Closed 8ma10s closed 1 year ago
UPDATE

Never mind me! I forgot that the `authenticator_selection` contains the `authenticator_attachment` attribute. See this test
Let me check. (sorry for the late reply)
@santiagorodriguez96 sorry for late response.
I just played around with the demo rails server, and it seems like the problem is as follows:
`credentials.get` uses https://github.com/ericelliott/credential, which was last updated almost 2 years ago, so its `get()` does NOT return the new field `authenticatorAttachment`.
So basically, it's not the rails gem's problem, but the frontend code's problem.
I confirmed that switching the frontend implementation from using https://github.com/ericelliott/credential to https://github.com/github/webauthn-json successfully returns `authenticatorAttachment` to your backend demo code.
Here's what I got for the backend after the modification:
webauthn_credential = WebAuthn::Credential.from_get(params)
Rails.logger.info(webauthn_credential)
produces
{"type"=>"public-key", "id"=>"TecfTRasmz5e6BkT6T8Yz4cZYDUW_NLXInHrjMojI3A", "rawId"=>"TecfTRasmz5e6BkT6T8Yz4cZYDUW_NLXInHrjMojI3A", "authenticatorAttachment"=>"platform", "response"=>{
...
It feels to me that it could be a good idea to add this argument to the initialization of `PublicKeyCredential` in both `spec/webauthn/public_key_credential_with_attestation_spec.rb` and `spec/webauthn/public_key_credential_with_assertion_spec.rb`.
added 👍 3e17fcd
I also found this thing called `fake_client` that's used in some of the specs, so I modified that code too.
This ensures that even if frontend code (and thus a backend server using this gem) starts passing in `authenticatorAttachment`, the existing behavior will not get affected.
Why

https://w3c.github.io/webauthn/#iface-pkcredential

The Level 3 draft of WebAuthn adds an optional parameter `authenticatorAttachment` on `PublicKeyCredential` (and `AuthenticatorAttestationResponse` and `AuthenticatorAssertionResponse`, which inherit it, of course). This field allows RP developers to detect whether the authentication was done using a platform authenticator that always exists on that particular device, or a cross-platform authenticator that only exists on that device temporarily.
In the latter case of using a cross-platform authenticator, the RP can prompt the user to register a platform authenticator so that the user won't lose the ability to sign in on that device.
Since some vendors (I confirmed with Mac Chrome) are already passing this optional parameter `authenticatorAttachment`, I want this gem to be able to support reading values from that field.

What

Allow initializing the `PublicKeyCredential` class with an optional argument `authenticator_attachment`.

Misc

I obtained the authenticator response returned from the client on sign-in (using the dev console), and ran `WebAuthn::Credential.from_get` on that response. As you can see, I can now obtain the value of `authenticator_attachment`
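The following is an added example (not code from this PR or from the webauthn-ruby gem) showing the two things the description and the comment thread discuss: parsing the optional `authenticatorAttachment` field out of the JSON a browser-side serializer posts back, tolerating its absence when an older frontend library drops it, and then using it the way the "Why" section describes (prompting the user to enrol a platform authenticator after a cross-platform sign-in). The `ParsedCredential` class and the `suggest_platform_registration?` helper are hypothetical stand-ins for the gem's own `PublicKeyCredential`, and the sample JSON is constructed to match the shape of the logged hash above with placeholder values.

```ruby
require "json"

# Constructed sample of the JSON a browser-side serializer (e.g. webauthn-json)
# posts back from navigator.credentials.get(). The shape follows the hash logged
# in the PR thread; id/rawId and the response fields are placeholders.
SAMPLE_ASSERTION_JSON = <<~JSON
  {
    "type": "public-key",
    "id": "EXAMPLE_CREDENTIAL_ID",
    "rawId": "EXAMPLE_CREDENTIAL_ID",
    "authenticatorAttachment": "platform",
    "response": {
      "clientDataJSON": "EXAMPLE_CLIENT_DATA",
      "authenticatorData": "EXAMPLE_AUTH_DATA",
      "signature": "EXAMPLE_SIGNATURE"
    }
  }
JSON

# The two values the WebAuthn AuthenticatorAttachment enum defines.
ALLOWED_ATTACHMENTS = %w[platform cross-platform].freeze

# Hypothetical stand-in for the gem's PublicKeyCredential (not webauthn-ruby's
# class); it only models how the optional attachment field is carried.
class ParsedCredential
  attr_reader :type, :id, :raw_id, :response, :authenticator_attachment

  def initialize(type:, id:, raw_id:, response:, authenticator_attachment: nil)
    @type = type
    @id = id
    @raw_id = raw_id
    @response = response
    @authenticator_attachment = authenticator_attachment
  end

  # Build from the client JSON (already parsed into a Hash). The field is
  # optional so frontends that never send it keep working (nil); a value
  # outside the enum is rejected instead of being stored.
  def self.from_client(params)
    attachment = params["authenticatorAttachment"]
    if !attachment.nil? && !ALLOWED_ATTACHMENTS.include?(attachment)
      raise ArgumentError, "unknown authenticatorAttachment: #{attachment.inspect}"
    end

    new(
      type: params.fetch("type"),
      id: params.fetch("id"),
      raw_id: params.fetch("rawId"),
      response: params.fetch("response"),
      authenticator_attachment: attachment
    )
  end
end

# RP-side use of the field: after a successful assertion made with a roaming
# (cross-platform) authenticator, suggest enrolling a platform authenticator so
# the user keeps a way to sign in on this device. nil (field absent) gives no
# suggestion, which preserves the pre-Level-3 behaviour.
def suggest_platform_registration?(credential)
  credential.authenticator_attachment == "cross-platform"
end

if __FILE__ == $PROGRAM_NAME
  credential = ParsedCredential.from_client(JSON.parse(SAMPLE_ASSERTION_JSON))
  puts "authenticator_attachment: #{credential.authenticator_attachment.inspect}"
  puts "suggest platform registration? #{suggest_platform_registration?(credential)}"
end
```

One caveat worth keeping in mind when wiring this into a real RP: `authenticatorAttachment` is reported by the client platform and is not part of the signed `authenticatorData`, so it is a hint for enrolment prompts and UX, not an input to the authentication decision itself, which should rest only on the verified assertion.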