Web Authn Extension #9316
Comments
sberyozkin
added
good first issue
|
Note: there is no plan to integrate it into |
|
sir how can i fix the issue? |
|
@sberyozkin What is the scope? 2nd-Factor, passwordless, support for biometric authentication / username-less (resident-keys /client-side discoverable credentials)? My goal is to support all of them. |
|
@sberyozkin @pmlopes I had a look at https://github.com/vert-x3/vertx-auth/tree/master/vertx-auth-webauthn it is based on Vertx 4.0.0 while Quarkus is using Vertx 3.9.5. I don't know if it makes sense to backport Vertx WebAuthn to Verx 3.9.5 or if it is possible to upgrade Quarkus to Vertx 4.0.0. WebAuthn webAuthN = WebAuthn.create(
class file for io.vertx.ext.auth.authentication.AuthenticationProvider not foundElse an alternative would be https://github.com/webauthn4j/webauthn4j which is also used by Keycloak. However that is not a reactive implementation. |
|
FYI Vert.x 4 has webauthn support. |
|
@renegrob Hi, yes the priority is for it to be reactive - can you please investigate the idea of having a Vert.x 4.x based WebAuthn extension in Quarkus 2.0.x ? It would be a very valuable addition to Quarkus Sec. |
I guess we need to start from the most mainstream case which can be used as a recommended alternative to BasicAuth/FormAuth for cases where OpenId Connect providers such as Keycloak can not be used (if they can be used then they'll take care of
|
|
@sberyozkin I'm trying to create a vertx howto on webauthn the next week. The most common use case is authentication of interactive applications. It is not intended to be used on APIs (machine to machine) so it shall replace Form login screens, and it can replace OAuth2/OIDC if the only use of the IdP is to authenticate, not to perform any kind of RBAC as webauthn is not designed for such use cases. |
|
Yes unless for https://fidoalliance.org/specifications/download-iot-specifications/ you need user presence / verification to login. It can't be used on a request base like BasicAuth or OAuth2. But it could for instance be used to issue a JWT token.
Also FIDO is often still used as 2nd factor and not (yet) passwordless. Passwordless authentication requires user verification if you want to end up with a strong authentication. User verification is only supported with on newer generations of tokens and by a few browsers. Not being passworldless means having a first factor authentication e.g. BasicAuth / FormAuth. |
|
@renegrob Agreed it should be the building blocks only for now. I'll reread the texts for me to contribute better to this discussion, thanks |
|
@renegrob the vert.x module already covers the 4 items:
By webauthn I'm referring to FIDO2 spec, not the U2F. The FIDO2 spec allows you to perform strong authentication. The reason why most services use it as 2nd factor is because by design you can't really "recover" a lost token, if you lose the token, there is no way to recover the private keys. If that was possible it would defeat the whole security model of the token. Nothing really forbids you to work the reverse way, FIDO2 first and fallback to "magic links": https://www.okta.com/blog/2020/09/magic-links/ which are also not that hard to implement. |
|
FYI: https://how-to.vertx.io/fido2-webauthn-howto/ the basic how-to is here |
|
I currently don't have enough spare time to start this. |
|
@renegrob Sure, np at all, I'll still have to catch up. I'm sure we'll have another good discussion and some progress soon enough. |
|
+1 ! |
|
I'm working on this one ATM, I already have it working in Renarde, but would like an extension. |
|
I have a ton of questions related to this extension, actually. Because I'm trying to make it fit in the Quarkus Security model, which decouples those two aspects:
The Vert.x extension does both. I could decouple it, but fact of the matter is that JPA can only authenticate username/password credentials, not WebAuthn ones. Or I'd have to extend that extension. The bigger question is how we remember that the user is logged in, because:
Any opinion @sberyozkin @stuartwdouglas ? I've also noticed a disconnect between what I am trying to do in Renarde, which is that I handle my own login and registration endpoints, and there's no API in Quarkus Security that lets me tell the system that I've created a user, or logged one in, and that I don't care how that user is remembered, because I'd like it to be Quarkus' job: session cookie or JWT, whatever. |
|
We can move the JWT can also work here, the In terms of how you map the request to the SecurityIdentity that is really up to the user, they can use a SecurityIdentityAugmentor to create whatever SecurityIdentity they require based on the provided information. |
Well, I don't think there's any other way to keep people logged in a website. Not for REST, but for a website. OIDC relies on cookies, so does JWT. I can't imagine any other way to do it, frankly. JPA does indeed handle I'm not sure what you're trying to tell me with This is something I need to do when I create the user account, and after login. Because I can't use the Quarkus login endpoints due to interactive validation. |
|
I think the issue is that Quarkus does not have a concept of a 2nd-factor/step-up authentication. Unless you use the passwordless option, you need first to authenticate with a first factor and that should - at least in my point of view - be any factor that the user configured. The first factor login should be handled independently whether its BasicAuth, JWT or OAuth2. |
It is for backend to backend service authentication, but it isn't for browser to backend authentication. The times when the browser directly authenticated against the backend are over (except for some internal tools). Usually the browser accesses the services through a gateway which uses cookies to track the session and delegates the authentication and authorization to a service (such as KeyCloack). That's were also WebAuthN comes into play. WebAuthN always needs to communicate with the browser - at least indirectly, that's why there has to be a concept of a session. Often the gateway offers a way to use cookies that are not returned to the end user but held by the gateway. However, different systems have slightly different concepts. Therefore it would be good to not depend on a single way of associating a session but e.g. use a |
TrustedAuthenticationRequest just has a principal, after the initial authentication the password does not come into it.
I am not 100% sure what you are asking for here, it sounds like you want to be able to use io.quarkus.vertx.http.runtime.security.PersistentLoginManager outside of form based auth? |
Yes, and that's what I've done, actually. But with a separate key, config and cookie name. Not sure if we should keep them separate or regroup under a non-form config. |
Describe the extension
Have been planning to open the issue for a while:
https://en.wikipedia.org/wiki/WebAuthn
I've noticed recently Vertx Auth ships the extension (cc @pmlopes) so we can have an extension which builds on top of it. And then may be recommend it as the main option when no SSO is involved
Interested in this extension, please +1 via the emoji/reaction feature of GitHub (top right).
CC @stuartwdouglas @pedroigor
The text was updated successfully, but these errors were encountered: