Support authenticatorAttachment in PublicKeyCredential

Author: luisgoncalves

webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResult.java

@@ -29,6 +29,7 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.yubico.webauthn.data.AuthenticatorAssertionExtensionOutputs;
 import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
+import com.yubico.webauthn.data.AuthenticatorAttachment;
 import com.yubico.webauthn.data.AuthenticatorData;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
@@ -195,6 +196,19 @@ public boolean isBackedUp() {
     return credentialResponse.getResponse().getParsedAuthenticatorData().getFlags().BS;
   }
 
+  /**
+   * The <a href="https://w3c.github.io/webauthn/#authenticator-attachment-modality">authenticator
+   * attachment modality</a> in effect at the time the asserted credential was used.
+   *
+   * @deprecated EXPERIMENTAL: This feature is from a not yet mature standard; it could change as
+   *     the standard matures.
+   */
+  @Deprecated
+  @JsonIgnore
+  public Optional<AuthenticatorAttachment> getAuthenticatorAttachment() {
+    return credentialResponse.getAuthenticatorAttachment();
+  }
+
   /**
    * The new <a href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#signcount">signature
    * count</a> of the credential used for the assertion.

webauthn-server-core/src/main/java/com/yubico/webauthn/RegistrationResult.java

@@ -31,6 +31,7 @@
 import com.yubico.webauthn.RelyingParty.RelyingPartyBuilder;
 import com.yubico.webauthn.attestation.AttestationTrustSource;
 import com.yubico.webauthn.data.AttestationType;
+import com.yubico.webauthn.data.AuthenticatorAttachment;
 import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
 import com.yubico.webauthn.data.AuthenticatorRegistrationExtensionOutputs;
 import com.yubico.webauthn.data.ByteArray;
@@ -175,6 +176,19 @@ public boolean isBackedUp() {
     return credential.getResponse().getParsedAuthenticatorData().getFlags().BS;
   }
 
+  /**
+   * The <a href="https://w3c.github.io/webauthn/#authenticator-attachment-modality">authenticator
+   * attachment modality</a> in effect at the time the credential was created.
+   *
+   * @deprecated EXPERIMENTAL: This feature is from a not yet mature standard; it could change as
+   *     the standard matures.
+   */
+  @Deprecated
+  @JsonIgnore
+  public Optional<AuthenticatorAttachment> getAuthenticatorAttachment() {
+    return credential.getAuthenticatorAttachment();
+  }
+
   /**
    * The signature count returned with the created credential.
    *

webauthn-server-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredential.java

@@ -25,11 +25,11 @@
 package com.yubico.webauthn.data;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.yubico.internal.util.JacksonCodecs;
 import java.io.IOException;
+import java.util.Optional;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.NonNull;
@@ -46,7 +46,6 @@
  */
 @Value
 @Builder(toBuilder = true)
-@JsonIgnoreProperties({"authenticatorAttachment"})
 public class PublicKeyCredential<
     A extends AuthenticatorResponse, B extends ClientExtensionOutputs> {
 
@@ -68,6 +67,8 @@ public class PublicKeyCredential<
    */
   @NonNull private final A response;
 
+  private final AuthenticatorAttachment authenticatorAttachment;
+
   /**
    * A map containing extension identifier → client extension output entries produced by the
    * extension’s client extension processing.
@@ -83,6 +84,7 @@ private PublicKeyCredential(
       @JsonProperty("id") ByteArray id,
       @JsonProperty("rawId") ByteArray rawId,
       @NonNull @JsonProperty("response") A response,
+      @JsonProperty("authenticatorAttachment") AuthenticatorAttachment authenticatorAttachment,
       @NonNull @JsonProperty("clientExtensionResults") B clientExtensionResults,
       @NonNull @JsonProperty("type") PublicKeyCredentialType type) {
     if (id == null && rawId == null) {
@@ -95,16 +97,30 @@ private PublicKeyCredential(
 
     this.id = id == null ? rawId : id;
     this.response = response;
+    this.authenticatorAttachment = authenticatorAttachment;
     this.clientExtensionResults = clientExtensionResults;
     this.type = type;
   }
 
