Status: Open
Labels: status: waiting-for-triage (An issue we've not yet triaged); type: enhancement (A general enhancement)
Description
Expected Behavior
The Webauthn4JRelyingPartyOperations class should properly extract and validate token binding information from the WebAuthn client data according to the WebAuthn specification and RFC 8471.
According to the WebAuthn specification, the tokenBinding field in CollectedClientData should be:
- Parsed from the client data JSON
- Validated according to RFC 8471 Token Binding Protocol
- Passed to the WebAuthn4J library for verification
Current Behavior
Currently, the token binding ID is hardcoded to null with a FIXME comment:
File: webauthn/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java:251
byte[] tokenBindingId = null /* set tokenBindingId */; // FIXME:
// https://www.w3.org/TR/webauthn-1/#dom-collectedclientdata-tokenbinding
ServerProperty serverProperty = new ServerProperty(origins, rpId, challenge, tokenBindingId);
This means:
- Token binding validation is completely skipped
- Security benefits of token binding are not utilized
- The implementation is incomplete according to WebAuthn specification
Context
How has this issue affected you?
As a developer implementing WebAuthn authentication, the missing token binding support means that applications cannot take advantage of the additional security layer that token binding provides against certain types of attacks.
What are you trying to accomplish?
I want to implement a complete WebAuthn solution that follows the full specification, including token binding support for enhanced security.
What other alternatives have you considered?
1. Implementing token binding parsing manually in application code (not ideal)
2. Using a different WebAuthn library (defeats the purpose of using Spring Security)
3. Accepting the security limitation (not acceptable for production)
Are you aware of any workarounds?
Currently, there are no practical workarounds since the token binding extraction needs to happen at the framework level before validation.
Additional Information
- Module: WebAuthn (spring-security-webauthn)
- Specification: https://www.w3.org/TR/webauthn-1/#dom-collectedclientdata-tokenbinding
- Related RFC: https://tools.ietf.org/html/rfc8471
- Impact: Security enhancement
- Complexity: Medium (requires JSON parsing and RFC 8471 validation)
Proposed Implementation Plan
If assigned to this issue, I would:
1. Phase 1: Add token binding extraction from clientDataJSON
2. Phase 2: Implement RFC 8471 validation logic
3. Phase 3: Integrate with existing WebAuthn4J ServerProperty
4. Phase 4: Add comprehensive tests covering:
- Present token binding scenarios
- Absent token binding scenarios
- Malformed token binding data
- RFC 8471 compliance tests
I would like to work on this issue and contribute this enhancement to Spring Security.
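Added example (editor's note): the following Python sketch is not part of this issue, of Spring Security, or of WebAuthn4J. It shows the logic the issue asks for, in language-neutral form: parsing the tokenBinding member out of clientDataJSON, rejecting malformed values, and applying the WebAuthn verification step that compares the client's reported status and id against the Token Binding state of the TLS connection that delivered the response. It also walks through the present, absent and malformed scenarios listed in the test plan above. Assumptions: the server already knows the connection's RFC 8471 Token Binding ID (obtaining it from the TLS layer is outside this sketch and is modelled as the connection_binding_id parameter); all sample client data and IDs are constructed values, not real ceremony data; the function and constant names are the example's own.

```python
import base64
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# tokenBinding.status values defined for CollectedClientData in WebAuthn Level 1.
VALID_STATUSES = {"present", "supported", "not-supported"}


@dataclass(frozen=True)
class TokenBinding:
    status: str
    id: Optional[bytes]  # decoded Token Binding ID; only set when status == "present"


def _b64url_decode(value: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for tokenBinding.id."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def extract_token_binding(client_data_json: bytes) -> Optional[TokenBinding]:
    """Parse CollectedClientData and return its tokenBinding member, or None when absent.

    Malformed input raises ValueError so the caller rejects the ceremony instead of
    silently downgrading to 'no binding'.
    """
    try:
        client_data = json.loads(client_data_json.decode("utf-8"))
    except ValueError as exc:  # covers UnicodeDecodeError and JSONDecodeError
        raise ValueError(f"clientDataJSON is not valid JSON: {exc}") from exc
    if not isinstance(client_data, dict):
        raise ValueError("clientDataJSON must be a JSON object")

    tb = client_data.get("tokenBinding")
    if tb is None:
        return None  # optional member; a client without Token Binding support omits it
    if not isinstance(tb, dict):
        raise ValueError("tokenBinding must be a JSON object")
    status = tb.get("status")
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown tokenBinding.status: {status!r}")
    if status != "present":
        return TokenBinding(status=status, id=None)
    raw_id = tb.get("id")
    if not isinstance(raw_id, str) or not raw_id:
        raise ValueError("tokenBinding.id is required when status is 'present'")
    try:
        return TokenBinding(status=status, id=_b64url_decode(raw_id))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("tokenBinding.id is not valid base64url") from exc


def verify_token_binding(client_data_json: bytes,
                         connection_binding_id: Optional[bytes]) -> Optional[bytes]:
    """WebAuthn verification step: the client's reported status must match the TLS
    connection's Token Binding state, and when a binding exists the IDs must agree.

    connection_binding_id is the ID negotiated on the connection that delivered the
    response (None if it used no Token Binding). Returns the ID to hand on to the
    library, i.e. the value the issue says is currently passed as null.
    """
    tb = extract_token_binding(client_data_json)
    if connection_binding_id is None:
        if tb is not None and tb.status == "present":
            raise ValueError("client reports Token Binding but the connection has none")
        return None
    if tb is None or tb.status != "present":
        raise ValueError("connection used Token Binding but client data does not report it")
    if not hmac.compare_digest(tb.id, connection_binding_id):
        raise ValueError("tokenBinding.id does not match the connection's Token Binding ID")
    return tb.id


def make_client_data(**members) -> bytes:
    """Constructed CollectedClientData for demonstration only (not a real ceremony)."""
    data = {"type": "webauthn.get", "challenge": "c2FtcGxlLWNoYWxsZW5nZQ",
            "origin": "https://rp.example"}
    data.update(members)
    return json.dumps(data).encode("utf-8")


SAMPLE_ID = b"\x01\x02\x03\x04"  # constructed Token Binding ID
SAMPLE_ID_B64URL = "AQIDBA"      # its unpadded base64url encoding
PRESENT = {"status": "present", "id": SAMPLE_ID_B64URL}


def run_scenarios() -> dict:
    """Exercise present / absent / malformed cases; 'rejected' marks a ValueError."""
    cases = {
        "absent_no_binding": (make_client_data(), None),
        "present_matching": (make_client_data(tokenBinding=PRESENT), SAMPLE_ID),
        "present_mismatch": (make_client_data(tokenBinding=PRESENT), b"\x09\x09\x09\x09"),
        "present_but_no_binding": (make_client_data(tokenBinding=PRESENT), None),
        "supported_no_binding": (make_client_data(tokenBinding={"status": "supported"}), None),
        "absent_but_bound": (make_client_data(), SAMPLE_ID),
        "malformed_not_object": (make_client_data(tokenBinding="present"), None),
        "malformed_missing_id": (make_client_data(tokenBinding={"status": "present"}), SAMPLE_ID),
        "malformed_bad_status": (make_client_data(tokenBinding={"status": "maybe"}), None),
        "malformed_json": (b"{not json", None),
    }
    results = {}
    for name, (client_data_json, conn_id) in cases.items():
        try:
            results[name] = verify_token_binding(client_data_json, conn_id)
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24} -> {outcome!r}")
```

The design point worth carrying into a framework-level fix is that absence and malformation are treated differently: an omitted tokenBinding member is legitimate (the client simply has no Token Binding), whereas a tokenBinding that is not an object, carries an unknown status, or claims "present" without a decodable id is rejected rather than mapped to null, since mapping it to null would reintroduce the silent skip the issue describes.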