Closed jcarranzan closed 8 months ago
/cc @sberyozkin (security)
Also, area/documentation
@FroMage Hi Steph, is there a chance you can have a quick look, we keep getting issues opened against the WebAuthn extension, see also #32376
I am really sorry that I have to support the OP (original poster). The quarkus-webauthn documentation does have issues. To add another example:
@Doogiemuc I think it works without https. Do you have the bitwarden extension installed? https://github.com/bitwarden/clients/issues/6882 Because that does check for https.
- In the introduction section https://quarkus.io/guides/security-webauthn#introduction-to-webauthn, in the second paragraph, it could also be mentioned that WebAuthn can be emulated with the WebAuthn DevTools of the Chrome browser (https://developer.chrome.com/docs/devtools/webauthn/).
Good point, I didn't know it existed. I'll add a note about it in Prerequisites and in Testing the Application.
- The MyWebAuthnSetup class in the quickstart application uses the @ReactiveTransactional annotation, which has been deprecated and points users to use io.quarkus.hibernate.reactive.panache.common.WithTransaction instead. It would be nice to have this change reflected in https://github.com/quarkusio/quarkus/wiki/Migration-Guide-3.0#hibernate-reactive-panache.
OK, let's fix that.
- If I execute the security-webauthn-quickstart as said in the README steps, it will throw an error as I described here security-web-authn-quickstart fails with a netty connection refused in localhost/127.0.0.1:32769 quarkus-quickstarts#1336
HR000021: DDL command failed [io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:32769]
When the db is up and running (after docker-compose up), we need to specify these parameters in our mvn command to connect to the db properly:
mvn quarkus:dev -Dquarkus.datasource.reactive.url=postgresql://localhost:5432/elytron_security_webauthn -Dquarkus.datasource.username=quarkus -Dquarkus.datasource.password=quarkus
So I would suggest changing some of the description steps in the README.
I can't reproduce that.
- On the other hand, when the application is running and we go to localhost:8080 and go on the Admin API section (http://localhost:8080/api/admin) without logging in, the server returns a 302 and no changes are observed on the page. Perhaps the server should perform a proper redirection to a new webpage and send a 403 Forbidden code for unauthorized access.
This is by design: you get auto-redirected when credentials are needed and you're not logged in. You will get a non-redirect error when trying to access the admin page and you're logged in, though.
The quarkus-webauthn must definitely mention that this whole thing ONLY works in HTTPS with all TLS setup in place!
For Google Chrome, this is not true, localhost is allowed. I will mention it in the guide, though, because this is relevant for production deployment.
https://github.com/quarkusio/quarkus/pull/38373 should fix that.
Ok, thank you @FroMage .
Describe the bug
I went through the https://quarkus.io/guides/security-webauthn guide and found the following issues:
- The MyWebAuthnSetup class in the quickstart application uses the @ReactiveTransactional annotation, which has been deprecated and points users to use io.quarkus.hibernate.reactive.panache.common.WithTransaction instead. It would be nice to have this change reflected in https://github.com/quarkusio/quarkus/wiki/Migration-Guide-3.0#hibernate-reactive-panache.
- HR000021: DDL command failed [io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:32769]
When the db is up and running (after docker-compose up), we need to specify these parameters in our mvn command to connect to the db properly:
mvn quarkus:dev -Dquarkus.datasource.reactive.url=postgresql://localhost:5432/elytron_security_webauthn -Dquarkus.datasource.username=quarkus -Dquarkus.datasource.password=quarkus
So I would suggest changing some of the description steps in the README.
Expected behavior
No response
Actual behavior
No response
How to Reproduce?
No response
Output of uname -a or ver
No response
Output of java -version
No response
Quarkus version or git rev
No response
Build tool (ie. output of mvnw --version or gradlew --version)
No response
Additional information
No response