WebAuthn FIDO/FIDO2 Support

[mahnunchik]

Preflight Checklist

• I have read the Contributing Guidelines for this project.
• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for an issue that matches the one I want to file, without success.

Issue Details

• Electron Version:
  • 8.4.0, 9, 10, (added 07.04.2021) 11, 12
• Operating System:
  • macOS 10.15.5
• Last Known Working Electron version:
  • -

It is not clear how to make WebAuthn works in Electron app if page is local not from webserver.

Expected Behavior

WebAuthn works if page loaded from standard and secure scheme: https://www.electronjs.org/docs/api/protocol#protocolregisterschemesasprivilegedcustomschemes

Actual Behavior

I've faced with the following error:

Uncaught (in promise) DOMException: Public-key credentials are only available to HTTPS origin or HTTP origins that fall under 'localhost'. See https://crbug.com/824383

To Reproduce

https://gist.github.com/mahnunchik/165a117564ebc632a3723d2666f5024c

Additional Information

Related issues:

• WebAuthn Support #15404
• protocol.intercept{Any}Protocol handler ability to call original handler #15434

[mahnunchik]

@jkleinsc I think it is related to any version of electron because even versions 9 and 10 are affected.

[mahnunchik]

I was able to make WebAuthn works by the following protocol interception:

protocol.interceptFileProtocol('http', (request, callback) => {
    const { host, pathname } = url.parse(request.url);

    if (host === 'localhost') {
        callback({ path: path.normalize(`${__dirname}/${pathname}`) });
    } else {
        // all requests to http except localhost will be lost...
        callback();
    }
}, (error) => {
    if (error) console.error('Failed to register protocol')
})

mainWindow.loadURL('http://localhost/index.html')

This allows to bypass Public-key credentials security police but brakes any other requests to any http:// addresses.

So the idea preposed here #15434 should solve the WebAuthn issue.

[mahnunchik]

One more note:

isSecureContext reports true after protocol.registerSchemesAsPrivileged as secure protocol but WebAuthn still reports the error: Public-key credentials are only available to HTTPS origin or HTTP

window.isSecureContext
// true

[mahnunchik]

As the root of the issue may be in the Chromium itself I've reported issue in Chromium bug tracker: https://bugs.chromium.org/p/chromium/issues/detail?id=1106365

[mahnunchik]

According to the reply from Chromium issue: https://bugs.chromium.org/p/chromium/issues/detail?id=1106365#c7

I believe the issue is that WebAuthn isn't just restricted to secure contexts, it also is restricted to HTTPS. This is a constraint imposed by the spec on valid relying party identifiers (RP IDs). See https://www.w3.org/TR/webauthn/#rp-id.

To make WebAuthn works in Electron from file:// or another secure custom protocol it is required to patch Chromium to remove restriction to use https:// only origin.

[mahnunchik]

Hi @jkleinsc

I would like to draw attention to this issue because at the moment electron supports biometric scanner only on macOS.

WebAuthn implementation allows desktop apps to support in device FIDO authenticators:

• macOS via Touch ID
• Windows via Windows Hello

In addition to removable hardware security keys.

[Levminer]

Any update on this?

Intercepting the protocol works, but thats not a very elegant solution.