tweag / webauthn

A library for parsing and validating webauthn/fido2 credentials
Apache License 2.0

Have an extension mechanism #35

Open infinisil opened 2 years ago

infinisil commented 2 years ago

The WebAuthn specification allows having extensions to the standard, as defined here. We should have a generic way to specify such extensions.

lykahb commented 1 year ago

@infinisil @ErinvanderVeen Mercury plans to implement the credProps extension. What do you think about the idea below, particularly about adding extensions data as Maybe fields under AuthenticationExtensionsClientInputs and AuthenticationExtensionsClientOutputs? After adding the fields, updating the instances would be trivial. The extensions don't seem to need much logic in this library, just encoding and decoding.

Changes

Extend the types AuthenticationExtensionsClientInputs and AuthenticationExtensionsClientOutputs. Using Maybe fields is similar to the examples of partial dictionaries in the W3C spec. The naming follows the spec too, ignoring the prefix for the Haskell record field name.

```haskell
data CredentialPropertiesOutput = CredentialPropertiesOutput
  { cpoResidentKey :: Bool
  -- ^ the W3C spec calls this field `rk`, but a full name is more self-explanatory.
  }

data AuthenticationExtensionsClientInputs = AuthenticationExtensionsClientInputs
  { aeciCredProps :: Maybe Bool
  }

data AuthenticationExtensionsClientOutputs = AuthenticationExtensionsClientOutputs
  { aecoCredProps :: Maybe CredentialPropertiesOutput
  }
```

infinisil commented 1 year ago

Looks good to me! Afaik currently all fields use the same naming as the spec, but I'm not religious about maintaining that
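
The encode/decode step discussed in this thread, as an added example that is not part of the issue or of the library's code. It assumes the `aeson` package and uses shortened, hypothetical type names; `rk` is modelled as `Maybe Bool` because the W3C spec marks that property optional, which differs from the plain `Bool` in the sketch above.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Data.Aeson (FromJSON (..), ToJSON (..), decode, encode, object, withObject, (.:?), (.=))
import Data.ByteString.Lazy (ByteString)
import Data.Maybe (catMaybes)

-- Registration input: { "credProps": true } asks the client to report properties.
newtype ClientInputs = ClientInputs {ciCredProps :: Maybe Bool}
  deriving (Eq, Show)

-- credProps output. `rk` may be absent, meaning "unknown", hence Maybe
-- (assumption of this example; the sketch in the thread uses a plain Bool).
newtype CredentialPropertiesOutput = CredentialPropertiesOutput {cpoResidentKey :: Maybe Bool}
  deriving (Eq, Show)

newtype ClientOutputs = ClientOutputs {coCredProps :: Maybe CredentialPropertiesOutput}
  deriving (Eq, Show)

-- Omit unset extensions instead of sending null, like a partial dictionary.
instance ToJSON ClientInputs where
  toJSON (ClientInputs cp) = object (catMaybes [("credProps" .=) <$> cp])

instance FromJSON CredentialPropertiesOutput where
  parseJSON = withObject "CredentialPropertiesOutput" $ \o ->
    CredentialPropertiesOutput <$> o .:? "rk"

-- Unknown extension keys are ignored; a missing credProps decodes to Nothing.
instance FromJSON ClientOutputs where
  parseJSON = withObject "AuthenticationExtensionsClientOutputs" $ \o ->
    ClientOutputs <$> o .:? "credProps"

main :: IO ()
main = do
  -- Encoded extension inputs sent with the registration options.
  print (encode (ClientInputs (Just True)))
  -- Constructed sample clientExtensionResults values: rk present, rk absent,
  -- extension absent, and a wrongly typed rk that must be rejected.
  mapM_ (print . (decode :: ByteString -> Maybe ClientOutputs))
    [ "{\"credProps\":{\"rk\":true}}"
    , "{\"credProps\":{}}"
    , "{}"
    , "{\"credProps\":{\"rk\":\"yes\"}}"
    ]
```

Client extension outputs such as `credProps` are reported by the client and are not covered by the authenticator's signature, so a relying party should treat the decoded `rk` value as a hint rather than as a verified property.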