WebAuthn: Add userId property to Authenticator and WebAuthnCredentials #581

mnylen opened this issue Jul 28, 2022

Describe the feature

Depends on fixing #580 first.

1. Add userId property to relevant classes

  • Add userId property to both Authenticator and WebAuthnCredentials.
  • After successful WebAuthn authentication or credential registration, the userId property from Authenticator should be included in the principal of returned User.

2. Populating the user id

After the property is added to the relevant classes, the Authenticator instances passed to authenticatorFetcher and authenticatorUpdater should include the userId property (once #580 is fixed):

  • When fetching authenticators with a query:
    • In WebAuthn#createCredentialOptions(): copy the value from the user object passed in as parameter.
    • In WebAuthn#authenticate(): use the user id defined in WebAuthnCredentials passed in as parameter.
  • When inserting or updating authenticators:
    • In WebAuthn#authenticate() for webauthn.get: use the user id defined in WebAuthnCredentials
    • In WebAuthn#authenticate() for webauthn.create: use the user id from the authenticator found by credential id lookup

3. Extra check in authentication

Additionally, the verification process should ensure that the userHandle returned in the AuthenticationAssertionResponse matches the userId property on the Authenticator found with credential id lookup.

The spec:

If the user was not identified before the authentication ceremony was initiated,
verify that response.userHandle is present, and that the user identified by this value is the owner of credentialSource.

Use cases

This would allow the Relying Party to index authenticators in persistent storage based on a stable user ID (read: a primary key for the user table). User names (emails, nicknames, etc.) often change during a user's lifecycle, but IDs don't.

Currently it's not possible to do this without doing an extra lookup to find user ID based on username (as authenticatorUpdater).

Contribution

Already have a PR in the works at https://github.com/mnylen/vertx-auth/pull/1/files
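The extra check from step 3, as an added standalone example (not code from the issue or from vertx-auth): a credential is looked up by id alone, and the assertion is only accepted if the base64url userHandle the authenticator echoes back decodes to the bytes of the stored userId. The Authenticator and AssertionResponse classes below are minimal hypothetical stand-ins, not the library's types, and the example assumes the Relying Party set user.id at registration to the UTF-8 bytes of its userId.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.List;
import java.util.Optional;

// Hypothetical stand-ins for the types discussed in the issue; not the vertx-auth classes.
final class Authenticator {
    final String credID;    // credential id, base64url
    final String userName;
    final String userId;    // stable primary key of the user (the property this issue proposes)

    Authenticator(String credID, String userName, String userId) {
        this.credID = credID;
        this.userName = userName;
        this.userId = userId;
    }
}

final class AssertionResponse {
    final String credID;     // rawId from navigator.credentials.get(), base64url
    final String userHandle; // response.userHandle, base64url; null when the authenticator sent none

    AssertionResponse(String credID, String userHandle) {
        this.credID = credID;
        this.userHandle = userHandle;
    }
}

public final class UserHandleCheck {

    // Stand-in for authenticatorFetcher: look the credential up by id only, with no username
    // known up front (the "user was not identified before the ceremony" case in the spec).
    static Optional<Authenticator> fetchByCredentialId(List<Authenticator> store, String credID) {
        return store.stream().filter(a -> a.credID.equals(credID)).findFirst();
    }

    // Assumption: at registration the RP set user.id to the UTF-8 bytes of its userId, so the
    // userHandle the authenticator returns must decode to exactly those bytes.
    static boolean userHandleMatches(Authenticator authenticator, String userHandle) {
        if (userHandle == null || userHandle.isEmpty()) {
            return false; // user not identified before the ceremony: userHandle is mandatory
        }
        final byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(userHandle);
        } catch (IllegalArgumentException malformed) {
            return false; // not valid base64url, treat as no handle
        }
        byte[] expected = authenticator.userId.getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison of the full byte arrays (differing lengths are rejected).
        return MessageDigest.isEqual(presented, expected);
    }

    // Returns the authenticator to continue signature verification with, or empty to reject.
    static Optional<Authenticator> resolveOwner(List<Authenticator> store, AssertionResponse response) {
        return fetchByCredentialId(store, response.credID)
            .filter(a -> userHandleMatches(a, response.userHandle));
    }

    public static void main(String[] args) {
        String aliceHandle = Base64.getUrlEncoder().withoutPadding()
            .encodeToString("user-1001".getBytes(StandardCharsets.UTF_8));
        // Constructed sample store: one credential per user.
        List<Authenticator> store = List.of(
            new Authenticator("cred-A", "alice@example.com", "user-1001"),
            new Authenticator("cred-B", "bob@example.com", "user-1002"));

        // Credential A presented with alice's handle: accepted.
        System.out.println(resolveOwner(store, new AssertionResponse("cred-A", aliceHandle)).isPresent());
        // Credential B presented with alice's handle: that user does not own credential B, rejected.
        System.out.println(resolveOwner(store, new AssertionResponse("cred-B", aliceHandle)).isPresent());
        // No handle at all: rejected, because no username identified the user beforehand.
        System.out.println(resolveOwner(store, new AssertionResponse("cred-A", null)).isPresent());
    }
}
```

The comparison is done on the stored userId rather than the username so that renaming a user (the use case above) does not change the value the check relies on; the signature verification against the stored public key still has to follow once the owner is resolved.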
