Security WebAuthn thoughts

[sixcorners]

about the html example in the guide:
<ul> tag should be closed
I wish it used form tags and addEventListener with the submit event instead of setting onclick.

I wish the guide explained what's up with displayName or how to use it. I don't see it in the Authenticator. The UserProvider has lookup methods that return lists of Authenticators but the javadocs refer to singular credentials. (Can the credential id lookup really ever return multiple things?)

The login button has 500 internal server errors being returned if the username isn't found. That should probably be a 400 level error. Also it seems like returning any error here makes the form an oracle that could be used to check if any username exists. (not sure if this is able to be fixed)

The webauthn.js file does this "WebAuthn.constructor = WebAuthn;" but WebAuthn is a function and not an instance of WebAuthn. If you use the new syntax like class A {} which sets everything up for you then A.constructor will be Function not A. I don't think this should be set.

I wish the UserProvider supported RunOnVirtualThread in addition to Blocking. WebAuthnAuthenticatorStorage.isBlocking() checks super classes but the annotations say that they are not inherited. Is the super class being checked because of proxies?

I wish the guide described how to use this with no username. I kind of think it might not be possible to do this with the current code. If I just set the username to be the same for everyone won't the username lookup method get called on the provider and expect every credential in the returned list?

[sberyozkin]

@FroMage, FYI

[sixcorners]

Here is a section of the w3c doc that describes the username oracle thing and a way to fix it:
https://www.w3.org/TR/webauthn-2/#sctn-username-enumeration

Also I haven't exactly ruled out that I haven't done something wrong on my end wrt anything. I don't know much about webauthn atm. Kind of wish the https://github.com/Yubico/java-webauthn-server could be used just because it would be nice if some of the implementation was shared but it seems like they also return an error if the username doesn't exist.

[sixcorners]

Nevermind about the generating keys to hide when a username doesn't exist. I guess it's not a very well settled issue: Yubico/java-webauthn-server#345

[FroMage]

about the html example in the guide: <ul> tag should be closed

Ah yes, that's a bug.

I wish it used form tags and addEventListener with the submit event instead of setting onclick.

You mean instead of:

loginButton.onclick = () => { ... };

I suppose this would be better, yes, according to https://developer.mozilla.org/en-US/docs/Web/API/EventTarget/addEventListener:

The addEventListener() method is the recommended way to register an event listener.

So, yeah.

I wish the guide explained what's up with displayName or how to use it. I don't see it in the Authenticator.

Good question. I'm not entirely sure myself why it's used.

The UserProvider has lookup methods that return lists of Authenticators but the javadocs refer to singular credentials. (Can the credential id lookup really ever return multiple things?)

Yes, you can have multiple credentials per user. This should work.

The login button has 500 internal server errors being returned if the username isn't found. That should probably be a 400 level error. Also it seems like returning any error here makes the form an oracle that could be used to check if any username exists. (not sure if this is able to be fixed)

Do you have a stack trace for the 500?

The webauthn.js file does this "WebAuthn.constructor = WebAuthn;" but WebAuthn is a function and not an instance of WebAuthn. If you use the new syntax like class A {} which sets everything up for you then A.constructor will be Function not A. I don't think this should be set.

This is a JavaScript question. I'll defer to @ia3andy or @phillip-kruger for advice.

I wish the UserProvider supported RunOnVirtualThread in addition to Blocking.

@cescoffier what do I need to do to support @RunOnVirtualThread in https://github.com/quarkusio/quarkus/blob/main/extensions/security-webauthn/runtime/src/main/java/io/quarkus/security/webauthn/WebAuthnAuthenticatorStorage.java#L42 ?

WebAuthnAuthenticatorStorage.isBlocking() checks super classes but the annotations say that they are not inherited. Is the super class being checked because of proxies?

I'm not sure, TBH. Best not rely on inheritance.

I wish the guide described how to use this with no username. I kind of think it might not be possible to do this with the current code. If I just set the username to be the same for everyone won't the username lookup method get called on the provider and expect every credential in the returned list?

For registration you need a username. For login, you can avoid it if you the requireResidentKey option is set, in which case you'll need the credentialID.

[FroMage]

@tsegismont do you have any opinion as to whether https://github.com/vert-x3/vertx-web/blob/master/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/WebAuthnHandlerImpl.java#L253 should throw a 500 when the user is not found, or some other status?
I couldn't find this sort of info in the spec.

[cescoffier]

@cescoffier what do I need to do to support @RunOnVirtualThread in https://github.com/quarkusio/quarkus/blob/main/extensions/security-webauthn/runtime/src/main/java/io/quarkus/security/webauthn/WebAuthnAuthenticatorStorage.java#L42 ?

It's relatively simple, you can use the VirtualThreadScheduler. You access it using io.quarkus.virtual.threads.VirtualThreadsRecorder#getCurrent. It does not require Java 21. It falls back on the regular worker pool.

[FroMage]

Thanks @cescoffier.

I've asked some of the other questions at vert-x3/vertx-web#2559

[FroMage]

It's relatively simple, you can use the VirtualThreadScheduler. You access it using io.quarkus.virtual.threads.VirtualThreadsRecorder#getCurrent. It does not require Java 21. It falls back on the regular worker pool.

That's all? I don't need to also register this method as being a valid target for the annotation? Do we have tests for all this, or should I just add support and pray?

[cescoffier]

Basically, when you are seen a method annotated with @RunOnVirtualThread, instead of submitting the invocation on the worker thread pool, you submit it on the executor from io.quarkus.virtual.threads.VirtualThreadsRecorder#getCurrent. That's it.

We do have tests, verifying it works with the various supported frameworks (reactive messaging, resteasy reactive, the scheduler...). They are located in the virtual-threads directory under integration-tests.