duo-labs / py_webauthn

Pythonic WebAuthn 🐍
https://duo-labs.github.io/py_webauthn
BSD 3-Clause "New" or "Revised" License

Client or Server #153

Closed htgoebel closed 1 year ago

htgoebel commented 1 year ago

The Readme does not state whether this implements client-side (e.g. webbrowser, custom application) or a server-side of the API — or even both.

Please extend the Readme to state this. Thanks

MasterKale commented 1 year ago

Hello @htgoebel, the README currently attempts to address your question with the following:

The examples also include demonstrations of how to pass JSON-ified responses, using base64url encoding for ArrayBuffer values, into RegistrationCredential.parse_raw() and AuthenticationCredential.parse_raw() to be automatically parsed by the methods in this library. An RP can pair this with corresponding custom front end logic, or one of several frontend-specific libraries (like @simplewebauthn/browser, for example) to handle encoding and decoding such values to and from JSON.

And given that this is a Python library I assumed it would be clear that this is a backend-only library, since Python in the browser is only a novelty at this point (in my opinion anyway.)

Do you still believe the README needs to be clarified?

Whizfactor commented 1 year ago

Hello @MasterKale, using it with Django is possible, but using it as an API for an Angular app, would this work? How do you suggest I go about that? How do I pass data from the TypeScript (or ) equivalent of this package? Would love to use biometrics in an Angular app and pass the data to a Django backend.

I am still a young dev so forgive me.

jraynes commented 1 year ago

@Whizfactor Hi, to better answer your question webauthn requires both a server and a client that conform to the spec. This library handles generation of a JSON block on the server side that is passed to the client's browser via javascript to prompt the user to present their credential. Once the user has done so the javascript will return a key/signature object that you pass back to your server via POST call. Once it reaches your server you would call one of the verification functions from this project to validate.

https://webauthn.guide/ better explains the client side of things. And https://webauthn.io/ is a great working example to play with if you have a yubikey/android smart lock/windows hello enabled device.

htgoebel commented 1 year ago

Do you still believe the README needs to be clarified?

Yes, the Readme still needs improvement.

For understanding the section you quoted, one requires understanding details of the WebAuthn protocol — otherwise all these terms are just Greek for the reader. Also, the fact that this is Python does not imply it's server-side: one could easily imagine a client application offering WebAuthn (or even a browser implemented in Python), which would heavily benefit from a WebAuthn client library.

From the last answer I understood this implements the server side, so I created #155.

Whizfactor commented 1 year ago

Thanks a lot for your reply. Would check your guides to see if I can present only one means of authentication (e.g. biometric (fingerprint)) as that's what I need.


jraynes commented 1 year ago

I agree that the README for this project could be improved. Just trying to install this via pip I naturally assumed that pip3 install py_webauthn would do the trick but that's a completely different project. The right command is pip3 install webauthn. That should be included in the documentation here on github.

Also it appears that the JSON output returned from generate_registration_options() and generate_authentication_options() cannot be passed straight into a navigator.credentials call on the client side, even after doing a JSON.parse() on it. A simple explanation on how to cast this object properly would be helpful.

MasterKale commented 1 year ago

The right command is pip3 install webauthn. That should be included in the documentation here on github.

The correct pip install command is located at the top of the README:

[screenshot of the README's pip install command]

Also it appears that the JSON output returned from generate_registration_options() and generate_authentication_options() cannot be passed straight into a navigator.credentials call on the client side, even after doing a JSON.parse() on it. A simple explanation on how to cast this object properly would be helpful.

The Usage section details many of the considerations a user of py_WebAuthn must be aware of. This includes an overview of the need to transform the options you get out of py_webauthn client-side before feeding them into the WebAuthn API. I also included a link to a drop-in library suggestion for those who don't want to think about it, and that project is documented as well.

These details may be missed on a quick skim of this project's README, but that doesn't feel like a problem that is in scope for this library to solve.
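The client-side transformation that both jraynes and MasterKale refer to above (the options JSON from the server cannot go straight into `navigator.credentials`, and the credential the browser returns has to be JSON-ified with base64url values before `parse_raw()` can read it), as an added example that is not code from this thread or from py_webauthn. It assumes the server's JSON carries the binary fields (`challenge`, `user.id`, credential `id`s) as base64url strings, which is the convention the README describes for `parse_raw()`; the sample option values and the fake credential objects are constructed for the demonstration, and the function names are my own.

```javascript
// Added example, not code from py_webauthn or from this thread. It shows the two
// JSON <-> BufferSource conversions a browser front end needs when the back end
// uses py_webauthn: (1) turn the options JSON the server produced into what
// navigator.credentials.create()/get() accept, and (2) turn the credential the
// browser returns into base64url JSON for RegistrationCredential.parse_raw() /
// AuthenticationCredential.parse_raw(). Runs under Node; sample values are constructed.

// base64url (RFC 4648 section 5, unpadded) <-> bytes, using only plain base64 so
// it also works on Node versions without the 'base64url' Buffer encoding.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return new Uint8Array(Buffer.from(padded, 'base64'));
}

function bytesToBase64url(bytes) {
  return Buffer.from(bytes)
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Registration: challenge, user.id and excludeCredentials[].id are the fields that
// must be BufferSource (not strings) by the time the WebAuthn API sees them.
function toCreationOptions(optionsJSON) {
  const o = typeof optionsJSON === 'string' ? JSON.parse(optionsJSON) : optionsJSON;
  return {
    ...o,
    challenge: base64urlToBytes(o.challenge),
    user: { ...o.user, id: base64urlToBytes(o.user.id) },
    excludeCredentials: (o.excludeCredentials || []).map((c) => ({ ...c, id: base64urlToBytes(c.id) })),
  };
}

// Authentication: challenge and allowCredentials[].id.
function toRequestOptions(optionsJSON) {
  const o = typeof optionsJSON === 'string' ? JSON.parse(optionsJSON) : optionsJSON;
  return {
    ...o,
    challenge: base64urlToBytes(o.challenge),
    allowCredentials: (o.allowCredentials || []).map((c) => ({ ...c, id: base64urlToBytes(c.id) })),
  };
}

// Reverse direction for what navigator.credentials.create() returned: every
// ArrayBuffer becomes a base64url string so the object survives JSON.stringify().
function registrationResponseToJSON(cred) {
  return {
    id: cred.id,
    rawId: bytesToBase64url(new Uint8Array(cred.rawId)),
    type: cred.type,
    response: {
      clientDataJSON: bytesToBase64url(new Uint8Array(cred.response.clientDataJSON)),
      attestationObject: bytesToBase64url(new Uint8Array(cred.response.attestationObject)),
    },
  };
}

// Same for navigator.credentials.get(); userHandle is null when the authenticator
// returned none, so keep it null instead of encoding it.
function authenticationResponseToJSON(cred) {
  const r = cred.response;
  return {
    id: cred.id,
    rawId: bytesToBase64url(new Uint8Array(cred.rawId)),
    type: cred.type,
    response: {
      clientDataJSON: bytesToBase64url(new Uint8Array(r.clientDataJSON)),
      authenticatorData: bytesToBase64url(new Uint8Array(r.authenticatorData)),
      signature: bytesToBase64url(new Uint8Array(r.signature)),
      userHandle: r.userHandle ? bytesToBase64url(new Uint8Array(r.userHandle)) : null,
    },
  };
}

// Constructed sample of what a server might hand the browser (values are made up;
// a real py_webauthn server fills them from its own registration state).
const SAMPLE_REGISTRATION_OPTIONS_JSON = JSON.stringify({
  rp: { name: 'Example RP', id: 'example.com' },
  user: { id: 'dXNlci0xMjM', name: 'alice', displayName: 'Alice' }, // "user-123"
  challenge: 'AQIDBAUGBwgJCgsMDQ4PEA', // bytes 0x01..0x10
  pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
  excludeCredentials: [{ type: 'public-key', id: 'AAECAw' }], // bytes 00 01 02 03
  timeout: 60000,
  attestation: 'none',
});

// In the browser the round trip would then be (hypothetical endpoint path):
//   const cred = await navigator.credentials.create({ publicKey: toCreationOptions(json) });
//   await fetch('/register/verify', { method: 'POST',
//     headers: { 'Content-Type': 'application/json' },
//     body: JSON.stringify(registrationResponseToJSON(cred)) });
```

The `...o` spreads keep every other field (`rp`, `pubKeyCredParams`, `timeout`, `attestation`) untouched, so only the binary fields change shape; if a server ever emits a field this code does not know about, it still passes through unmodified.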

jraynes commented 1 year ago

The correct pip install command is located at the top of the README:

My bad, didn't see that. Would be nice if the github project and the pip package shared the same name though.

These details may be missed on a quick skim of this project's README, but that doesn't feel like a problem that is in scope for this library to solve.

Respectfully, I hope you will consider how this thinking may frustrate a developer interested in webauthn and hold the standard back from further adoption. A few lines of example code showing how I can use simplewebauthn with a JSON object generated from this library isn't much to ask IMO.

MasterKale commented 1 year ago

A few lines of example code showing how I can use simplewebauthn with a JSON object generated from this library isn't much to ask IMO.

With all due respect I call out the examples I include in this project under both Registration and Authentication...

...which point to these files in this project:

This has been my attempt to communicate the simple and more complex ways to call the key methods in this library for the back end's responsibilities in the whole WebAuthn song and dance.

For the front end piece I didn't want to appear to "pick a winner" with any particular front end library. I wrote @simplewebauthn/browser to work with @simplewebauthn/server, but I admit to pairing @simplewebauthn/browser with py_webauthn so they'd work together because it wasn't in scope to include a front-end library for this project.

However there are other great front-end-centric WebAuthn libraries too that will work perfectly fine with this library. I've wanted to leave it as an exercise to developers to choose their combination of libraries. I'm not sure how I can do that without picking one of the other open-source WebAuthn libraries I personally wrote (I maintain this library professionally, as a member of Duo Security at Cisco) and making it appear like you can only use py_webauthn with one of my other libraries.

...I hope you will consider how this thinking may frustrate a developer interested in webauthn and hold the standard back from further adoption.

I agree with you on this point. The README on this project was never intended to be an educational resource for those who are just starting out with WebAuthn. There are other great resources available for developers to get their feet wet with the API, like this Google codelab (https://developers.google.com/codelabs/webauthn-reauth#0), and I maintain my own example project here with a fully functioning example project you can run locally and experiment (https://simplewebauthn.dev/docs/advanced/example-project). Plus there's also webauthn.io.

Tell you what, in the next week or two I'll take a look at the README through the eyes of someone earlier in their WebAuthn journey. At the very least I can consider adding a new "just starting out" section that simply points out some of these other resources I listed above, chooses the front end library to pair with py_webauthn for sake of "just get something going", and suggests other places to turn to to learn more. 🤔

htgoebel commented 1 year ago

@Whizfactor @jraynes Please stop misusing this issue. This issue is about a small deficit in the Readme ("Client or Server"), while you demand the Readme to become a tutorial and are basically asking for support. Conquering other people's issues is quite unfriendly as it distracts from the original topic. In this very case it may lead to the small improvement not being made since you bury it under your discussion.

MasterKale commented 1 year ago

The README has been updated to clarify that this library is for the server-side part of WebAuthn.