With the webauthn.io demo site no longer being backed by this library, it may be time to move the project to another organization (perhaps https://github.com/go-webauthn) and establish a new demo site. Thoughts?

This change allows FinishLogin to process appid requests if the appid key in the extensions map has a value. The extensions map is expected as a root member of the JSON object sent to the endpoint.

Closes #106

Co-authored-by: Clément Michaud [email protected]

So I'm experimenting with this library. Currently the issue is with the appid extension enabled it's claiming the device registered via u2f is not familiar. Newly registered keys work with my config, but the old FIDO ones do not. This issue occurs when navigator.credentials.get is called in either Chrome or Firefox. Code snips:

Creating the handler:

	if webauthnHandler, err = webauthn.New(&webauthn.Config{
		RPID:                  "webauthn.example.com",
		RPDisplayName:         "Webauthn",
		RPOrigin:              "https://webauthn.example.com",
		AttestationPreference: protocol.PreferIndirectAttestation,
	}); err != nil {
		panic(err)
	}

Credential added the users credentials:

	keyID, _ := base64.StdEncoding.DecodeString(encodedKeyHandleIDHere)
	pubkey, _ := base64.StdEncoding.DecodeString(encodedPubKeyHere)

	credential := webauthn.Credential{
		ID:              keyID,
		PublicKey:       pubkey,
		AttestationType: "fido-u2f", // Also tried with this commented.
		Authenticator: webauthn.Authenticator{
			SignCount: 0,
			AAGUID:    []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
		},
	}

Creating the assertion:

	assertion, data, err := webauthnHandler.BeginLogin(user,
		webauthn.WithUserVerification(body.UserVerification),
		webauthn.WithAssertionExtensions(map[string]interface{}{"appid": "https://webauthn.example.com"}),
	)

A long chain of dependencies is introduced via revoke's CT support. This currently leads to a broken module dependency for GRPC:

        github.com/duo-labs/webauthn/protocol imports
        github.com/duo-labs/webauthn/metadata imports
        github.com/cloudflare/cfssl/revoke imports
        github.com/cloudflare/cfssl/helpers imports
        github.com/google/certificate-transparency-go imports
        go.etcd.io/etcd imports
        github.com/coreos/etcd/etcdmain imports
        github.com/coreos/etcd/proxy/grpcproxy imports
        google.golang.org/grpc/naming: module google.golang.org/grpc@latest found (v1.30.0), but does not contain package google.golang.org/grpc/naming

Edit: It looks like revoke's validation is needed here. Any suggestions for fixing this dependency issue?

I'm using this library to add webauthn to a pet project. On my test domain, it was working just fine. I can register both my macbook pro (2017) and my phone (galaxy s9+), when I deploy it to my "production" environment, I can register my macbook, but I cannot register my phone.

When I try to register my phone I get the following error:

Error finding cert issued to correct hostname: x509: certificate signed by unknown authority.

Test domain is similar to: tst.tmp.example.nl, production domain is similar to: prod.example.xyz.

Is there any reason why a different end point would not be allowed?

https://github.com/sweetalert2/sweetalert2/wiki/Migration-from-SweetAlert-to-SweetAlert2

Seems that this library had a major breaking change which has broken WebAuthn.io demo site. I believe this will fix it, worked for me.

When running Dependency Scan we see Critical severities related to CVE-2020-26892.

Turns out this stems from the "github.com/cloudflare/cfssl" library. There seems to be only a single use of the library via github.com/cloudflare/cfssl/revoke (in the github.com/duo-labs/webauthn/metadata package) and that API does not use the function that raises the CVE.

Given that its the lone use, implementing that fairly small code (in relation to the library) directly into webauthn and removing "github.com/cloudflare/cfssl" would get rid of the Critical severity (and some "High" severities as well) seems like a good option (the other option would be to fix the library which might be more involved).

Is that a PR you'd consider ?

dgrijalva/jwt-go is no longer maintained: https://github.com/dgrijalva/jwt-go/issues/462 this PR exchanges dgrijalva/jwt-go (3.2.0) with github.com/golang-jwt/jwt (3.2.2)

This PR introduces two changes:

1. Updates the go directive in go.mod file by running go mod tidy -go=1.17 to enable module graph pruning and lazy module loading.
2. Update GitHub Actions go.yml to Go 1.17

Note 1: This PR does not prevent users with earlier Go versions from successfully building packages from this module.

Note 2: The additional require directive is used to record indirect dependencies for Go 1.17 or higher, see https://go.dev/ref/mod#go-mod-file-go.

I am using a YubiKey 5c with the webauth.io demo app, I am requesting direct attestation, however the AAGUID field is always zero'd out. The expected value is ee882879-721c-4913-9775-3dfcce97072a per https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs

I'm not sure if this is a bug or if I am going something incorrectly.

I like to use webauthn.io as reference implementation, but its quiet specific in some cases, especially the frontend is not really minimal (using jquery etc.)

It would be nice to have a minimal working example to compare the own implementation against.

Due to the fact that the standard is not very old the error handling in chrome is not very nice, and I only get a DomException whenever I try to navigator.credentials.create(). With a minimal example I could at least compare my options and the the options from the reference implementation.