WIP: Support device public key and passkeys #356
Conversation
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## master #356 +/- ##
==========================================
- Coverage 76.80% 74.70% -2.11%
==========================================
Files 89 92 +3
Lines 2531 2728 +197
Branches 427 456 +29
==========================================
+ Hits 1944 2038 +94
- Misses 466 577 +111
+ Partials 121 113 -8
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Src/Fido2.Models/Objects/AuthenticationExtensionsDevicePublicKeyInputs.cs
Outdated
Show resolved
Hide resolved
Src/Fido2.Models/Objects/AuthenticationExtensionsDevicePublicKeyOutputs.cs
Outdated
Show resolved
Hide resolved
|
Hi @aseigler -- anything functionality left here? |
Not sure, need to do another pass on the DPK things to make sure I've got all the logic straight. The passkey area I think is good to go. |
|
Still need to make RP configurable BE/BS options and plumb those into registration and login flows before passkey is done. DPK looks like it has object names that have been updated. Reminder to create CredentialRecord object, move existing StoredCredential members there and hand around that credential record instead of parts of it in and out of login flow. Reminder to remove the rest of the references to token binding. |
Demo/Startup.cs
Outdated
| @@ -52,6 +52,8 @@ public void ConfigureServices(IServiceCollection services) | |||
| options.Origins = Configuration.GetSection("fido2:origins").Get<HashSet<string>>(); | |||
| options.TimestampDriftTolerance = Configuration.GetValue<int>("fido2:timestampDriftTolerance"); | |||
| options.MDSCacheDirPath = Configuration["fido2:MDSCacheDirPath"]; | |||
| options.AllowBackupEligibleCredential = Configuration.GetValue<bool>("fido2:allowBackupEligibleCredential"); | |||
There was a problem hiding this comment.
I would argue that these be allowed by default to support a happier upgrade path. Some RPs may not care about these statuses at all, and so their existing configuration would break?
I know this comment is against the Demo project, but the Configuration default would also be false if this wasn't decided / set at startup.
There was a problem hiding this comment.
I would argue that these be allowed by default to support a happier upgrade path. Some RPs may not care about these statuses at all, and so their existing configuration would break?
I know this comment is against the Demo project, but the Configuration default would also be false if this wasn't decided / set at startup.
I hear ya. This is a enterprise vs consumer setting in my eyes, and I personally am enterprise focused. When this PR is in a release it will be part of a major update, and we are expecting that will contain some breaking changes. Regardless of which way it goes by default, there will be notes to help guide implementers.
There was a problem hiding this comment.
I agree, I think my main concern is that this may block typical use cases.
For an example (even thinking enterprise), you may wish for your users to have a passkey that's backed up and set this setting. However, they would then be unable to add a physical key (Yubikey et al). I know this is the whole point of "Passkeys" to not need it, but I feel that it's more of a per-key decision than one that should be set globally for the RP?
There was a problem hiding this comment.
@aseigler I agree that we should default to true. Given that the average developer might not know what this option do (and should be True for them), while I think we can expect enterprise developers have more knowledge and know to turn it off because of their own research/policy for deploying fido2.
There was a problem hiding this comment.
They would actually be able to register a typical security key with this setting true or false, as those do not set BE flag. Currently only certain platform authenticators do. It's undefined how the platform is protecting those BE keys and where they are going to be restored to. That's why in a situation where the RP cares (enterprise), they might wish to restrict BE keys from being registered at all on the platform, or maybe allow some blessed authenticators but not others (would require additional work to support this). I guess there might be a reason an RP would only want to allow BE keys? That's not the result or intent of this implementation, at least currently.
There was a problem hiding this comment.
Understand the Enterprise point of view.
From a more consumer-focused point of view (ie. specifically the well marketed "Passkeys" aspect) we may want to accept only Passkeys at first, to ensure that users are not able to lose access very easily. Whilst it's not perfect and most authenticators don't give on where the keys are from / stored, knowing that they're backed up allows it to be reasonably assumed that the key is durable and isn't going to disappear like in the case of a physical key loss. For example, we explicitly advise the user to register with a backed up authenticator (specifically iCloud backed Passkeys or their Android phone).
