[FEATURE] WebAuthn authentication #659

Open
shurwit opened this issue Apr 27, 2023 · 0 comments · May be fixed by #662 or #707
Assignees: shurwit
Labels: enhancement (New feature or request)

shurwit (Collaborator) commented Apr 27, 2023

Is your feature request related to a problem? Please describe.
Currently we do not have support for the latest modern, secure passwordless authentication flows that are becoming more prevalent.

Describe the solution you'd like
We should add support for WebAuthn to enable passwordless authentication with passkeys.

References:
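
The server-side half of the passkey login flow requested above, as an added example in Go (the language this project is written in). This is illustrative code written for this page, not the project's implementation and not code from the issue or its linked pull requests. It assumes a relying party ID of example.edu, an origin of https://example.edu, a credential ID of cred-1 and an in-memory store; the registration ceremony (attestation parsing) is omitted, and a small software signer stands in for the browser and authenticator. It shows the checks a relying party must make on an assertion: exact origin, a one-shot challenge deleted on first use, the rpIdHash, the user-present and user-verified flags, a strictly increasing signature counter, and the ECDSA signature over authData || SHA-256(clientDataJSON).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

type clientData struct { // the part of CollectedClientData the relying party must check
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, no padding
	Origin    string `json:"origin"`
}

// RelyingParty is a minimal verifier for the WebAuthn "get" (assertion) ceremony that treats every credential
// as a passkey (UV required). Illustrative only: a real server keeps challenges and credentials in shared, locked storage.
type RelyingParty struct {
	ID, Origin string                      // RP ID (e.g. "example.edu", assumed) and the exact expected origin
	pending    map[string]struct{}         // outstanding challenges, deleted on first use
	keys       map[string]*ecdsa.PublicKey // registered public keys by credential ID
	counters   map[string]uint32           // last accepted signature counter per credential
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{id, origin, map[string]struct{}{}, map[string]*ecdsa.PublicKey{}, map[string]uint32{}}
}

func (rp *RelyingParty) BeginLogin() (string, error) { // fresh 32-byte random challenge, recorded as pending
	var buf [32]byte
	if _, err := rand.Read(buf[:]); err != nil {
		return "", err
	}
	ch := base64.RawURLEncoding.EncodeToString(buf[:])
	rp.pending[ch] = struct{}{}
	return ch, nil
}

// FinishLogin checks, in order: client data type and origin, single-use challenge, rpIdHash, UP/UV flags, counter, signature.
func (rp *RelyingParty) FinishLogin(credID string, cdj, authData, sig []byte) error {
	var cd clientData
	if json.Unmarshal(cdj, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != rp.Origin {
		return fmt.Errorf("client data unparseable, wrong ceremony type, or origin != %s", rp.Origin)
	}
	if _, ok := rp.pending[cd.Challenge]; !ok {
		return fmt.Errorf("unknown or already used challenge")
	}
	delete(rp.pending, cd.Challenge) // consume before anything else so a replayed assertion fails
	pub, rpIDHash := rp.keys[credID], sha256.Sum256([]byte(rp.ID))
	if pub == nil || len(authData) < 37 || string(authData[:32]) != string(rpIDHash[:]) {
		return fmt.Errorf("unknown credential, short authenticator data, or rpIdHash mismatch")
	}
	if f := authData[32]; f&0x01 == 0 || f&0x04 == 0 { // bit 0 = user present (UP), bit 2 = user verified (UV)
		return fmt.Errorf("user presence/verification flags not satisfied: %#x", f)
	}
	counter, last := binary.BigEndian.Uint32(authData[33:37]), rp.counters[credID]
	if (counter != 0 || last != 0) && counter <= last {
		return fmt.Errorf("signature counter %d did not increase past %d (cloned authenticator?)", counter, last)
	}
	cdHash := sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], sig) {
		return fmt.Errorf("bad signature")
	}
	rp.counters[credID] = counter // only advance after a good signature
	return nil
}

func newKey() *ecdsa.PrivateKey { // P-256 key pair, as an authenticator creates at registration
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// signAssertion stands in for browser plus authenticator: builds clientDataJSON and authData, signs SHA-256(authData || SHA-256(clientDataJSON)).
func signAssertion(priv *ecdsa.PrivateKey, counter uint32, flags byte, rpID, origin, challenge string) (cdj, authData, sig []byte, err error) {
	cdj, _ = json.Marshal(clientData{"webauthn.get", challenge, origin}) // plain strings: cannot fail
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData = binary.BigEndian.AppendUint32(append(rpIDHash[:], flags), counter)
	cdHash := sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return cdj, authData, sig, err
}

func main() {
	priv := newKey()
	rp := NewRelyingParty("example.edu", "https://example.edu")
	rp.keys["cred-1"] = &priv.PublicKey // registration ceremony (attestation parsing) omitted
	ch, _ := rp.BeginLogin()
	cdj, ad, sig, _ := signAssertion(priv, 1, 0x01|0x04, rp.ID, rp.Origin, ch)
	fmt.Println("first use:", rp.FinishLogin("cred-1", cdj, ad, sig), "/ replay:", rp.FinishLogin("cred-1", cdj, ad, sig))
}
```

Consuming the challenge before any other check means a captured assertion cannot be replayed even if the later checks would pass, and updating the stored counter only after a successful signature check keeps a forged or cloned assertion from advancing it.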

@shurwit shurwit added the enhancement New feature or request label Apr 27, 2023
@shurwit shurwit self-assigned this Apr 27, 2023
@shurwit shurwit linked a pull request May 11, 2023 that will close this issue
shurwit added a commit to rokmetro/core-building-block-fork that referenced this issue May 11, 2023
* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog
shurwit added a commit to rokmetro/core-building-block-fork that referenced this issue Jun 9, 2023
* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* fix error handling

* fix login issues for mobile

* upgrade dependencies
roberlander2 added a commit to rokmetro/core-building-block-fork that referenced this issue Jun 14, 2023
shurwit added a commit that referenced this issue Oct 6, 2023
* add app-env.json and update port

* Update app-env.json

* Update app-env.json

* update detect-secrets, update secrets baseline

* update secrets baseline

* update makefile versioning

* Update Makefile

Fix typo

* print version

* upgrade go to v1.20

* fix secrets

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* [#659] WebAuthn authentication (#7)

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* fix error handling

* fix login issues for mobile

* upgrade dependencies

* [#659] webauthn authentication (#8)

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* fix error handling

* fix login issues for mobile

* upgrade dependencies

* add webauthn to account check types

* add configs for authenticator selection to supported auth type params (#10)

* upgrade dependencies

* [#665] Decouple authentication and verification mechanisms (#13)

* add configs for authenticator selection to supported auth type params

* start adding verification types (contains errors) [#665]

* continue splitting auth and verification types [#665]

* finish implementing password auth type, start code verification type, add phone verifier interface [#665]

* finish refactoring identifier, auth types, start updating apis [#665]

* finish fixing errors [#665]

* fix passkey errors [#665]

* bug fixes, email with passkey not working because no params in email auth type

* update identifier impl and auth impl getters to better handle backwards compatibility (has errors)

* bug fixes, email and passkey not completing registration

* add json omitempty tags to credential structs

* better identifier type parsing

* passkeys using email and username identifiers working

* start fixing phone, passkey auth

* bug fixes for phone and passkey, better error messages

* simplify phone verifier interface

* phone auth type link working, add authCommunicationChannel interface to handle verification functions

* add ability to link webauthn credentials to accounts

* only set username if empty

* Change messages handling for verification

* remove commented blocks

* cleanup

* return verified auth types when cannot find account with username but not identifier

* bug fixes

* fix phone auth type docs

---------

Co-authored-by: Stephen Hurwit <[email protected]>
Co-authored-by: akshadpai <[email protected]>

* add missing verify email env var to app-env.json

* Auth-verify split fixes (#16)

* bug fixes

* update secrets baseline

* fix issues introduced by nullable device IDs

* fix username format

* update secrets baseline

* fix sign up bug

* disable request docs validation

* fix startup error for caching auth type

* fix pkce generation

* fix random string interface

* set user agent for oidc requests

* revert auth type changes

* revert core models, go mod, auth interface impl, remove phone verifier interface

* revert web package webauthn additions, update API docs

* fix storage files

* revert auth.go

---------

Co-authored-by: Stephen Hurwit <[email protected]>
Co-authored-by: Stephen Hurwit <[email protected]>
Co-authored-by: akshadpai <[email protected]>
shurwit added a commit to rokmetro/core-building-block-fork that referenced this issue Oct 6, 2023
* add app-env.json and update port

* Update app-env.json

* Update app-env.json

* update detect-secrets, update secrets baseline

* update secrets baseline

* update makefile versioning

* Update Makefile

Fix typo

* print version

* upgrade go to v1.20

* fix secrets

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* [rokwire#659] WebAuthn authentication (#7)

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* fix error handling

* fix login issues for mobile

* upgrade dependencies

* [rokwire#659] webauthn authentication (#8)

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* fix error handling

* fix login issues for mobile

* upgrade dependencies

* add webauthn to account check types

* add configs for authenticator selection to supported auth type params

* add configs for authenticator selection to supported auth type params (#10)

* start adding verification types (contains errors) [rokwire#665]

* continue splitting auth and verification types [rokwire#665]

* finish implementing password auth type, start code verification type, add phone verifier interface [rokwire#665]

* finish refactoring identifier, auth types, start updating apis [rokwire#665]

* upgrade dependencies

* finish fixing errors [rokwire#665]

* fix passkey errors [rokwire#665]

* bug fixes, email with passkey not working because no params in email auth type

* update identifier impl and auth impl getters to better handle backwards compatibility (has errors)

* bug fixes, email and passkey not completing registration

* add json omitempty tags to credential structs

* better identifier type parsing

* passkeys using email and username identifiers working

* start fixing phone, passkey auth

* bug fixes for phone and passkey, better error messages

* simplify phone verifier interface

* phone auth type link working, add authCommunicationChannel interface to handle verification functions

* add ability to link webauthn credentials to accounts

* only set username if empty

* Change messages handling for verification

* remove commented blocks

* cleanup

* return verified auth types when cannot find account with username but not identifier

* bug fixes

* fix phone auth type docs

* make sure usernames are lowercase, do not fail if phone verifier fails to init

* start refactoring account auth types into account auth types and account identifiers, do not store identifiers in credentials (contains errors)

* more progress, identifier type and auth type simplifications

* read email verification settings from config, refactor verify credential APIs to verify identifier

* build error fixes, add account identifier storage operations

* start preparing for multiple credentials of same type (e.g., passkeys)

* some progress implementing passkey with identifier flow

* rewrite passkey flows

* build error cleanup, start moving account external IDs into identifiers, refactor shared profile stuff

* start fixing shared profiles

* comment shared profile functionality

* update API docs for linking auth types and identifiers, more error fixes

* more API doc tweaks, more error fixes, remove all uses of claims.UID

* more link and unlink request body tweaks

* do not store account auth type ID in login session, instead use identifier to get account

* start working on link account auth type implementation updates

* more link auth type updates

* finish implementing link identifier, some code auth type bug fixes

* match LinkAccountIdentifier interface definition

* fix remaining build errors, begin implementing DB migration

* add support for login using external identifiers, update more request body definitions

* identifiers bug fixes, fix build errors

* update db indexes

* start implementing db migration

* do not allow generic oidc auth type code - no specified identity provider

* implement app org and auth type migrations

* credentials migration working, use json convert utils func

* login session migration done

* accounts migration done, a few bug fixes related to external IDs

* move migration functions into separate file

* more bug fixes, accountAuthTypesToDef not working

* email and phone login fixes, finish implementing identifier-less login

* bug fixes

* linking, unlinking bug fixes

* more linking, unlinking bug fixes and identifier verification email bug fixes

* username login, webauthn backwards compatible login bug fixes

* fix identifier-less webauthn login, update canLink

* fix passkey sign up

* return account on webauthn signup

* make OIDC ID tokens optional

* add sign-in-options API, update login API to accept account identifier ID

* finish implementing sign in options and login with identifier ID

* mask email and phone identifiers for sign in options, add regexp to validate emails

* clean up linking, unlinking

* fix unlink examples, sign in options fix, handle nil identifier when linking

* upgrade dependencies, set username in token claims

* use error statuses for auth type and identifier linking

* allow webauthn credentials to be created after account already exists

* update changelog

* updates and fixes for conde_oidc, started refactoring email and phone from profile, username from account into identifiers

* fix build errors

* start handling external email identifiers

* implement profile email and phone and account username migrations

* set sensitive flags for email and phone migrations

* finish implementing identifier sensitive field, return profile email, phone and username for BC

* disallow updating account username to empty string

* add sensitive field to account identifier api model

* bug fixes

* mark email as external if it matches external email field

* usernames verified by default, identifiers used to sign up with webauthn unverified by default

* auth type unlink bug fixes

* simplify link auth type transaction, add app type identifier to webauthn aat params

* fix link docs example

* return identifiers on auth type link and unlink

* improve external identifier migration, add IsEmailVerified flag

* do not change email sensitivity on update external identifiers

* remove API docs comment

* fix go mod

---------

Co-authored-by: Stephen Hurwit <[email protected]>
Co-authored-by: Stephen Hurwit <[email protected]>
Co-authored-by: akshadpai <[email protected]>
shurwit added a commit to rokmetro/core-building-block-fork that referenced this issue Oct 6, 2023
* add app-env.json and update port

* Update app-env.json

* Update app-env.json

* update detect-secrets, update secrets baseline

* update secrets baseline

* update makefile versioning

* Update Makefile

Fix typo

* print version

* upgrade go to v1.20

* fix secrets

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* [rokwire#659] WebAuthn authentication (#7)

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* fix error handling

* fix login issues for mobile

* upgrade dependencies

* [rokwire#659] webauthn authentication (#8)

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* fix error handling

* fix login issues for mobile

* upgrade dependencies

* add webauthn to account check types

* add configs for authenticator selection to supported auth type params

* add configs for authenticator selection to supported auth type params (#10)

* start adding verification types (contains errors) [rokwire#665]

* continue splitting auth and verification types [rokwire#665]

* finish implementing password auth type, start code verification type, add phone verifier interface [rokwire#665]

* finish refactoring identifier, auth types, start updating apis [rokwire#665]

* upgrade dependencies

* finish fixing errors [rokwire#665]

* fix passkey errors [rokwire#665]

* bug fixes, email with passkey not working because no params in email auth type

* update identifier impl and auth impl getters to better handle backwards compatibility (has errors)

* bug fixes, email and passkey not completing registration

* add json omitempty tags to credential structs

* better identifier type parsing

* passkeys using email and username identifiers working

* start fixing phone, passkey auth

* bug fixes for phone and passkey, better error messages

* simplify phone verifier interface

* phone auth type link working, add authCommunicationChannel interface to handle verification functions

* add ability to link webauthn credentials to accounts

* only set username if empty

* Change messages handling for verification

* remove commented blocks

* cleanup

* return verified auth types when cannot find account with username but not identifier

* bug fixes

* fix phone auth type docs

* make sure usernames are lowercase, do not fail if phone verifier fails to init

* start refactoring account auth types into account auth types and account identifiers, do not store identifiers in credentials (contains errors)

* more progress, identifier type and auth type simplifications

* read email verification settings from config, refactor verify credential APIs to verify identifier

* build error fixes, add account identifier storage operations

* start preparing for multiple credentials of same type (e.g., passkeys)

* some progress implementing passkey with identifier flow

* rewrite passkey flows

* build error cleanup, start moving account external IDs into identifiers, refactor shared profile stuff

* start fixing shared profiles

* comment shared profile functionality

* update API docs for linking auth types and identifiers, more error fixes

* more API doc tweaks, more error fixes, remove all uses of claims.UID

* more link and unlink request body tweaks

* do not store account auth type ID in login session, instead use identifier to get account

* start working on link account auth type implementation updates

* more link auth type updates

* finish implementing link identifier, some code auth type bug fixes

* match LinkAccountIdentifier interface definition

* fix remaining build errors, begin implementing DB migration

* add support for login using external identifiers, update more request body definitions

* identifiers bug fixes, fix build errors

* update db indexes

* start implementing db migration

* do not allow generic oidc auth type code - no specified identity provider

* implement app org and auth type migrations

* credentials migration working, use json convert utils func

* login session migration done

* accounts migration done, a few bug fixes related to external IDs

* move migration functions into separate file

* more bug fixes, accountAuthTypesToDef not working

* email and phone login fixes, finish implementing identifier-less login

* bug fixes

* linking, unlinking bug fixes

* more linking, unlinking bug fixes and identifier verification email bug fixes

* username login, webauthn backwards compatible login bug fixes

* fix identifier-less webauthn login, update canLink

* fix passkey sign up

* return account on webauthn signup

* make OIDC ID tokens optional

* add sign-in-options API, update login API to accept account identifier ID

* finish implementing sign in options and login with identifier ID

* mask email and phone identifiers for sign in options, add regexp to validate emails

* clean up linking, unlinking

* fix unlink examples, sign in options fix, handle nil identifier when linking

* upgrade dependencies, set username in token claims

* use error statuses for auth type and identifier linking

* allow webauthn credentials to be created after account already exists

* update changelog

* updates and fixes for conde_oidc, started refactoring email and phone from profile, username from account into identifiers

* fix build errors

* start handling external email identifiers

* implement profile email and phone and account username migrations

* set sensitive flags for email and phone migrations

* finish implementing identifier sensitive field, return profile email, phone and username for BC

* disallow updating account username to empty string

* add sensitive field to account identifier api model

* bug fixes

* mark email as external if it matches external email field

* usernames verified by default, identifiers used to sign up with webauthn unverified by default

* auth type unlink bug fixes

* simplify link auth type transaction, add app type identifier to webauthn aat params

* fix link docs example

* return identifiers on auth type link and unlink

* improve external identifier migration, add IsEmailVerified flag

* do not change email sensitivity on update external identifiers

* remove API docs comment

* fix go mod

* fix webauthn beginLogin with identifier (missing user.Name)

---------

Co-authored-by: Stephen Hurwit <[email protected]>
Co-authored-by: Stephen Hurwit <[email protected]>
Co-authored-by: akshadpai <[email protected]>
shurwit added a commit to rokmetro/core-building-block-fork that referenced this issue Oct 14, 2023
* add app-env.json and update port

* Update app-env.json

* Update app-env.json

* update detect-secrets, update secrets baseline

* update secrets baseline

* update makefile versioning

* Update Makefile

Fix typo

* print version

* upgrade go to v1.20

* fix secrets

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* [rokwire#659] WebAuthn authentication (#7)

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* fix error handling

* fix login issues for mobile

* upgrade dependencies

* [rokwire#659] webauthn authentication (#8)

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* fix error handling

* fix login issues for mobile

* upgrade dependencies

* add webauthn to account check types

* add configs for authenticator selection to supported auth type params

* add configs for authenticator selection to supported auth type params (#10)

* start adding verification types (contains errors) [rokwire#665]

* continue splitting auth and verification types [rokwire#665]

* finish implementing password auth type, start code verification type, add phone verifier interface [rokwire#665]

* finish refactoring identifier, auth types, start updating apis [rokwire#665]

* upgrade dependencies

* finish fixing errors [rokwire#665]

* fix passkey errors [rokwire#665]

* bug fixes, email with passkey not working because no params in email auth type

* update identifier impl and auth impl getters to better handle backwards compatibility (has errors)

* bug fixes, email and passkey not completing registration

* add json omitempty tags to credential structs

* better identifier type parsing

* passkeys using email and username identifiers working

* start fixing phone, passkey auth

* bug fixes for phone and passkey, better error messages

* simplify phone verifier interface

* phone auth type link working, add authCommunicationChannel interface to handle verification functions

* add ability to link webauthn credentials to accounts

* only set username if empty

* Change messages handling for verification

* remove commented blocks

* cleanup

* return verified auth types when cannot find account with username but not identifier

* bug fixes

* fix phone auth type docs

* make sure usernames are lowercase, do not fail if phone verifier fails to init

* start refactoring account auth types into account auth types and account identifiers, do not store identifiers in credentials (contains errors)

* more progress, identifier type and auth type simplifications

* read email verification settings from config, refactor verify credential APIs to verify identifier

* build error fixes, add account identifier storage operations

* start preparing for multiple credentials of same type (e.g., passkeys)

* some progress implementing passkey with identifier flow

* rewrite passkey flows

* build error cleanup, start moving account external IDs into identifiers, refactor shared profile stuff

* start fixing shared profiles

* comment shared profile functionality

* update API docs for linking auth types and identifiers, more error fixes

* more API doc tweaks, more error fixes, remove all uses of claims.UID

* more link and unlink request body tweaks

* do not store account auth type ID in login session, instead use identifier to get account

* start working on link account auth type implementation updates

* more link auth type updates

* finish implementing link identifier, some code auth type bug fixes

* match LinkAccountIdentifier interface definition

* fix remaining build errors, begin implementing DB migration

* add support for login using external identifiers, update more request body definitions

* identifiers bug fixes, fix build errors

* update db indexes

* start implementing db migration

* do not allow generic oidc auth type code - no specified identity provider

* implement app org and auth type migrations

* credentials migration working, use json convert utils func

* login session migration done

* accounts migration done, a few bug fixes related to external IDs

* move migration functions into separate file

* more bug fixes, accountAuthTypesToDef not working

* email and phone login fixes, finish implementing identifier-less login

* bug fixes

* linking, unlinking bug fixes

* more linking, unlinking bug fixes and identifier verification email bug fixes

* username login, webauthn backwards compatible login bug fixes

* fix identifier-less webauthn login, update canLink

* fix passkey sign up

* return account on webauthn signup

* make OIDC ID tokens optional

* add sign-in-options API, update login API to accept account identifier ID

* finish implementing sign in options and login with identifier ID

* mask email and phone identifiers for sign in options, add regexp to validate emails

* clean up linking, unlinking

* fix unlink examples, sign in options fix, handle nil identifier when linking

* upgrade dependencies, set username in token claims

* use error statuses for auth type and identifier linking

* allow webauthn credentials to be created after account already exists

* update changelog

* updates and fixes for conde_oidc, started refactoring email and phone from profile, username from account into identifiers

* fix build errors

* start handling external email identifiers

* implement profile email and phone and account username migrations

* set sensitive flags for email and phone migrations

* finish implementing identifier sensitive field, return profile email, phone and username for BC

* disallow updating account username to empty string

* add sensitive field to account identifier api model

* bug fixes

* mark email as external if it matches external email field

* usernames verified by default, identifiers used to sign up with webauthn unverified by default

* auth type unlink bug fixes

* simplify link auth type transaction, add app type identifier to webauthn aat params

* fix link docs example

* return identifiers on auth type link and unlink

* improve external identifier migration, add IsEmailVerified flag

* do not change email sensitivity on update external identifiers

* remove API docs comment

* fix go mod

* fix webauthn beginLogin with identifier (missing user.Name)

* move phone and email validation to utils, validate profile phone and email on account migration

* delete login states once used successfully, fix email and code login

* add context to UpdateCredentialValue storage function

* merged changes from rokwire-674

---------

Co-authored-by: Stephen Hurwit <[email protected]>
Co-authored-by: Stephen Hurwit <[email protected]>
Co-authored-by: akshadpai <[email protected]>
@roberlander2 roberlander2 linked a pull request Mar 7, 2024 that will close this issue