Currently in beta. Good for demos and prototypes, but not production ready.
git clone --recursive https://github.com/apowers313/fido2-server-demo cd fido2-server-demo npm install npm start
Note: this project uses
await and requires node.js 7.6+. If you are running OpenSSH >1.1.0 (e.g. - Debian Buster), it requires node.js 10+.
There is also a Docker image available, which makes it much less likely that you will have configuration problems. Here are the instructions for using the Docker image.
- Install Docker for Windows or Docker for Mac or use one of the several other install options.
- run the command:
docker run -d -p 8888:8888 -p 8443:8443 apowers313/fido2-server:prod-canary
- open https://localhost:8443
scm-config.json to change ports, domains, and certificate paths.
This a simple-component-manager configuration file where each component is replaceable with one of a similar type (logger, user data store, cert manager, etc.). More components and documentation will be forthcoming. For now, hopefully things like changing ports and certificate paths are fairly obvious.
The following components are used for this server:
- component-fido2 (Also note that the core FIDO2 functionality is implemented in fido2-lib)
Bugs / Help / Contributing
If you find bugs or need help, open a GitHub issue. If you are so inspired, feel free to submit a pull request. Also feel free to just send a note saying that you're using the server and what you think of it -- it's nice to know when a project is being used.
You can also find me on Twitter at @apowers313.
This server does a number of things that shouldn't be done in a real server. These are for demonstration purposes and will be phased out over the next couple months:
- Attestation is not currently required to be verified. If an authenticator doesn't have attestation, the registration will still be successful and a warning message will be logged.
- This allows both User Presence (UP) and User Verification (UV) to be used for first-factor authentication. Typically only UV should be used for first-factor authentication, but given that U2F tokens are going to be the most commonly available authenticator in the short term, this server still allows UP-only authenticators to behave in a password-less fashion.
- User accounts are wide open -- the session is not currently checked for previous authentication, so anyone can add any authenticator to any username. This is great for demos (and inspired by demo.yubico.com/u2f) but not how things would work in the real world. This will change in the near future.
Note that while I used to be Technical Director for FIDO Alliance (and I am currently the Technical Advisor for FIDO Alliance), THIS PROJECT IS NOT ENDORSED OR SPONSORED BY FIDO ALLIANCE.
Work for this project is supported by my consulting company: WebAuthn Consulting.
Other FIDO2 / WebAuthn Projects
There are a number of other great FIDO2 and WebAuthn projects out there. I love all things FIDO2 and WebAuthn, so here's a list of other projects (Note: I'm not affiliated with any of these projects):
Open Source Servers
- Google / Java
- MasterCard / Java (Spring)
- cedarcode / Ruby
- abergs / .NET
Open Source Clients
Open Source CTAP2
Open Access Servers
- apowers313: webauthn.org
- Duo: webauthn.io
- Mozilla: webauthn.bin.coffee
- Yubico: demo.yubico.com/webauthn
- watahani: webauthn-tutorial-haniyama.now.sh
If your project isn't listed here and you would like it to be, drop me a note and I would be happy to add it.