pip install git+https://github.com/Qup42/django-aletheia#egg=django-aletheia
Add aletheia
to installed apps:
INSTALLED_APPS = [
# other apps
'aletheia',
]
Configure the WebAuthN Relying Party
WEBAUTHN_RELYING_PARTY_ID = "localhost"
WEBAUTHN_RELYING_PARTY_NAME = "Test Instance"
WEBAUTHN_EXPECTED_ORIGIN = "http://localhost:8000"
urlpatterns = [
path(r'admin/', admin.site.urls),
path(r'accounts/', include('allauth.urls')),
path(r'aletheia/', include('aletheia.urls')),
path(r'', include('janus.urls')),
]
Migrate your database with ./manage.py migrate
Most of the handling as to be done is JS. This module only provides the necessary endpoints and a somewhat general example implementation.
- Django Authenticated Users can retrieve the Config for
navigator.credentials.create
ataletheia:register_config
.
Note: the fieldsuser.id
andchallenge
in the returned json are base64 encoded. - A Key is registered with
navigator.credentials.create
using JavaScript. The resulting Credential (PublicKeyCredential) instance must be sent toaletheia:register
as JSON.
Note:ArrayBuffer
fields such asrawId
,response.attestationObject
andresponse.clientDataJSON
must be base64 encoded for sending
The used key is now registered with the logged in user.
- Unauthenticated Users can retrieve the Config for
navigator.credentials.get
ataletheia:login_config
.
Note: the fieldschallenge
andallowCredentials[i].id
in the returned json are base64 encoded. - User
navigator.credentials.get
. The resulting Credential (PublicKeyCredential) instance must be sent toaletheia:login
as JSON.
Note:ArrayBuffer
fields such asrawId
,response.attestationObject
,response.clientDataJSON
,response.signature
andresponse.userHandle
must be base64 encoded for sending
The user is now logged in. Django Messages are set for errors/failures that happen in the login process on the django side.
WebAuthNLoginForm
is a form that only contains the fields require for WebAuthN Login: Username and a Rember Me field.
aletheia:login
renders the template webauthn/login.html
with the WebAuthNLoginForm
on get.
The template webauthn/scripts.html
can be included into templates. It provides two asynchronous functions. The do all the steps required for login/registration that are described above and can be provided with a functions that receives the status ("start", "success", "fail") and an optional message. They are register(register_status_callback = (status, msg) => {})
and login_webauthn(username, login_status_callback = (status, msg) => {})
.
Firefox on Linux and MacOS doesn't support the APIs needed for client-side discoverable keys. See Bug 1530370 and Bug 1294514.