eclipse-vertx/vertx-auth

WebAuthn: Add userId property to Authenticator and WebAuthnCredentials

mnylen opened this issue · 0 comments

Describe the feature

Depends on fixing #580 first.

1. Add userId property to relevant classes

  • Add userId property to both Authenticator and WebAuthnCredentials.
  • After successful WebAuthn authentication or credential registration, the userId property from Authenticator should be included in the principal of returned User.

2. Populating the user id

After the property is added to the relevant classes, the Authenticator instances passed to authenticatorFetcher and authenticatorUpdater should include the user ID property (once #580 is fixed):

  • When fetching authenticators with a query:
    • In WebAuthn#createCredentialOptions(): copy the value from the user object passed in as parameter.
    • In WebAuthn#authenticate(): use the user id defined in WebAuthnCredentials passed in as parameter
  • When inserting or updating authenticators:
    • In WebAuthn#authenticate() for webauthn.get: use the user id defined in WebAuthnCredentials
    • In WebAuthn#authenticate() for webauthn.create: use the user id from the authenticator found by credential id lookup

3. Extra check in authentication

Additionally, the verification process should ensure that the userHandle returned in the AuthenticationAssertionResponse matches the userId property on the Authenticator found with credential id lookup.

The spec:

If the user was not identified before the authentication ceremony was initiated,
verify that response.userHandle is present, and that the user identified by this value is the owner of credentialSource.
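As an added example (not vertx-auth code, and not the PR referenced below), the ownership check from step 3 written against plain JDK classes: StoredAuthenticator is a hypothetical stand-in for an Authenticator record carrying the proposed userId property, and verifyOwnership models the two spec cases, user identified before the ceremony (userId supplied via WebAuthnCredentials) and username-less flow (userHandle must be present and name the owner of the credential found by credential id). Ids are handled as base64url strings, the way WebAuthn JSON transports binary fields, and compared in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class UserHandleOwnershipCheck {

  /** Hypothetical stand-in for a stored Authenticator record with the proposed userId property. */
  static final class StoredAuthenticator {
    final String credId;    // base64url credential id (lookup key)
    final String userId;    // base64url user handle: the stable RP user id (proposed property)
    final String userName;  // login/display name, allowed to change over time

    StoredAuthenticator(String credId, String userId, String userName) {
      this.credId = credId;
      this.userId = userId;
      this.userName = userName;
    }
  }

  enum Verdict { OK, UNKNOWN_CREDENTIAL, WRONG_OWNER, MISSING_USER_HANDLE, USER_HANDLE_MISMATCH }

  /** Malformed base64url throws IllegalArgumentException; a caller should treat that as a failed assertion. */
  private static byte[] b64url(String s) {
    return Base64.getUrlDecoder().decode(s);
  }

  /** Constant-time comparison: MessageDigest.isEqual does not stop at the first differing byte. */
  private static boolean sameId(String a, String b) {
    return MessageDigest.isEqual(b64url(a), b64url(b));
  }

  /**
   * @param store              authenticators indexed by credential id (what authenticatorFetcher would return)
   * @param rawId              credential id from the assertion (response.rawId, base64url)
   * @param responseUserHandle response.userHandle from the assertion, empty if the authenticator omitted it
   * @param credentialsUserId  userId from WebAuthnCredentials: present when the RP identified the user
   *                           before starting the ceremony, empty for username-less flows
   */
  static Verdict verifyOwnership(Map<String, StoredAuthenticator> store, String rawId,
                                 Optional<String> responseUserHandle, Optional<String> credentialsUserId) {
    StoredAuthenticator found = store.get(rawId);
    if (found == null) {
      return Verdict.UNKNOWN_CREDENTIAL;
    }
    if (credentialsUserId.isPresent()) {
      // User identified before the ceremony: the looked-up credential must belong to that user...
      if (!sameId(found.userId, credentialsUserId.get())) {
        return Verdict.WRONG_OWNER;
      }
      // ...and if the authenticator did return a user handle, it must agree with the stored owner too.
      if (responseUserHandle.isPresent() && !sameId(found.userId, responseUserHandle.get())) {
        return Verdict.USER_HANDLE_MISMATCH;
      }
      return Verdict.OK;
    }
    // User not identified beforehand: userHandle must be present and must name the owner
    // of the credential source (the quoted spec step).
    if (!responseUserHandle.isPresent()) {
      return Verdict.MISSING_USER_HANDLE;
    }
    if (!sameId(found.userId, responseUserHandle.get())) {
      return Verdict.USER_HANDLE_MISMATCH;
    }
    return Verdict.OK;
  }

  public static void main(String[] args) {
    // Constructed sample data, not real credentials.
    Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
    String aliceId = enc.encodeToString("user-42".getBytes(StandardCharsets.UTF_8));
    String bobId = enc.encodeToString("user-99".getBytes(StandardCharsets.UTF_8));
    String credId = enc.encodeToString("cred-1".getBytes(StandardCharsets.UTF_8));

    Map<String, StoredAuthenticator> store = new HashMap<>();
    store.put(credId, new StoredAuthenticator(credId, aliceId, "alice@example.com"));

    // Username-less flow, handle names the owner: OK
    System.out.println(verifyOwnership(store, credId, Optional.of(aliceId), Optional.empty()));
    // Username-less flow, authenticator omitted the handle: MISSING_USER_HANDLE
    System.out.println(verifyOwnership(store, credId, Optional.empty(), Optional.empty()));
    // Bob's session presenting Alice's credential: WRONG_OWNER
    System.out.println(verifyOwnership(store, credId, Optional.of(aliceId), Optional.of(bobId)));
    // Alice identified beforehand, but the returned handle disagrees with the stored owner: USER_HANDLE_MISMATCH
    System.out.println(verifyOwnership(store, credId, Optional.of(bobId), Optional.of(aliceId)));
  }
}
```

The key design point is that the stored userId, not the userName, is the identity the credential is bound to, so renaming an account never invalidates the check, and a credential found by id lookup is still rejected when it belongs to a different user than the one the session claims.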

Use cases

This would allow the Relying Party to index authenticators in persistent storage by a stable user ID (read: the primary key of the user table). User names (emails, nicknames, etc.) often change during a user's lifecycle, but IDs don't.

Currently it's not possible to do this without an extra lookup to find the user ID based on the username (as authenticatorUpdater).

Contribution

Already have a PR in the works at https://github.com/mnylen/vertx-auth/pull/1/files