I might be wrong in assuming that this is where this library is going to see most of its use in the short-mid term, but that's my 2c on why this default would be the wrong one.
There was a problem hiding this comment.
From a more consumer-focused point of view (ie. specifically the well marketed "Passkeys" aspect) we may want to accept only Passkeys at first
First thing: https://shouldicapitalizepasskey.com
Sounds crazy to me, but if that's what people want to do with this it's easy enough to switch the logic for BE and BS so instead of true/false the policy can be allow/disallow/require for both registration and authentication flows with the defaults being the most "normal" allow but giving the RP admin the ability to ability for more strict control.
|
@aseigler Anything else left here before we merge? |
I think the only thing that hasn't been gotten to in the list was moving StoredCredential to CredentialRecord but that can be done separately, no need to hold this up for that. |
Update BE/BS policy logic Add more assertion tests, move more error strings to error messages Get metadata into assertion flow for DPK
|
Hey! Any news on this? |
| _demoStorage.UpdateCounter(res.CredentialId, res.Counter); | ||
|
|
||
| if (res.DevicePublicKey is not null) | ||
| creds.DevicePublicKeys.Add(res.DevicePublicKey); |
There was a problem hiding this comment.
I don't understand what we are doing here?
There was a problem hiding this comment.
Basically if a new device public key was discovered in the assertion flow, add it to the list of device public keys associated with this credential.
There was a problem hiding this comment.
Hmm... I think I understand @aseigler. Am I right to think that before saving the DPK the RP would perhaps check some policy or trigger a risk based ceremony before trusting that DPK and then saving/updating the storage with res.DevicePublicKey but in our demo we just add it directly to our in memory storage?
There was a problem hiding this comment.
Yeah, basically same as registering a new credential against an existing user, but way more complicated.
There was a problem hiding this comment.
Alright makes sense, I was just confused about how we used it in our demo. When I get the time I'll add a // TODO: Check policy if we allow new devices, if-so, store it to db
| Id = authData.AttestedCredentialData.CredentialID, | ||
| PublicKey = authData.AttestedCredentialData.CredentialPublicKey.GetBytes(), | ||
| SignCount = authData.SignCount, | ||
| //Transports = result of response.getTransports(); |
There was a problem hiding this comment.
Why do we not return Transports anymore?
There was a problem hiding this comment.
We didn't return transports before, in fact we didn't even collect it in the JavaScript at all, I added in this but it looks like it needs to be added to all of the other registration JavaScript files, and collect transports in AuthenticatorAttestationRawResponse.ResponseData, and then populate transports in the controller from the raw response. There are a few reasons to collect transports, to help with user facing dialogs, but also to compare what transports are being used against a policy, or comparing what transports should be available according to the authenticator metadata. Basically this is incomplete at the moment.
| public byte[] UserId { get; set; } | ||
|
|
||
| public PublicKeyCredentialDescriptor Descriptor { get; set; } |
There was a problem hiding this comment.
Should we deprecate the descriptor or do we still have a use for it? (Now that we've added Id, PublicKey, Type to the class itself)
There was a problem hiding this comment.
Yeah, I don't see a reason to store both Id and Descriptor.
| /// <summary> | ||
| /// The Credential ID of the public key credential source. | ||
| /// </summary> | ||
| public byte[] Id { get; set; } |
There was a problem hiding this comment.
Do we want to use the same JsonConverter as we do on PublicKey?
There was a problem hiding this comment.
Already done in AuthenticatorAttestationRawResponse, no?
| /// The value of the attestationObject attribute when the public key credential source was registered. | ||
| /// Storing this enables the Relying Party to reference the credential's attestation statement at a later time. | ||
| /// </summary> | ||
| public byte[] AttestationObject { get; set; } |
There was a problem hiding this comment.
Do we want to use JsonConverter on this and AttestationClientDataJSON?
There was a problem hiding this comment.
Already done in AuthenticatorAttestationRawResponse, no?
Resolves #334 (and #350).