WebAuthN as second factor logic?

[StephenOTT]

I am looking through https://quarkus.io/guides/security-webauthn, and it uses webauthn as the primary login.

Is there any examples of config needed to make it a form of second factor auth?

[FroMage]

We don't have any examples of that, no. Just to be clear, you want to use WebAuthn as a second required authentication method, on top on a primary one? Like, both must match?

Or as an alternate login method, where you could login with either password or OIDC or WebAuhtn?

This last case should be easy, it's mostly just having the UI to allow both types of logins, and the UI required to add password or WebAuthn auth when you're already logged in, to configure the alternate authentication options.

[StephenOTT]

@FroMage thanks for the quick followup. It would be the first example; something like user has logged in with JWT, and we are also requesting WebAuthn. Generally someone would use ODIC, but in this case i am looking at if the webauthn could be added as an additional auth layer requirement (on top of the jwt). So if JWT if valid then it would request WebAuthN.

In a related set of code to this topic, is there a working version of https://quarkus.io/guides/security-webauthn#handling-login-and-registration-endpoints-yourself ? I cannot seem to get the login endpoint to generate the challenge. The webauthn is submitting application/json, but it seems to example of looking for a multi-part Form ?

[StephenOTT]

My initial guess is having to roll my own logic to additionally ensure the JWT and the TrustedAuthenticationRequest identityProviders are active? https://quarkus.io/guides/security-authentication-mechanisms#combining-authentication-mechanisms is there more docs or explanation on the implications of "combining" ?

[StephenOTT]

In a related set of code to this topic, is there a working version of https://quarkus.io/guides/security-webauthn#handling-login-and-registration-endpoints-yourself ? I cannot seem to get the login endpoint to generate the challenge. The webauthn is submitting application/json, but it seems to example of looking for a multi-part Form ?

Looking at the quarkus webauthn default endpoints:

https://github.com/quarkusio/quarkus/blob/main/extensions/security-webauthn/runtime/src/main/java/io/quarkus/security/webauthn/WebAuthnController.java#L150-L189

It seems like the example code in the guide is doing more of the callback endpoint, but is being shown in the docs as doing the /login endpoint.

[FroMage]

I have never combined two authentication mechanisms on top of one another, and I don't know how to require it or check it, or even if we can have more than one active at the same time, especially since both set the user identity, possibly with different mechanisms.

Perhaps @sberyozkin can help?

[StephenOTT]

@FroMage for some more use case context: I am looking at scenarios where specific endpoints require the additional webauthn validation. So normal logic may require typical oidc. But specific endpoints would require the webauthn / security key in addition to the jwt.

[sberyozkin]

Or as an alternate login method, where you could login with either password or OIDC or WebAuhtn?

WebAuthn as a second factor logic is definitely where OIDC is good. For example, Keycloak docs tals about it. Using WebAuthn at the OIDC level will also give the regular OIDC tokens.

[StephenOTT]

agreed

[StephenOTT]

@FroMage @sberyozkin I have reviewed the code being implemented in:

https://github.com/quarkusio/quarkus/blob/main/extensions/security-webauthn/runtime/src/main/java/io/quarkus/security/webauthn/WebAuthnController.java

and compared against:

https://quarkus.io/guides/security-webauthn#handling-login-and-registration-endpoints-yourself

and the guide seems to be wrong. The guide provides a /login endpoint example for handling logic yourself, but when comparing the code against the WebAuthnController.java file, it looks like the guide example ~recreated a version of callback instead of login?

I re-create some quick impl of the 3 endpoints provided by default but re-created so users can modify inputs, etc.

   @Inject
    WebAuthnSecurity webAuthnSecurity;

    @Path("/webauthn/login")
    @POST
    @Transactional
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Uni<RestResponse<Map<String, Object>>> login(JsonObject body,
                                                        RoutingContext ctx,
                                                        @Context WebAuthnAuthenticationMechanism authMech) {
        var username = body.getString("name");

        return Uni.createFrom().completionStage(webAuthnSecurity.getWebAuthn().getCredentialsOptions(username).toCompletionStage())
                .onFailure().transform(t -> new AuthenticationFailedException(t.getMessage(), t))
                .map(getAssertion -> {
                    authMech.getLoginManager().save(getAssertion.getString("challenge"), ctx, CHALLENGE_COOKIE, null, ctx.request().isSSL());
                    authMech.getLoginManager().save(username, ctx, USERNAME_COOKIE, null, ctx.request().isSSL());
                    // Need to encode and reparse to get rid of the nested JsonObject classes causing unexpected serialization behaviour
                    // based on https://github.com/eclipse-vertx/vert.x/issues/1637#issuecomment-248998151
                    return new JsonObject(getAssertion.encode());
                }).map(json -> RestResponse.ok(json.getMap()))
                .onFailure(AuthenticationFailedException.class)
                .recoverWithItem(t -> RestResponse.status(RestResponse.Status.BAD_REQUEST, Map.of("error", t.getMessage())));
    }

    @Path("/webauthn/register")
    @POST
    @Transactional
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Uni<RestResponse<Map<String, Object>>> register(JsonObject body,
                                  RoutingContext ctx,
                                  @Context WebAuthnAuthenticationMechanism authMech) {

        return Uni.createFrom().completionStage(webAuthnSecurity.getWebAuthn().createCredentialsOptions(body).toCompletionStage()).map(credentialsOptions -> {

