Demonstration of writing data to a FIDO2 authenticator using WebAuthn and the CTAP 2.1 largeBlob extension. 🖥️
All-Your-Locks-Are-Belong-To-Us/webauthn-updater
This project provides a demonstration of writing data to a FIDO authenticator using WebAuthn and the CTAP 2.1 largeBlob extension. The data is loaded from a Keycloak instance via OIDC.
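The browser side of what this project does, as an added example that is not code from the webauthn-updater project: the request and result shapes of the WebAuthn largeBlob extension (the CTAP 2.1 largeBlobs feature), written as pure functions so that everything except the `navigator.credentials.get()` call itself can be exercised outside a browser. The helper names, the `rpId` and the sample payload are this example's own choices; the extension field names (`support`, `write`, `read`, `written`, `blob`) are the ones the WebAuthn largeBlob extension defines.

```javascript
// Added example, not part of the webauthn-updater project. Helper names and
// sample values are this example's own; extension field names follow the
// WebAuthn largeBlob extension (backed by CTAP 2.1 largeBlobs).

// Extension input for navigator.credentials.create(): ask the authenticator to
// allocate a largeBlob slot for the new credential. "required" fails the
// ceremony on authenticators without largeBlob support instead of silently
// producing a credential the app can never write to later.
function largeBlobCreateExtension(required) {
  return { largeBlob: { support: required ? "required" : "preferred" } };
}

// Options for navigator.credentials.get() that write `payload` into the blob
// of one specific credential. The extension requires exactly one entry in
// allowCredentials for a write, and read and write may not be combined.
function buildLargeBlobWriteRequest({ rpId, challenge, credentialId, payload }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error("challenge must be >= 16 server-generated random bytes");
  }
  if (!(credentialId instanceof Uint8Array) || credentialId.length === 0) {
    throw new Error("a largeBlob write needs exactly one credential id");
  }
  if (!(payload instanceof Uint8Array) || payload.length === 0) {
    throw new Error("payload must be a non-empty Uint8Array");
  }
  return {
    publicKey: {
      rpId,
      challenge,
      allowCredentials: [{ type: "public-key", id: credentialId }],
      // A write changes state on the token, so insist on user verification
      // rather than leaving it at the default "preferred".
      userVerification: "required",
      extensions: { largeBlob: { write: payload } },
    },
  };
}

// Options for reading the blob back; any of the RP's credentials may be offered.
function buildLargeBlobReadRequest({ rpId, challenge, credentialIds }) {
  return {
    publicKey: {
      rpId,
      challenge,
      allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
      extensions: { largeBlob: { read: true } },
    },
  };
}

// Interpret credential.getClientExtensionResults() after get(). An absent
// largeBlob entry means the client or authenticator ignored the extension,
// which the caller must treat as "not written", never as success.
function interpretLargeBlobResult(extResults) {
  const lb = extResults && extResults.largeBlob;
  if (!lb) return { processed: false, written: false, blob: null };
  return {
    processed: true,
    written: lb.written === true,
    blob: lb.blob ? new Uint8Array(lb.blob) : null,
  };
}

// Browser-only driver: runs the write ceremony and reports the outcome.
async function writeBlobInBrowser(params) {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    throw new Error("writeBlobInBrowser must run inside a browser page");
  }
  const cred = await navigator.credentials.get(buildLargeBlobWriteRequest(params));
  return interpretLargeBlobResult(cred.getClientExtensionResults());
}
```

The `processed` flag matters in practice: a browser that does not implement the extension returns an assertion with no `largeBlob` key at all, so checking only `written === true` would be correct but checking "no error was thrown" would not.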
This project assumes Python 3.9. Make sure to have Pip and Pipenv installed.
The dependencies of the app can be installed using `pipenv install`. (Note: the `py_webauthn` package needed to be extended to support the largeBlob and credProtect extensions. Therefore, the package is installed from the `py_webauthn` submodule pointing to our own extension of the project. Also, at the time of writing, there is a small bug breaking the `python-keycloak` package for our use case, so we use our own fixed version of that one as well.)
For the app to work properly, some environment variables need to be set:
Name | Default value | Local value | Deployment Value |
---|---|---|---|
WAU_HOST_URL | unset | http://localhost:5000 | https://wau.felixgohla.de |
WAU_SERVER_PORT | 8002 | 5000 | not required |
WAU_KEYCLOAK_HOST_NAME | unset | kc.felixgohla.de | kc.felixgohla.de |
WAU_KEYCLOAK_CLIENT_ID | unset | webauthn-updater | deployed-webauthn-updater |
WAU_KEYCLOAK_CLIENT_SECRET | unset | retrieve from Keycloak | retrieve from Keycloak |
WAU_SIGNING_KEY_PATH | unset | not required | path to PEM file of the ECDSA signing key |
Generate the OIDC config file from the environment variables by running `envsubst < client_secrets.tmpl.json > client_secrets.json`.
Generate the signing key by running `openssl ecparam -name prime192v1 -genkey -out sk.pem`.
You can export the verifying key for the locks by running `openssl ec -in sk.pem -pubout -out vk.pem`.
Start the app via `pipenv run python app.py`.
Alternatively, if you want to run the app as a system service, first copy `webauthn-updater.service` to the `/etc/systemd/system` directory.
Enable the service by running `systemctl enable webauthn-updater.service`.
As the app requires environment variables to be set, run `systemctl edit webauthn-updater.service` and enter the following in the resulting editor:

```ini
[Service]
Environment="WAU_HOST_URL=<your url value here>"
Environment="WAU_KEYCLOAK_HOST_NAME=<your hostname here>"
Environment="WAU_KEYCLOAK_CLIENT_ID=<your client id here>"
Environment="WAU_KEYCLOAK_CLIENT_SECRET=<your secret here>"
Environment="WAU_SIGNING_KEY_PATH=<your absolute path here>"
```

Finally, start the service with `systemctl start webauthn-updater.service`.
The WebAuthn JavaScript serialization helper is taken from our minuscule extension of the @github/webauthn-json project. The license of that project can be found here.
Additionally, this project makes some small adjustments to the py-webauthn and python-keycloak projects. Please find the licenses of those projects in their respective repositories.