tap my key, and my key is blinking, but upon tapping it I get the error "You're using a security key that's not registered with this website". In comparing the existing u2f authentication request I'm using the same appid and key handle.

            Example U2F sign request:

            ...

            ANSWER

            Answered 2021-Nov-16 at 17:53

            Everything about the options you pass to navigator.credentials.get() looks correct, including how you're specifying the "appid" extension. I believe the issue is that you're double-encoding your U2F credential's credential ID. Try passing the original "keyHandle" in the options instead (you can use it as-is because it's already compatible with base64url encoding):

            Source https://stackoverflow.com/questions/69993268

            QUESTION

            Detect if user authenticated with webauthn
            Asked 2021-Nov-12 at 11:48

            Is it possible to detect (in client-side javascript running in a browser) if the user is authenticated via webauthn? not interested in if the browser supports webauthn or what the credentials are, but only interested if the authentication has occurred. i've looked thru the api at https://www.w3.org/TR/webauthn-2/ and experimented w/ the demo at https://webauthn.io/ but don't see if this is allowed.

            i would need to detect this w/in a 3rd party script running on a website. So i don't have access to the code that would be implementing the webauthn. It would be easier for me to detect if the website is implementing MFA via webauthn, but i assume that is not possible; so as a fallback i am hoping i can detect if mfa authentication has occurred.

            ...

            ANSWER

            Answered 2021-Nov-12 at 11:48

            So let's think about authentication in general. Authentication is a feature of a specific service, that is implemented in a specific way by the service. The user experience may be similar between Google and Facebook, but the flows, API, password hashing are unique to each provider.

            To figure out if you can login to a website with a password, you need to go to a website, and see if it has login form for example.

            Same way with WebAuthn. This is not some in-browser magic. If you want to see if you can use WebAuthn with a website, you need to try to login to a website and see if it is utilising WebAuthn API during the login.

            WebAuthn API simply provides the ability to generate a credential, and get an assertion (proof) for the credential. You may use this information to authenticate the user. How you do it exactly, and the process of performing validation is different for each service.

            So in conclusion:

            WebAuthn API does not have functionality to figure out if the user is logged in, because this is not what WebAuthn API is for.

            If you are interested in learning more about WebAuthn:

            We have a cool guide: https://webauthn.guide/

            A collection of useful resources: https://github.com/herrjemand/awesome-webauthn

            And a deep dive into WebAuthn API: https://medium.com/webauthnworks/introduction-to-webauthn-api-5fd1fb46c285

            Source https://stackoverflow.com/questions/69929858

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install WebAuthn

            You can download it from GitHub.
            PHP requires the Visual C runtime (CRT). The Microsoft Visual C++ Redistributable for Visual Studio 2019 is suitable for all these PHP versions, see visualstudio.microsoft.com. You MUST download the x86 CRT for PHP x86 builds and the x64 CRT for PHP x64 builds. The CRT installer supports the /quiet and /norestart command-line switches, so you can also script it.

            Support

            This library supports authenticators which are signed with a X.509 certificate or which are self attested. ECDAA is not supported.
            Find more information at:

            CLONE
          • HTTPS

            https://github.com/lbuchs/WebAuthn.git

          • CLI

            gh repo clone lbuchs/WebAuthn

          • sshUrl

            git@github.com:lbuchs/WebAuthn.git
