A simple PHP WebAuthn (FIDO2) server library
Goal of this project is to provide a small, lightweight, understandable library to protect logins with security keys like Yubico or Solo or fingerprint on Android.
This is Forked from https://github.com/lbuchs/Webauthn to provide some extra features for the library, his example, and another example with A LOT Less JS, especially no outside JS, which, as the original dev nicely pointed out, is entirely not needed.
It is very simple to create a button that opens Webauthn, but does basically nothing except preparing to send the response over an HTML Form which can be very useful in slow or throttled internet where on AJAX style sites the user gets no feedback and just nothing works.
Extra Features include:
- "discouraged" User Verification (try not to ask for a PIN) by setting the UV Value to
-1 - Second Example with Database Backend and Multi-User Support (and to illustrate RK Sign in better)
- UV Dropdown in default Example between the 3 options
- fix in the default example to properly handle no registrations
- Update Signature counter in the default example (obviously also happens in second example)
- Automatic selection of the right domain in examples
- changed default options in default example to allow no attestation and ignore attestation certificate for easier tryout.
See /_test for a simple usage of this library. Check my1.dev/wa for a working example.
- android-key ✅
- android-safetynet ✅
- fido-u2f ✅
- none ✅
- packed ✅
- tpm ❌
This library supports only authenticators which are signed with a X.509 certificate (except for none format). ECDAA and self attestation is not supported.
JAVASCRIPT | SERVER
------------------------------------------------------------
REGISTRATION
window.fetch -----------------> getCreateArgs
|
navigator.credentials.create <-------------'
|
'-------------------------> processCreate
|
alert ok or fail <----------------'
------------------------------------------------------------
VALIDATION
window.fetch ------------------> getGetArgs
|
navigator.credentials.get <----------------'
|
'-------------------------> processGet
|
alert ok or fail <----------------'
A Client-side-resident Public Key Credential Source, or Resident Credential for short, is a public key credential source whose credential private key is stored in the authenticator, client or client device. Such client-side storage requires a resident credential capable authenticator. This is only supported by FIDO2 hardware, not by older U2F hardware. On the browser side, at the moment only Microsoft Edge 18 seems to be supporting it.
With normal server-side key process, the user enters its username (and maybe password), then the server replys with a list of all public key credential identifier, which had been registered by the user. Then, the authenticator takes the first of the provided credential identifier, which has been issued by himself, and responses with a signature which can be validated with the public key provided on registration. With client-side key process, the user don't have to provide it's username or password, he can actually just press a 'login' button! Then, the server don't send any identifier; rather, the authenticator is looking up in it's own memory, if there is a key saved for this relying party. If yes, he's responding the same way like he's doing if you provide a list of identifier, there is no difference in checking the registration.
When calling WebAuthn\WebAuthn->getCreateArgs, set $requireResidentKey to true,
to notify the authenticator that he should save the registration in its memory.
When calling WebAuthn\WebAuthn->getGetArgs, don't provide any $credentialIds (the authenticator will look up the ids in its own memory).
- PHP >= 5.6 with OpenSSL
- Browser with WebAuthn support (Firefox 60+, Chrome 67+, Opera 54+, Edge 18+)