-
-
Notifications
You must be signed in to change notification settings - Fork 158
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Multiple Origins #237
Changes from 2 commits
d570df5
5f3d7aa
b689d81
ceb8db2
f998a17
2ab90c6
8ff3e1d
71efd25
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,5 @@ | ||
using System; | ||
using System.Collections.Generic; | ||
using System.Linq; | ||
using System.Text; | ||
using Newtonsoft.Json; | ||
|
@@ -55,7 +56,7 @@ private AuthenticatorResponse() | |
|
||
// todo: add TokenBinding https://www.w3.org/TR/webauthn/#dictdef-tokenbinding | ||
|
||
protected void BaseVerify(string expectedOrigin, byte[] originalChallenge, byte[] requestTokenBindingId) | ||
protected void BaseVerify(List<string> expectedOrigins, byte[] originalChallenge, byte[] requestTokenBindingId) | ||
{ | ||
if (Type != "webauthn.create" && Type != "webauthn.get") | ||
throw new Fido2VerificationException($"Type not equal to 'webauthn.create' or 'webauthn.get'. Was: '{Type}'"); | ||
|
@@ -68,11 +69,11 @@ protected void BaseVerify(string expectedOrigin, byte[] originalChallenge, byte[ | |
throw new Fido2VerificationException("Challenge not equal to original challenge"); | ||
|
||
var fullyQualifiedOrigin = FullyQualifiedOrigin(Origin); | ||
var fullyQualifiedExpectedOrigin = FullyQualifiedOrigin(expectedOrigin); | ||
var fullyQualifiedExpectedOrigins = expectedOrigins.Select(FullyQualifiedOrigin); | ||
|
||
// 5. Verify that the value of C.origin matches the Relying Party's origin. | ||
if (!string.Equals(fullyQualifiedOrigin, fullyQualifiedExpectedOrigin, StringComparison.OrdinalIgnoreCase)) | ||
throw new Fido2VerificationException($"Fully qualified origin {fullyQualifiedOrigin} of {Origin} not equal to fully qualified original origin {fullyQualifiedExpectedOrigin} of {expectedOrigin}"); | ||
if (!fullyQualifiedExpectedOrigins.Any(o => string.Equals(fullyQualifiedOrigin, o, StringComparison.OrdinalIgnoreCase))) | ||
throw new Fido2VerificationException($"Fully qualified origin {fullyQualifiedOrigin} of {Origin} not equal to fully qualified original origin {string.Join(", ", fullyQualifiedExpectedOrigins)} of {string.Join(", ", expectedOrigins)}"); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We should probably add a .Take(MAX_ORIGINS_TO_PRINT) to the list before string joining to stop a very long list of origins to generate huge strings in the exceptions There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sure, any suggestion of what it should be set to? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think 5-10 should be enough. |
||
|
||
// 6. Verify that the value of C.tokenBinding.status matches the state of Token Binding for the TLS connection over which the assertion was obtained. | ||
// If Token Binding was used on that TLS connection, also verify that C.tokenBinding.id matches the base64url encoding of the Token Binding ID for the connection. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While not a dealbreaker, I'm wondering if a HashSet would be better than a List?
My gut feeling is that it would be able to do a lookup without iterating (like linq Any does).
It is mostly relevant if the list of origins grow due to large number of unique origins.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds reasonable, just need to make sure to normalize the ordinal before comparing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed it to HashSet, however to avoid iterating and converting them to FullyQualifiedOrigins each time, I had to store them in the
Fido2Configuration
object. I'm not completely happy with it, but I don't see any other place to put it.