AlfioEmanueleFresta / xdg-credentials-portal

FIDO2 (WebAuthn) and FIDO U2F platform library for Linux written in Rust; includes a proposal for a new D-Bus Portal interface for FIDO2, accessible from Flatpak apps and Snaps 🔑
GNU Lesser General Public License v2.1

Integration / collaboration opportunities - Kanidm's Webauthn library #34

Open micolous opened 1 year ago

micolous commented 1 year ago

Hi,

I've been working on Kanidm's Webauthn Authenticator library, which has a lot of overlap with the work you're doing with libwebauthn; some of which is probably interesting to you.

Kanidm's library has a low level interface (for passing CTAP messages) and high level interface (for platform level stuff). The high level interface (which has a lot of overlap with your "future plans") currently has a SoftToken, and bindings for Mozilla's authenticator-rs (which I'm planning to replace) and Windows' WebAuthn API. There's someone currently writing bindings for macOS' Passkey API; and a future xdg-credential-platform would be an ideal target for that.

On the low-level side (which is where most of the libwebauthn overlap is), I'm currently building up a more complete implementation to allow us to replace Mozilla's authenticator-rs library. At the moment that targets FIDO 2.0/2.1 via NFC (via PC/SC) and USB HID (via hidapi) transports, with a view to eventually supporting BLE (and probably caBLE) in a similar (cross-platform) way.

Kanidm's WebAuthn (not just authenticators) library also has a bunch of compatibility tests, because it seems many things are broken in fun and exciting ways (authenticators, browsers, clients, platforms...) or just not implemented at all; and the specifications often leave a lot to be desired (or are plain wrong).

The goal with all that is to be able to provide a portable WebAuthn implementation that can be used anywhere, not just in browsers or on websites.

We normally lurk on https://gitter.im/kanidm/community if you want to say hi. 😄

AlfioEmanueleFresta commented 1 year ago

Thanks for reaching out @micolous!

I didn't know about your project and it looks great! I'd love to spend some time looking into kanidm and thinking about how it compares to libwebauthn, but I already really like what the kanidm team has done in terms of compliance/compat testing.

I'll reach out on gitter to discuss this further :)