Add support for optional authenticator_attachment in PublicKeyCredential #370
UPDATE Never mind me! I forgot that the Older Post Hi! Can we also add this to Because, I noticed that Safari on macOS behaves differently than Safari on iOS, depending on what you specify in If you use Authenticator type: Unspecified, no But if you choose Authenticator type: Platform, then Safari on iOS will provide Maybe we should have a separate PR for the creation options? PS: I didn't know about
Hey @ssym0614! Thank you so much for opening this!
I'm not able to get the authenticator_attachment parameter using the demo app on my Mac with both Chrome and Safari – are you still able to get it? Code looks good though!
It feels to me that it could be a good idea to add this argument to the initialization of PublicKeyCredential in both spec/webauthn/public_key_credential_with_attestation_spec.rb and spec/webauthn/public_key_credential_with_assertion_spec.rb – more as documentation than anything, really.
Let me check. (sorry for the late reply)
added 👍 I also found this thing called
@santiagorodriguez96 sorry for the late response.
I just played around with the demo rails server, and it seems like the problem is as follows:
- the js file for calling credentials.get uses https://github.com/ericelliott/credential , which was updated almost 2 years ago
- the library above is doing something which is causing get() to NOT return the new field authenticatorAttachment

So basically, it's not the rails gem's problem, but the frontend code's problem. I confirmed that switching the frontend implementation from using https://github.com/ericelliott/credential to https://github.com/github/webauthn-json successfully returns authenticatorAttachment to your backend demo code.

Here's what I got for the backend after the modification:

webauthn_credential = WebAuthn::Credential.from_get(params)
Rails.logger.info(webauthn_credential)

produces

{"type"=>"public-key", "id"=>"TecfTRasmz5e6BkT6T8Yz4cZYDUW_NLXInHrjMojI3A", "rawId"=>"TecfTRasmz5e6BkT6T8Yz4cZYDUW_NLXInHrjMojI3A", "authenticatorAttachment"=>"platform", "response"=>{ ...
@8ma10s Good call! The problem actually was that we are using a really old version of WebAuthn-JSON (v.0.4.5). I can confirm that after upgrading the package to the last version (v2.1.1) the authenticatorAttachment parameter is received in the server.
I'll update the package on the demo to use the last version. Thank you for bringing that up!
Really sorry for the delayed response.
Code looks good! Thank you so much! 💯 🤩
Why
https://w3c.github.io/webauthn/#iface-pkcredential
Level 3 draft of WebAuthn adds an optional parameter authenticatorAttachment on PublicKeyCredential (and AuthenticatorAttestationResponse and AuthenticatorAssertionResponse which inherits it, of course).
This field allows RP developers to detect whether the authentication was done using platform authenticator that always exists on that particular device, or cross-platform authenticator that only exists on that device temporarily.
In the latter case of using cross-platform authenticator, RP can prompt the user to register a platform authenticator so that the user won't lose the ability to sign in on that device.
Since some vendors (I confirmed with Mac chrome) are already passing this optional parameter authenticatorAttachment, I want this gem to be able to support reading values from that field.
What
Allow initializing PublicKeyCredential class with an optional argument authenticator_attachment
Misc
I obtained the authenticator response returned from the client on sign-in (using dev-console), and ran WebAuthn::Credential.from_get on that response.
As you can see, I can now obtain the value of authenticator_attachment
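
One way a relying party could consume the field described in this PR, as an added example that is not code from the PR or from webauthn-ruby. The helper names and sample payloads are hypothetical; because authenticatorAttachment is set by the client and is not covered by the authenticator's signature, the sketch treats it as a UX hint only and tolerates clients that omit it (as the older frontend library in this thread did).

```ruby
require "json"

# The two AuthenticatorAttachment values defined by the WebAuthn spec.
KNOWN_ATTACHMENTS = %w[platform cross-platform].freeze

# Hypothetical helper (not part of webauthn-ruby). Returns :platform,
# :cross_platform, or nil when the field is absent, malformed or unknown.
def authenticator_attachment_hint(credential_json)
  credential = JSON.parse(credential_json)
  return nil unless credential.is_a?(Hash)

  value = credential["authenticatorAttachment"]
  return nil unless value.is_a?(String) && KNOWN_ATTACHMENTS.include?(value)

  value.tr("-", "_").to_sym
rescue JSON::ParserError
  nil
end

# Hypothetical policy, to run only after the assertion itself has been
# verified. The hint never influences whether the login is accepted.
def post_login_action(credential_json)
  case authenticator_attachment_hint(credential_json)
  when :cross_platform then :offer_platform_registration
  else :none
  end
end

# Constructed sample payloads (ids and responses are placeholders).
base = { "type" => "public-key", "id" => "constructed-id",
         "rawId" => "constructed-id", "response" => {} }
SAMPLE_PLATFORM = JSON.generate(base.merge("authenticatorAttachment" => "platform"))
SAMPLE_ROAMING  = JSON.generate(base.merge("authenticatorAttachment" => "cross-platform"))
SAMPLE_MISSING  = JSON.generate(base) # e.g. an older client library that drops the field

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_PLATFORM, SAMPLE_ROAMING, SAMPLE_MISSING].each do |payload|
    puts "#{authenticator_attachment_hint(payload).inspect} -> #{post_login_action(payload)}"
  end
end
```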