WebAuthn questions #2559

Open
FroMage opened this issue Jan 23, 2024 · 2 comments


FroMage commented Jan 23, 2024

No username on login

Well, I'm not sure if this is a bug or not, but I've a question related to b6c97e2 which allows not having a username for login requests, which I think is only valid if requireResidentKey is true. This appears to be for PassKeys support. On registration, a username is still required, so it's probably still saved somewhere in the DB.

But if we authenticate using no username, this appears to rely on credID to find the credentials, and then Vert.x produces a User and I wonder how it saves this user into the session, if not by username? I don't see anywhere in the code where we extract the username back from the credentials to put it into the User, or the session. Or, perhaps, Vert.x doesn't store the username in the session, but the entire User object?

Also, does this mean that in order to support PassKeys, we must set that option?

Missing authenticator option

On my Linux laptop, using Google Chrome, when I hit a register endpoint, it asks me if I want to authenticate using my security key (yubikey) or my Android phone. When I use yubikey, the rest works. But when I use my Android Phone, I can register, but when I logout and try to login again, my browser only proposes the security key, and not the Android phone anymore.

I suspect that is info that is stored in the credentials, perhaps, that is missing from the login challenge that would otherwise enable the proper authentication method?

Where should I start looking?

Upon login, 500 on missing user

If I try to get a login challenge with a username that has no credentials, Vert.x will return a 500 status (https://github.com/vert-x3/vertx-web/blob/master/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/WebAuthnHandlerImpl.java#L253), is it by design, or should it be a 4xx status?

@FroMage FroMage added the bug label Jan 23, 2024

FroMage commented Jan 26, 2024

Missing authenticator option

I believe this one is due to the vert.x webauthn transports not supporting the hybrid transport. I see another one is missing: smart-card.

Why this passes registration, I'm not sure, but it means I can't log back in because this transport is not enabled.
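A minimal relying-party model of the points raised in the issue and the follow-up above (resolving the user from the credential ID when no username is sent, echoing stored transports such as "hybrid" and "smart-card" into allowCredentials, and treating an unknown username as a client error rather than a 500), written here as an added example; it is not vertx-auth code, and the store, Credential class and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Transport names from the WebAuthn AuthenticatorTransport enum (Level 3).
KNOWN_TRANSPORTS = {"usb", "nfc", "ble", "smart-card", "hybrid", "internal"}

@dataclass
class Credential:
    cred_id: str       # base64url credential ID, lookup key for username-less login
    username: str      # owner, recorded at registration
    transports: list   # transport hints reported by the authenticator at registration
    counter: int = 0   # last seen signature counter

class UnknownUser(Exception):
    """No credential matches; the HTTP layer should map this to a 4xx, not a 500."""

def register(store, username, cred_id, transports):
    """Store a new credential; reject transports the relying party does not know."""
    unknown = set(transports) - KNOWN_TRANSPORTS
    if unknown:
        raise ValueError(f"unsupported transport(s): {sorted(unknown)}")
    store[cred_id] = Credential(cred_id, username, list(transports))

def login_challenge(store, username=None):
    """Build the allowCredentials part of the login options."""
    if username is None:
        # Discoverable (resident) credential flow: the authenticator picks the
        # key, so allowCredentials stays empty and no username is required.
        return {"allowCredentials": []}
    creds = [c for c in store.values() if c.username == username]
    if not creds:
        raise UnknownUser(username)
    # Echo the stored transports so the browser offers the same authenticator
    # (e.g. a phone over "hybrid") that was used at registration.
    return {"allowCredentials": [
        {"type": "public-key", "id": c.cred_id, "transports": c.transports}
        for c in creds]}

def authenticate(store, cred_id, sign_count):
    """Resolve the asserted credential ID back to its user for the session."""
    cred = store.get(cred_id)
    if cred is None:
        raise UnknownUser(cred_id)
    # WebAuthn counter check: skip only when both counters are zero.
    if (sign_count or cred.counter) and sign_count <= cred.counter:
        raise ValueError("signature counter did not increase: possible cloned key")
    cred.counter = sign_count
    return cred.username
```

Signature verification over the challenge is omitted; the point shown is only the lookup and error mapping around it.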


FroMage commented Jan 29, 2024

Related to eclipse-vertx/vertx-auth#670
