feat: support passkey as authentication method (#386)

* feat: support for passkey authentication

Passkey is a standard that enables passwordless authentication (aka login) in the browser. It essentially defines a common API for web applications to handle passwordless technologies via FIDO2 which includes things like public key cryptography, security keys (i.e. Yubikey), and biometrics (i.e. Touch ID/Face ID, Windows Hello).

In frontier config, under authentication we can add out Relaying Party details to use passkey.It takes 3 parameters, rpdisplayname, rpid, rporigins.

rpdisplayname: A string representing the name or display name of the Relying Party.
rpid: A string representing the ID of the Relying Party in the form of a web domain.
rporigins: An array of strings specifying the allowed origins (URLs) from which authentication requests are accepted by the Relying Party. This serves as a security measure to ensure that authentication requests originate only from trusted sources.

A concise explanation of the terms used:
Relying Party (RP): The RP is the web application or service that handles passkey issuance and authentication. It operates both a client-side component (website or app) for creating and authenticating passkeys and a server-side component for registering, storing, and verifying passkey credentials.

RP Displayname: This is the name or display name of the relying party, which is presented during the passkey authentication process.

RP ID: The RP ID is the identifier for the relying party, typically in the form of a web domain. It helps ensure that passkey authentication is directed to the correct RP.

RP Origins: These are the allowed origins (URLs) from which authentication requests are accepted by the RP. It's a security measure to ensure that authentication requests come from trusted sources.

User Registration:
In the StartFlow method, the application initially checks whether the user requires registration or login by examining the "passkey_credentials" field in the user's metadata. If present, it indicates that the user is already registered, and a login is required. If absent, user registration is necessary. To complete the registration process, the application generates a webauth credential and stores it in the User metadata under the key "passkey_credentials."

User Login:
In the StartFlow method, if "passkey_credentials" exists in the user's metadata, it signifies that the user is registered and can proceed with the login process. The application sets passkey user credentials and initiates the Begin Login process, which provides options and challenges for the user. Additionally, the application stores "sessionInBytes" (representing the session) and "passkey_type" (indicating login in this case) in the flow metadata. To complete the login process, the application utilizes webAuth.ValidateLogin to verify the current credentials against the stored credentials.

* chore: update makefile proton commit

---------

Signed-off-by: Vivek Joshi <[email protected]>

Author: VimVek

Makefile

@@ -4,7 +4,7 @@ TAG := $(shell git rev-list --tags --max-count=1)
 VERSION := $(shell git describe --tags ${TAG})
 .PHONY: build check fmt lint test test-race vet test-cover-html help install proto ui
 .DEFAULT_GOAL := build
-PROTON_COMMIT := "8c16ee56d3189c77eb7e677f554a1f28e8c6f53a"
+PROTON_COMMIT := "eb488a5599d61d8e4312ec0eb12c5065e42e3002"
 
 ui:
 	@echo " > generating ui build"

cmd/serve.go

@@ -40,6 +40,7 @@ import (
 	"github.com/raystack/frontier/core/authenticate/session"
 	"github.com/raystack/frontier/core/metaschema"
 
+	"github.com/go-webauthn/webauthn/webauthn"
 	"github.com/raystack/frontier/config"
 	"github.com/raystack/frontier/core/group"
 	"github.com/raystack/frontier/core/namespace"
@@ -229,8 +230,22 @@ func buildAPIDependencies(
 		)
 		logger.Info("mailer enabled", "host", cfg.App.Mailer.SMTPHost, "port", cfg.App.Mailer.SMTPPort)
 	}
+
+	wconfig := &webauthn.Config{
+		RPDisplayName: cfg.App.Authentication.PassKey.RPDisplayName,
+		RPID:          cfg.App.Authentication.PassKey.RPID,
+		RPOrigins:     cfg.App.Authentication.PassKey.RPOrigins,
+	}
+	webAuthConfig, err := webauthn.New(wconfig)
+	if err != nil {
+		if wconfig.RPDisplayName == "" && wconfig.RPID == "" && wconfig.RPOrigins == nil {
+			webAuthConfig = nil
+		} else {
+			return api.Deps{}, fmt.Errorf("failed to parse passkey config: %w", err)
+		}
+	}
 	authnService := authenticate.NewService(logger, cfg.App.Authentication,
-		postgres.NewFlowRepository(logger, dbc), mailDialer, tokenService, sessionService, userService, serviceUserService)
+		postgres.NewFlowRepository(logger, dbc), mailDialer, tokenService, sessionService, userService, serviceUserService, webAuthConfig)
 
 	groupRepository := postgres.NewGroupRepository(dbc)
 	groupService := group.NewService(groupRepository, relationService, authnService, policyService)

core/authenticate/authenticate.go

@@ -18,6 +18,7 @@ type AuthMethod string
 const (
 	MailOTPAuthMethod  = AuthMethod(strategy.MailOTPAuthMethod)
 	MailLinkAuthMethod = AuthMethod(strategy.MailLinkAuthMethod)
+	PassKeyAuthMethod  = AuthMethod(strategy.PasskeyAuthMethod)
 )
 
 func (m AuthMethod) String() string {
@@ -95,13 +96,15 @@ type RegistrationFinishRequest struct {
 	Method string
 
 	// used for OIDC & mail otp auth strategy
-	Code  string
-	State string
+	Code        string
+	State       string
+	StateConfig map[string]any
 }
 
 type RegistrationStartResponse struct {
-	Flow  *Flow
-	State string
+	Flow        *Flow
+	State       string
+	StateConfig map[string]any
 }
 
 type RegistrationFinishResponse struct {

core/authenticate/config.go

@@ -14,6 +14,7 @@ type Config struct {
 	Token      TokenConfig           `yaml:"token" mapstructure:"token"`
 	MailOTP    MailOTPConfig         `yaml:"mail_otp" mapstructure:"mail_otp"`
 	MailLink   MailLinkConfig        `yaml:"mail_link" mapstructure:"mail_link"`
+	PassKey    PassKeyConfig         `yaml:"passkey" mapstructure:"passkey"`
 }
 
 type TokenConfig struct {
@@ -61,3 +62,9 @@ type MailLinkConfig struct {
 	Body     string        `yaml:"body" mapstructure:"body" default:"Click on the following link or copy/paste the url in browser to login.<h3><a href='{{.Link}}' target='_blank'>Login</a></h3>Address: {{.Link}} <br>This link will expire in 10 minutes."`
 	Validity time.Duration `yaml:"validity" mapstructure:"validity" default:"10m"`
 }
+
+type PassKeyConfig struct {
+	RPDisplayName string   `yaml:"rpdisplayname"`
+	RPID          string   `yaml:"rpid"`
+	RPOrigins     []string `yaml:"rporigins"`
+}