Closed wolendranh closed 3 years ago
Hi!
We've had some organizational changes recently, and I'm afraid this project did fall through the cracks. I'll work on a plan to provide at least maintenance if not active development.
Thanks for calling this out. If there are urgent PRs, I'd appreciate if you could drop a mention to them here, and I'll prioritize them.
Most especially android-safetynet attestation format as well as apple attestation format.
Hi @kylelady
This PR has been open for about a year (https://github.com/duo-labs/py_webauthn/pull/78). It seems to have been approved but never merged. It'd be great to include this as yubikeys support these keys and we use these. Thanks.
Hi @kylelady! Is there any progress on prioritisation of issues mentioned above?
Would you consider a more radical option? I maintain Flask-Security over at: https://github.com/Flask-Middleware
In my queue is to integrate with webauthn - and this library seems like the perfect fit (https://github.com/Yubico/python-fido2 seems too low-level and too broad)
My offer/proposal - move this repo over to Flask-Middleware - I would do the administrative stuff - triage issues, update to standard style, etc. manage releases, change lists etc. To start, though I have a background in security - I am not up to speed on webauthn - and would need expert eyes on reviewing major changes. Whomever from the current project that still wants admin/write access would of course keep that.
Lots of details - an alternative if duolabs/cisco isn't interested in maintaining/improving this package...
Speaking as a heavy Flask user, I would be delighted to see this move over to Flask-Middleware. Suspect many others would feel the same. Would probably speed up adoption.
On Thu, Jun 10, 2021 at 3:25 PM Chris Wagner @.***> wrote:
> Would you consider a more radical option? I maintain Flask-Security over at: https://github.com/Flask-Middleware
> In my queue is to integrate with webauthn - and this library seems like the perfect fit (https://github.com/Yubico/python-fido2 seems too low-level and too broad)
> My offer/proposal - move this repo over to Flask-Middleware - I would do the administrative stuff - triage issues, update to standard style, etc. manage releases, change lists etc. To start, though I have a background in security - I am not up to speed on webauthn - and would need expert eyes on reviewing major changes. Whomever from the current project that still wants admin/write access would of course keep that.
> Lots of details - an alternative if duolabs/cisco isn't interested in maintaining/improving this package...
ping
Hello all, I'm one of the new maintainers of this repo. Thank you for your continued interest in py_webauthn, it's been a motivating force in the work I've been doing at Duo to rewrite this library from the ground up. Gaining access to this repo was the first step in the deployment plan, next will be preparing the library to be released and maintained here. I don't have an ETA on this work, but it is high up my priority list.
I'm still trying to figure out what to do about open PR's and issues. The library I've been working on is a complete rewrite with nothing in common with the current webauthn package. Some PR's may become invalid, while others stand a chance of rebasing off master and updating to the new internal code structure. Stay tuned for more info.
I promise it'll be worth it! In terms of functionality that's already been developed, the new library already supports:
- Registration options generation
- Authentication options generation
- Authentication response verification
- Registration with the following attestation statement formats:
  - "none"
  - "fido-u2f"
  - "packed"
  - "tpm"
("apple", and the "android-safetynet" and "android-key" are still WIP)
And the library will be framework-agnostic, making it suitable for use in Flask via custom middlewares, Django, you name it! Hopefully that'll be enticing enough to smooth out any issues that arise with the upcoming transition.
Thank you for your patience going forward 🙇
Great!
I am a heavy Flask user. Zooming way out for a moment, why would I want to use this package rather than or in addition to what comes with Flask (flask-login)? What does it get me?
On Thu, Jul 8, 2021 at 12:14 PM Matthew Miller @.***> wrote:
> Hello all, I'm one of the new maintainers of this repo. Thank you for your continued interest in py_webauthn, it's been a motivating force in the work I've been doing at Duo to rewrite this library from the ground up. Gaining access to this repo was the first step in the deployment plan, next will be preparing the library to be released and maintained here. I don't have an ETA on this work, but it is high up my priority list.