   private PublicKeyCredential(
       ByteArray id,
       @NonNull A response,
+      AuthenticatorAttachment authenticatorAttachment,
       @NonNull B clientExtensionResults,
       @NonNull PublicKeyCredentialType type) {
-    this(id, null, response, clientExtensionResults, type);
+    this(id, null, response, authenticatorAttachment, clientExtensionResults, type);
+  }
+
+  /**
+   * The <a href="https://w3c.github.io/webauthn/#authenticator-attachment-modality">authenticator
+   * attachment modality</a> in effect at the time the credential was used.
+   *
+   * @deprecated EXPERIMENTAL: This feature is from a not yet mature standard; it could change as
+   *     the standard matures.
+   */
+  @Deprecated
+  public Optional<AuthenticatorAttachment> getAuthenticatorAttachment() {
+    return Optional.ofNullable(authenticatorAttachment);
   }
 
   public static <A extends AuthenticatorResponse, B extends ClientExtensionOutputs>

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala

@@ -31,6 +31,7 @@ import com.upokecenter.cbor.CBORObject
 import com.yubico.internal.util.JacksonCodecs
 import com.yubico.webauthn.data.AssertionExtensionInputs
 import com.yubico.webauthn.data.AuthenticatorAssertionResponse
+import com.yubico.webauthn.data.AuthenticatorAttachment
 import com.yubico.webauthn.data.AuthenticatorDataFlags
 import com.yubico.webauthn.data.AuthenticatorTransport
 import com.yubico.webauthn.data.ByteArray
@@ -2592,6 +2593,36 @@ class RelyingPartyAssertionSpec
             resultWithBeOnly.isBackedUp should be(false)
             resultWithBackup.isBackedUp should be(true)
           }
+
+          it(
+            "exposes getAuthenticatorAttachment() with the authenticatorAttachment value from the PublicKeyCredential."
+          ) {
+            val pkcTemplate =
+              TestAuthenticator.createAssertion(
+                challenge =
+                  request.getPublicKeyCredentialRequestOptions.getChallenge,
+                credentialKey = credentialKeypair,
+                credentialId = credential.getId,
+              )
+
+            forAll { authenticatorAttachment: Option[AuthenticatorAttachment] =>
+              val pkc = pkcTemplate.toBuilder
+                .authenticatorAttachment(authenticatorAttachment.orNull)
+                .build()
+
+              val result = rp.finishAssertion(
+                FinishAssertionOptions
+                  .builder()
+                  .request(request)
+                  .response(pkc)
+                  .build()
+              )
+
+              result.getAuthenticatorAttachment should equal(
+                pkc.getAuthenticatorAttachment
+              )
+            }
+          }
         }
       }
     }

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala

@@ -42,6 +42,7 @@ import com.yubico.webauthn.attestation.AttestationTrustSource
 import com.yubico.webauthn.attestation.AttestationTrustSource.TrustRootsResult
 import com.yubico.webauthn.data.AttestationObject
 import com.yubico.webauthn.data.AttestationType
+import com.yubico.webauthn.data.AuthenticatorAttachment
 import com.yubico.webauthn.data.AuthenticatorAttestationResponse
 import com.yubico.webauthn.data.AuthenticatorData
 import com.yubico.webauthn.data.AuthenticatorDataFlags
@@ -4619,6 +4620,33 @@ class RelyingPartyRegistrationSpec
           resultWithBeOnly.isBackedUp should be(false)
           resultWithBackup.isBackedUp should be(true)
         }
+
+        it(
+          "exposes getAuthenticatorAttachment() with the authenticatorAttachment value from the PublicKeyCredential."
+        ) {
+          val (pkcTemplate, _, _) =
+            TestAuthenticator.createUnattestedCredential(challenge =
+              request.getChallenge
+            )
+
+          forAll { authenticatorAttachment: Option[AuthenticatorAttachment] =>
+            val pkc = pkcTemplate.toBuilder
+              .authenticatorAttachment(authenticatorAttachment.orNull)
+              .build()
+
+            val result = rp.finishRegistration(
+              FinishRegistrationOptions
+                .builder()
+                .request(request)
+                .response(pkc)
+                .build()
+            )
+
+            result.getAuthenticatorAttachment should equal(
+              pkc.getAuthenticatorAttachment
+            )
+          }
+        }
       }
     }