GitHub - rwinch/spring-security-webauthn

This is a sample application to experiment with passkeys and eventually be merged into Spring Security.

Using in your own project

Clone the repository and then publish to your local file system.

./gradlew publish
tree build/repo
build/repo
└── io
    └── github
        └── rwinch
            └── webauthn
                └── spring-security-webauthn
                    ├── 0.0.1-SNAPSHOT
                    │   ├── maven-metadata.xml
                    │   ├── spring-security-webauthn-0.0.1-20240510.034131-1.jar
                    │   ├── spring-security-webauthn-0.0.1-20240510.034131-1.pom
                    │   ├── ...
                    ├── ...
                    ├── maven-metadata.xml

Then you can add it as a dependency:

pom.xml

<dependencies>
    <dependency>
        <groupId>io.github.rwinch.webauthn</groupId>
        <artifactId>spring-security-webauthn</artifactId>
        <version>0.0.1-SNAPSHOT</version>
    </dependency>
    <!-- ... -->
</dependencies>
<repositories>
    <repository>
      <id>spring-webauthn</id>
      <!-- replace with the path to the build/repo on your file system -->
      <url>file:///home/rwinch/code/rwinch/spring-security-webauthn/main/build/repo/</url>
    </repository>
    <!-- ... -->
  </repositories>

build.gradle

dependencies {
    implementation 'io.github.rwinch.webauthn:spring-security-webauthn:0.0.1-SNAPSHOT'
    // ...
}
repositories {
    maven {
        // replace with the path to the build/repo on your file system
        url = 'file:///home/rwinch/code/rwinch/spring-security-webauthn/main/build/repo/'
    }
    // ...
}

Alternatively, you can publish to your Maven local cache:

./gradlew publishToMavenLocal

https://example.localhost.example:8443

Many Authenticators do will not work unless https is used & some will not work with localhost. This section discusses how to setup your workspace to use https://example.localhost:8443/ with a certificate that is signed by a trusted CA.

Using a Valid Domain

For security reasons, many Authenticators do not allow using localhost as the host for WebAuthn. The WebAuthn specification requires that the RP ID is a valid, effective domain. See w3c/webauthn#1204 for details.

https://datatracker.ietf.org/doc/html/rfc2606#section-2[RFC2606 states] that .localhost is a valid TLD that is typically mapped to `127.0.0.1`.
This means that we can use example.localhost as our host name.

NOTE: If this does not resolve to 127.0.0.1, you can https://docs.rackspace.com/docs/modify-your-hosts-file[edit your hosts file] to map passkeys.localhost to 127.0.0.1.

+

/etc/hosts

127.0.1.1	example.localhost

mkcert

This repository is exploring multifactor authentication with webauthn. To follow along on the discussions see spring-projects/spring-security#6842

Visit http://localhost:8080/
Log in with user / password
If you visit http://localhost:8080/ no additional authentication is required
If you visit http://localhost:8080/secure you will be prompted for webauthn log in. The first time you will be required to register.
Use http://localhost:8080/logout to log out

Name		Name	Last commit message	Last commit date
Latest commit History 124 Commits
.github		.github
.idea		.idea
.mvn/wrapper		.mvn/wrapper
.vscode		.vscode
gradle		gradle
sample		sample
spring-security-webauthn		spring-security-webauthn
.gitignore		.gitignore
.sdkmanrc		.sdkmanrc
HELP.md		HELP.md
README.adoc		README.adoc
gradlew		gradlew
gradlew.bat		gradlew.bat
settings.gradle		settings.gradle
webauthn.iml		webauthn.iml

rwinch/spring-security-webauthn

Folders and files

Latest commit

History

Repository files navigation

Using in your own project

Using a Valid Domain

mkcert

About

Resources

Code of conduct

Security policy

Stars

Watchers

Forks

Languages