            // save challenge to the session
            authMech.getLoginManager().save(credentialsOptions.getString("challenge"), ctx, CHALLENGE_COOKIE, null,
                    ctx.request().isSSL());
            authMech.getLoginManager().save(body.getString("name"), ctx, USERNAME_COOKIE, null,
                    ctx.request().isSSL());

            return new JsonObject(credentialsOptions.encode());

        }).map(json -> RestResponse.ok(json.getMap()));
    }

    @Path("/webauthn/callback")
    @POST
    @Transactional
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Uni<RestResponse<Void>> register(JsonObject webauthnResp,
                                            RoutingContext ctx,
                                            @Context WebAuthnAuthenticationMechanism authMech,
                                            @Context WebAuthnRunTimeConfig config,
                                            @Context IdentityProviderManager identityProviderManager) {


        PersistentLoginManager.RestoreResult challenge = authMech.getLoginManager().restore(ctx, CHALLENGE_COOKIE);
        PersistentLoginManager.RestoreResult username = authMech.getLoginManager().restore(ctx, USERNAME_COOKIE);

        if (challenge == null || challenge.getPrincipal() == null || challenge.getPrincipal().isEmpty()
                || username == null || username.getPrincipal() == null || username.getPrincipal().isEmpty()) {
            throw new IllegalArgumentException("Missing challenge or username");
        }

        var origin = config.origin.orElse(null);
        String domain = null;
        if (origin != null) {
            Origin o = Origin.parse(origin);
            domain = o.host();
        }

        WebAuthnCredentials credentials = new WebAuthnCredentials()
                .setOrigin(origin)
                .setDomain(domain)
                .setChallenge(challenge.getPrincipal())
                .setUsername(username.getPrincipal())
                .setWebauthn(webauthnResp);


        SecurityIdentity identity = identityProviderManager.authenticateBlocking(HttpSecurityUtils.setRoutingContextAttribute(new WebAuthnAuthenticationRequest(credentials), ctx));

        // WebAuthnSecurity.removeCookie(ctx, WebAuthnController.CHALLENGE_COOKIE); // removeCookie Not a public method
        Cookie challengeCookie = ctx.request().getCookie(WebAuthnController.CHALLENGE_COOKIE);
        if (challengeCookie != null) {
            challengeCookie.setPath("/");
        }
        ctx.response().removeCookie(WebAuthnController.CHALLENGE_COOKIE);

        // WebAuthnSecurity.removeCookie(ctx, WebAuthnController.USERNAME_COOKIE); // removeCookie Not a public method
        Cookie usernameCookie = ctx.request().getCookie(WebAuthnController.CHALLENGE_COOKIE);
        if (usernameCookie != null) {
            usernameCookie.setPath("/");
        }
        ctx.response().removeCookie(WebAuthnController.CHALLENGE_COOKIE);

        authMech.getLoginManager().save(identity, ctx, null, ctx.request().isSSL());

        return Uni.createFrom().item(RestResponse.ok());
    }

Can you clarify the usage from the guide, or is the guide old/out of date/incorrect?

Thanks!

[FroMage]

Actually, what we show in the guide are examples where you want to override /callback to make it do something different on registration or login, so we're not overriding the challenges.

I suppose we can improve the guide to make this clearer.

[StephenOTT]

Oh! okay, ya that seems to read completely differently then in the docs. Also the example given in the doc is for the /login endpoint. So if /callback was supposed to be used then at min there are error(s) in that section of the doc.

[FroMage]

I suppose the shown /login endpoint is different from the non-touched /q/webauthn/login endpoint issuing a challenge. But I can understand how that confuses things, thanks.

[StephenOTT]

I think the first section of the docs showing:

where all this confusion comes from: It reads as "oh ya this is how i override the /login and /register endpoint" as in the webauthn/login and webauthn/register endpoints.

:)

[FroMage]

I need to fix this. Thanks.

[FroMage]

I'm more and more convinced we should have exposed the following endpoints instead:

• login-challenge
• login
• register-challenge
• register

Because there's a lot of confusion as to which endpoint does what, callback is just too generic a name, and login and register imply more than getting a challenge to most people.

[FroMage]

Would these diagrams help?

[FroMage]

I've added doc improvements to #38373 if you want to review them

[StephenOTT]

@FroMage is the Registration-login and the login-login flow handled the same? I found it unclear if there was different things happening on the client side and the server side for the login aspect during registration vs just login for an already registered user.

[FroMage]

I'm not sure what you mean by registration-login and login-login. In both login and register flows, every step is different. The fact that there's a single /callback endpoint for both triggers is just confusing, but that callback does two very different things.

[StephenOTT]

I'm not sure what you mean by registration-login and login-login.

just a way to say: During Registration flow there is the registration activity + a login activity as shown in your diagram. and in the login flow there is the login activity.

The fact that there's a single /callback endpoint for both triggers is just confusing .... that callback does two very different things.

Based on this comment, i would concur that it creates confusion. Don't think it is clear what the difference is between registration and login data and actions differences for the callback endpoint.