Is there any FIDO certified open source WebAuthn server available yet?


Manish Kumar

Jan 1, 2019, 11:06:40 AM
to FIDO Dev (fido-dev)
I am trying to build one, but there is no well-written documentation from FIDO Alliance for endpoints and responses. Their self-testing tool just throws an error without proper explanation.

Dawid Nowak

Jan 1, 2019, 11:10:33 AM
to Manish Kumar, FIDO Dev (fido-dev)
Hey, 
The code is not certified yet but it passed the majority of/all tests.
Best regards


Alex Seigler

Jan 1, 2019, 2:30:18 PM
to Manish Kumar, Dawid Nowak, FIDO Dev (fido-dev)
Here's another example: https://github.com/abergs/fido2-net-lib.

Also not certified but passes the conformance tests.


 

Kalyan Tirunagari

Nov 9, 2020, 11:09:50 AM
to FIDO Dev (fido-dev), Dawid Nowak, FIDO Dev (fido-dev), Manish Kumar
Hi Dawid,
The link https://github.com/Mastercard/fido2-rp-spring throws a 404 error, is this project taken out or being moved to someplace else?

Regards,
Kalyan

Alex Seigler

Nov 9, 2020, 1:55:41 PM
to Kalyan Tirunagari, FIDO Dev (fido-dev), Dawid Nowak, FIDO Dev (fido-dev), Manish Kumar

As far as I know the only certified open source server is the StrongKey server: https://github.com/StrongKey/fido2

Here’s another list you may find helpful: https://github.com/herrjemand/awesome-webauthn#server-libs

 

-aseigler

 


Kalyan Tirunagari

Nov 9, 2020, 3:13:46 PM
to Dawid Nowak, FIDO Dev (fido-dev), Manish Kumar
Thanks a Lot Dawid!!


On Mon, Nov 9, 2020 at 5:04 PM Dawid Nowak <now...@gmail.com> wrote:
Yeah, we were politely asked to remove it since it hasn't seen much love for a while. It has been forked to https://github.com/dawid-nowak/fido2-rp-spring .
Best regards



--
Regards
Kalyan

Kalyan Tirunagari

Nov 9, 2020, 3:14:03 PM
to Alex Seigler, FIDO Dev (fido-dev), Dawid Nowak, Manish Kumar
Thanks a lot Alex.
--
Regards
Kalyan

Ackermann Yuriy

Nov 9, 2020, 10:40:00 PM
to Kalyan Tirunagari, Alex Seigler, FIDO Dev (fido-dev), Dawid Nowak, Manish Kumar
Here is a small curated list of WebAuthn/FIDO2 resources https://github.com/herrjemand/awesome-webauthn. It has a lot of open source servers https://github.com/herrjemand/awesome-webauthn#server-libs *)
Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand


David Chadwick

Nov 10, 2020, 8:29:56 AM
to fido...@fidoalliance.org
Does anyone know of a client library that works with platform
authenticators for Windows and Macs, rather than with USB or NFC based ones?

Kind regards

David


John Bradley

Nov 11, 2020, 9:22:33 PM
to fido...@fidoalliance.org
On Windows you would use the WebAuthn.dll API from a native app to
access the platform and/or roaming authenticators.

On OSX there is no native API yet. Native applications on OSX and iOS
are expected to invoke an ASWebAuthenticationSession
https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession

That may or may not work for your use case.

Other than that I don't think there is any way to access the platform
authenticators.

Regards

John B.

David Chadwick

Nov 12, 2020, 4:03:26 PM
to fido...@fidoalliance.org
Thanks John

On 11/11/2020 21:22, John Bradley wrote:
> On Windows you would use the WebAuthn.dll API from a native app to
> access the platform and/or roaming authenticators.

That's what we want to do.

> On OSX there is no native API yet. Native applications on OSX and iOS
> are expected to invoke an ASWebAuthenticationSession
> https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
>
> That may or may not work for your use case.
>
> Other than that I don't think there is any way to access the platform
> authenticators.

Hopefully things will change when Macs switch their hardware and can run
iOS apps natively.

Kind regards

David

John Bradley

Nov 12, 2020, 4:10:23 PM
to fido...@fidoalliance.org
Apple doesn't have a direct WebAuthn API on iOS yet either. When they
develop one I would expect it to be available on both platforms.

They currently think ASWebAuthenticationSession is sufficient. 

Someone needs to make an argument why an app needs direct access to the
API to get the work prioritized by them.

John B.

David Chadwick

Nov 12, 2020, 4:18:34 PM
to fido...@fidoalliance.org
Hi John

We are currently using an open source alternative to Apple's iOS library
for our app, and it works nicely.

But of course it would be better to use an API provided by Apple. Any
idea who we should lobby for this, as we are working with the UK NHS, so
there is a big demand for it.

Kind regards

David

Eldan Ben Haim

Nov 15, 2020, 7:42:29 AM
to David Chadwick, fido...@fidoalliance.org
I think when lobbying for this, the argument should also be towards sharing FIDO2 credentials between the app and the browser, which a 3rd party library currently cannot provide.
Some arguments against the use of ASWebAuthenticationSession being sufficient include:

1. A cumbersome API to do auth from the native app.
2. When ASWebAuthenticationSession is invoked a privacy alert is presented to the user (AFAIK, there's no way to, e.g., link the application to a domain to avoid this).
3. The way FIDO2 Local Authentication (biometrics) is implemented in Safari, it requires a user gesture to be invoked (didn't check if that's the case for the authentication session but I think it's a fair assumption that's the case). So -- the user experience to offer FIDO2 authentication through ASWebAuthenticationSession is -- app starts, app invokes ASWebAuthenticationSession (assuming no "login" button needs to be tapped first), user needs to tap on "Approve" for the privacy message, then user needs to do some user gesture on the web page (another tap), and then go through the Touch ID alerts on mobile Safari... Not an Apple-ish UX.

Note that from what I can tell from a glance over the WebKit source code, however, offering an API that will share FIDO2 credentials between Safari and native apps will require a significant change to the current implementation.

I have no direct contact to anyone from Apple, but if anyone in this list does - and wants to bring the above to their attention -- by all means, do.


