
Add WebAuthn sign in and sign up flows #881

Merged
merged 4 commits into from Mar 6, 2024

Conversation

scotttrinh
Collaborator

There are a few parts here due to how WebAuthn works:

  • The "relying party" is the application itself, including both the web application server and the client.
  • The "client" is the user's browser.
  • An "authenticator" is a piece of software and/or hardware that is capable of generating and storing compatible credentials.

WebAuthn requires scripts that run on both the relying party server and client and that communicate back and forth with each other. The RP client gets an email to identify the user, and then sends that to the RP server, which responds with an "options" object. The RP client then triggers the authenticator "ceremony" (registration or authentication) it's trying to do, and sends that back to the RP server.

The RP server functionality is broken up into four methods on the Auth class:

  • getWebAuthnSignupOptionsUrl(email: string): string: returns the URL to the EdgeDB server for getting the signup options. Applications use this to redirect the client to the correct URL on the EdgeDB server to get the registration/signup options.
  • async signupWithWebAuthn( email: string, credentials: RegistrationResponseJSON, verifyUrl: string, userHandle: string ): Promise<SignupResponse>: Sends the credentials that the authenticator generated to the EdgeDB server to create the appropriate LocalIdentity and WebAuthnFactor.
  • getWebAuthnSigninOptionsUrl(email: string): returns the URL to the EdgeDB server for getting the signin options. Applications use this to redirect the client to the correct URL on the EdgeDB server to get the authentication/signin options.
  • async signinWithWebAuthn( email: string, assertion: AuthenticationResponseJSON ): Promise<TokenData>: Sends the assertion that the authenticator generated to the EdgeDB server for validation. When successful, returns the TokenData.

On the RP client, we have the @edgedb/auth-core/webauthn script which is used to fetch the options and trigger the signin or signup ceremonies. These functions would be used in client code to be triggered by button clicks or form submission. You'd call these functions with the email from a form, and then if successful redirect the user to the appropriate place or show an error.
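The client half of the flow sketched above (fetch the options, run the authenticator ceremony, hand the result back to the server), as an added example that is not part of this PR or of @edgedb/auth-core. It assumes a plain fetch() of the options URL, the browser's navigator.credentials API, and that the userHandle forwarded to signupWithWebAuthn() is the user.id field of the server's options; the sample inputs in the test are constructed.

```javascript
// WebAuthn JSON carries binary fields (challenge, user.id, rawId,
// clientDataJSON, attestationObject) as unpadded base64url.
function base64urlToBuffer(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0)).buffer;
}
function bufferToBase64url(buf) {
  const bin = String.fromCharCode(...new Uint8Array(buf));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Registration options JSON -> the `publicKey` argument of
// navigator.credentials.create(). Only the binary fields need decoding.
function parseCreationOptions(json) {
  return {
    ...json,
    challenge: base64urlToBuffer(json.challenge),
    user: { ...json.user, id: base64urlToBuffer(json.user.id) },
    excludeCredentials: (json.excludeCredentials ?? []).map((c) => ({ ...c, id: base64urlToBuffer(c.id) })),
  };
}

// PublicKeyCredential from the authenticator -> RegistrationResponseJSON,
// the shape signupWithWebAuthn() takes so the server can verify it.
function credentialToRegistrationJSON(cred) {
  return {
    id: cred.id,
    rawId: bufferToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bufferToBase64url(cred.response.clientDataJSON),
      attestationObject: bufferToBase64url(cred.response.attestationObject),
    },
    clientExtensionResults: cred.getClientExtensionResults(),
  };
}

// The signup ceremony end to end. `credentials` defaults to the browser API
// and is a parameter only so the flow can be driven by a fake authenticator.
async function runSignupCeremony(optionsUrl, credentials = navigator.credentials) {
  const options = await (await fetch(optionsUrl)).json();
  const cred = await credentials.create({ publicKey: parseCreationOptions(options) });
  // Assumption: the userHandle given to signupWithWebAuthn() is the options' user.id.
  return { credentials: credentialToRegistrationJSON(cred), userHandle: options.user.id };
}
```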

@scotttrinh scotttrinh requested a review from jaclarke March 1, 2024 16:52
@scotttrinh scotttrinh merged commit ce834ee into master Mar 6, 2024
8 checks passed
@scotttrinh scotttrinh deleted the 877-webauthn branch March 6, 2024 15:07