> I'm still trying to figure out what to do about open PR's and issues. The library I've been working on is a complete rewrite with nothing in common with the current webauthn package. Some PR's may become invalid, while others stand a chance of rebasing off master and updating to the new internal code structure. Stay tuned for more info.
> I promise it'll be worth it! In terms of functionality that's already been developed, the new library already supports:
> - Registration options generation
> - Authentication options generation
> - Authentication response verification
> - Registration with the following attestation statement formats:
>   - "none"
>   - "fido-u2f"
>   - "packed"
>   - "tpm"
>
> ("apple", and the "android-safetynet" and "android-key" are still WIP)
> And the library will be framework-agnostic, making it suitable for use in Flask via custom middlewares, Django, you name it! Hopefully that'll be enticing enough to smooth out any issues that arise with the upcoming transition.
> Thank you for your patience going forward 🙇
@MasterKale What's the rationale behind rewriting this from ground up? What does it exactly mean that the new one will have 'nothing in common' with the current lib?
> @MasterKale What's the rationale behind rewriting this from ground up?
I have opinions on how a WebAuthn library should be written and architected to achieve the flexibility needed to easily accommodate changes to an evolving API spec. With the benefit of my experiences in writing such a library, and with the benefit of time (as the spec is on L2 while a lot of this code was written to the L1 spec) I believed this library had a better chance of growing along with the spec if I started from scratch.
> What does it exactly mean that the new one will have 'nothing in common' with the current lib?
The code is all new, unit tests are all new, the API is new, new helper methods will be available to help with getting options and responses to and from the browser...it is an entirely new package that will be published as a major release.
@MasterKale how soon should we be expecting this release?
> @MasterKale how soon should we be expecting this release?
As I mentioned earlier I don't have an ETA on this work. I'd measure the wait in months, though, and definitely not years :)
Hi! Any chance we could get an update? I don't see any commits or branches for this rewrite. I think everyone on this thread really appreciates all the work that goes into maintaining and updating packages like this. I know that I am keen to get my hands on any early-access drops you might have.
Thanks again.
Hello @jwag956, thank you for the bump. As a matter of fact the rewrite has largely been completed internally - as of today I've got a new version waiting in the wings with full support for WebAuthn L2 registration (including all current attestation formats) and authentication. The trick has been finding the time to take the code and sanitize it for open-sourcing (removing references to Duo from imports, making sure unit tests work, etc...) Coincidentally I've started that effort today. No ETA yet because I won't commit to anything I know I can't hit.
Please bear with me as I work on getting the new version of the library ready. I also plan on revamping the example app, and redoing docs for the new library API, but if the demand from you all is there then perhaps I release the library itself as "1.0.0-beta" for all of you to start testing, then start work on the example app and docs. Once that's done I can release it all as "1.0.0" proper to signify my confidence that this library is ready for use in production environments.
Awesome! I am working on adding webauthn support in Flask-Security - so I would love access to an early-access version. Given the large change, getting it out early (and often) might be a good tactic - you could start with 1.0.0-alpha1 which has caveats around lack of tests, possible API changes, things that aren't implemented yet - and get some of the community to start playing with it. Who knows what we'll find!
I suppose it goes without saying - but no need to post a release on PyPI - just get the code into main/master and simply add a tag anytime you think there is nice incremental progress - some of us would probably just grab main/master for testing.
It's your lucky day, it didn't take as long to prepare the codebase as I thought. Take a look at PR #95 and let me know what you think. If I don't merge it tomorrow I'll aim to do so early next week and then release "1.0.0-beta1" for testing (and also to make sure the publishing pipeline is still good to go)
@MasterKale I think this is great. Hope to experiment with it and write about it.
Let the newly-released v1.0.0 signal my intention to maintain this library for as long as Duo sees fit to employ me. I look forward to your feedback 🙇
Hi! Latest issues are left without comments from project developers. Some important things are not implemented, like additional attestation formats etc. PRs also seem not to be reviewed. Is there some development in this project?