Passkey


klaus z

Aug 4, 2023, 11:43:06 AM
to py4web
An interesting issue came up:

Du brauchst nie wieder Passwörter | So funktionieren Passkeys (You will never need passwords again | How passkeys work)
https://www.youtube.com/watch?v=a4FmLCYKKwI (sorry, it's in German but there are subtitles).

Passkeys seem to be very secure and easy to use.

Here is an overview:

Can I use this with py4web somehow right now?

Klaus

Massimo

Aug 6, 2023, 11:33:53 AM
to py4web
Please create a ticket. This would take some work but it can be done.

Kevin Keller

Aug 6, 2023, 11:57:29 AM
to Massimo, py4web
You would have to implement the whole WebAuthn thing. But at least you can get FIDO2 etc. with it as well.

Definitely a good chunk of work though.

Not that that is a reason not to do it.

If you need something yesterday you can just use OpenID Connect with your favourite identity provider that supports passkeys, such as Keycloak (open source).

If you want it in py4web quick and dirty you can also just implement your own key pair authentication, meaning you have to create key pairs and store their public key and have them download their personal private key.

Then they have to upload their own private key in the Auth form when authenticating and you just check if that private key belongs to the user's public key.

Passkey with WebAuthn is definitely a smoother experience though.

I personally would just go with Keycloak.
Spend less work on implementing secure authentication and more work on the actual app, as authentication standards also always evolve.




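Kevin's quick-and-dirty key-pair idea above has the user upload their private key at login. The added example below (not code from the thread, from py4web or from Keycloak) shows the same "one key pair per user" idea done as a challenge-response instead, which is also the shape WebAuthn uses: the server stores only the public key, sends a fresh random challenge, and verifies the user's signature over it, so the private key never leaves the user's device and a captured signature cannot be replayed. It assumes the third-party cryptography package is installed; KeyPairAuthServer, KeyPairAuthClient, the "login:" message prefix and CHALLENGE_TTL are this example's own names.

```python
# Added example (not from the thread): key-pair login as a challenge-response.
# The server keeps only each user's public key; the private key stays with the
# client, so nothing secret is uploaded or stored server-side.
# Assumes the third-party `cryptography` package.
import os
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

CHALLENGE_TTL = 60  # seconds a challenge stays valid (example value)


def _message(username, nonce):
    # Bind the signature to the purpose and the user, not just the raw nonce.
    return b"login:" + username.encode() + b":" + nonce


class KeyPairAuthServer:
    """Server side: stores public keys, issues one-time challenges, verifies signatures."""

    def __init__(self):
        self.public_keys = {}  # username -> raw 32-byte Ed25519 public key
        self.challenges = {}   # username -> (nonce, issued_at)

    def register(self, username, public_key_bytes):
        # Reject malformed keys at enrollment rather than at login time.
        Ed25519PublicKey.from_public_bytes(public_key_bytes)
        self.public_keys[username] = public_key_bytes

    def issue_challenge(self, username):
        if username not in self.public_keys:
            raise KeyError("unknown user")
        nonce = os.urandom(32)
        self.challenges[username] = (nonce, time.time())
        return nonce

    def verify(self, username, signature, now=None):
        # Single use: pop the challenge so a captured signature cannot be replayed.
        entry = self.challenges.pop(username, None)
        if entry is None:
            return False
        nonce, issued_at = entry
        now = time.time() if now is None else now
        if now - issued_at > CHALLENGE_TTL:
            return False
        pub = Ed25519PublicKey.from_public_bytes(self.public_keys[username])
        try:
            pub.verify(signature, _message(username, nonce))
        except InvalidSignature:
            return False
        return True


class KeyPairAuthClient:
    """Client side: holds the private key and signs challenges with it."""

    def __init__(self):
        self.private_key = Ed25519PrivateKey.generate()

    def public_key_bytes(self):
        # Only this value is ever sent to the server (at enrollment).
        return self.private_key.public_key().public_bytes(
            serialization.Encoding.Raw, serialization.PublicFormat.Raw
        )

    def sign_challenge(self, username, nonce):
        return self.private_key.sign(_message(username, nonce))


def demo():
    """Walk through enrollment, a good login, a replay, a wrong key, and an expired challenge."""
    server = KeyPairAuthServer()
    alice = KeyPairAuthClient()
    server.register("alice", alice.public_key_bytes())

    nonce = server.issue_challenge("alice")
    sig = alice.sign_challenge("alice", nonce)
    ok = server.verify("alice", sig)
    replay = server.verify("alice", sig)  # challenge already consumed

    mallory = KeyPairAuthClient()  # owns a key pair, but not alice's
    nonce = server.issue_challenge("alice")
    wrong_key = server.verify("alice", mallory.sign_challenge("alice", nonce))

    nonce = server.issue_challenge("alice")
    issued_at = server.challenges["alice"][1]
    expired = server.verify(
        "alice", alice.sign_challenge("alice", nonce), now=issued_at + CHALLENGE_TTL + 1
    )
    return ok, replay, wrong_key, expired


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

In a web app the challenge would be issued by one endpoint and kept in the session, and the browser would sign it with a key held in client-side storage; WebAuthn does exactly this with the key locked inside an authenticator, which is why it is the smoother and safer option the thread recommends.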

klaus z

Aug 7, 2023, 1:29:03 AM
to py4web
Thanks for following it up.

Re suggestions:

1. 'use open id connect with your favourite identity provider that supports passkey' -> Would that mean using authentication eg through a Google or GithubID (maybe Apple seems to be different from the standard). 

2. For Keycloak (open source):
could there be issues because of IBM and Red Hat? If not, is this the right start:
'Web Framework Support
We provide prebuilt middlewares for the following frameworks
Flask
Starlette
Django'
https://github.com/keycloak-client/keycloak-client

3. Implementing it fully, as Massimo suggested, as a long-term goal should be discussed. As I am rarely here I should not just come and create work for others. That would not be fair.

To go ahead (if welcome and needed):
4. Would it make sense - with the least necessary work but also to attract others for Py4Web - to implement it in the standard either here:

Correct me when there are better solutions.

Klaus

Kevin Keller

Aug 9, 2023, 9:56:38 AM
to klaus z, py4web
I wrote a quick and dirty email once about how to use Keycloak with OpenID Connect and py4web:

I don't think IBM will come after Keycloak.


So 

1. Install Keycloak

2. Get passkey authentication in Keycloak to work:

3. For py4web go through the following steps to integrate Keycloak with py4web for SSO, and afterwards configure Keycloak so that users who authenticate have to use a passkey.

Py4web steps for keycloak: 


Create oauth2keycloak.py file in py4web/utils/auth_plugins/ and put in this:


from . import OAuth2


class OAuth2Keycloak(OAuth2):
    # Plugin name; this is what auth.html lists in its plugins="..." attribute
    name = "oauth2keycloak"
    # Replace http(s)://KEYCLOAKIPPORT with the scheme, host and port of your Keycloak
    login_url = "http(s)://KEYCLOAKIPPORT/auth/realms/master/protocol/openid-connect/auth"
    token_url = "http(s)://KEYCLOAKIPPORT/auth/realms/master/protocol/openid-connect/token"
    userinfo_url = "http(s)://KEYCLOAKIPPORT/auth/realms/master/protocol/openid-connect/userinfo"
    revoke_url = "http(s)://KEYCLOAKIPPORT/auth/realms/master/protocol/openid-connect/logout"
    # "openid" is required for OIDC; "profile" supplies given_name / family_name
    default_scope = "openid profile"
    # py4web user field -> claim name in the Keycloak userinfo response
    maps = {
        "username": "email",
        "email": "email",
        "sso_id": "email",
        "first_name": "given_name",
        "last_name": "family_name",
    }


In your app (probably based on scaffold) go to your static/components/auth.html and add a button for KeyCloak: 

<a v-if="plugins.indexOf('oauth2keycloak')>=0"
class="button is-link"
v-bind:href="'../auth/plugin/oauth2keycloak/login?next='+next">Login with KeyCloak</a>

Also in your scaffolded app add the plugin to the auth.html file under templates:

<div class="column is-half is-offset-one-quarter" style="border : 1px solid #e1e1e1; border-radius: 10px">
      <auth plugins="local,oauth2keycloak"></auth>


Finally for single logout add this line to your logout function in py4web/utils/auth.py

        elif path == "logout":
            self.session.clear()
            redirect("http(s)://KEYCLOAKIPPORT/auth/realms/master/protocol/openid-connect/logout?redirect_uri=*ENCODEDREDIRECTURIAFTERLOGOUT*")

Of course you need to install keycloak and create 2 openid clients with secrets. 
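The logout step above needs the redirect_uri value URL-encoded, and that value is a redirect target the user can influence through next=. The added example below (not py4web's or Keycloak's code) builds the logout URL from the same Keycloak paths the plugin uses, lets urllib.parse do the encoding, and only accepts a path on the app's own origin as the post-logout target, so the Keycloak logout cannot be turned into an open redirect. KEYCLOAK_BASE, APP_ORIGIN and the function names are placeholders and assumptions of this example.

```python
# Added example (not py4web's or Keycloak's code): build the single-logout URL with a
# properly encoded redirect_uri, and refuse post-logout targets that leave our site.
from urllib.parse import urlencode, urlsplit, urlunsplit

KEYCLOAK_BASE = "https://KEYCLOAKIPPORT/auth/realms/master"  # placeholder, as in the thread
APP_ORIGIN = "https://app.example.invalid"                  # placeholder for the py4web app


def safe_post_logout_target(next_path):
    """Accept only a relative path on our own origin; anything else falls back to '/'.

    urlsplit() reports a scheme for "https://evil.example/" or "javascript:...",
    and a netloc for protocol-relative "//evil.example", so all of those are rejected.
    """
    parts = urlsplit(next_path)
    if parts.scheme or parts.netloc:
        return APP_ORIGIN + "/"
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return APP_ORIGIN + "/"
    # Rebuild without scheme/netloc/fragment so only path and query survive
    return APP_ORIGIN + urlunsplit(("", "", parts.path, parts.query, ""))


def keycloak_logout_url(next_path="/"):
    """Keycloak end-session URL whose redirect_uri is the validated, encoded target."""
    target = safe_post_logout_target(next_path)
    query = urlencode({"redirect_uri": target})  # percent-encodes ':' '/' '?' '='
    return KEYCLOAK_BASE + "/protocol/openid-connect/logout?" + query


if __name__ == "__main__":
    print(keycloak_logout_url("/account?tab=1"))
    print(keycloak_logout_url("//evil.example"))  # falls back to the app root
```

In the py4web logout branch the result of keycloak_logout_url() is what would be passed to redirect() in place of the hand-written string. Note that Keycloak releases from 17 onwards drop the /auth prefix from these URLs, and from 18 onwards the logout endpoint expects post_logout_redirect_uri together with id_token_hint instead of redirect_uri, so the paths here follow the thread and may need adjusting to the Keycloak version in use.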
