-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conformity of java-webauthn-server to FIDO2 #94
Comments
+1 for this information. |
Hi, We have not yet run the FIDO tests against this library, and unfortunately haven't implemented all the attestation formats yet - specifically, the |
Hello, According to W3 android-safetynet-attestation and Android verify-attestation-response, it seems like this library performs all the verification procedures for Android SafetyNet Attestion in class Thank you. |
Ah, sorry, that should have been A Or in other words: the library by implements steps 1-19 and 22-24 of §7.1. Registering a New Credential, but by default skips steps 20 and 21. A |
Oh, and the |
Hello, me again 😄 Is there any chance this library will implement MetadaService for devices other than Yubico in the year 2022? Thank you. |
Hi! Work is currently underway to implement built-in support for the FIDO Metadata Service 3, which will make up the bulk of release 2.0. We're hoping to finish and release that in January 2022. |
Hi @emlun , Will the new version support all the attestation formats and conform to all mandatory test cases of FIDO2 Test Tool provided by FIDO Alliance as well. Also, can we expect the release this month? |
Hi @ashensw, Sorry, version 2.0 will not yet support all attestation formats and will not be finished this month. Conformance tests will also come later. Sorry for the slow progress on this. |
Hi @emlun I have a question related to the userHandle from the authentication part. My question is, does that validation meet the spec requirements? We have a case where a user is using Mac Studio (Ventura 13.3.1 ), and for the authentication where options.allowCredentials is empty his request is failing because it looks like Mac Studio is not setting the userHandle on the response either. So the validation in FinishAssertionSteps.Step6 is failing. |
@ionelMihai Hm, that's actually a very good question. The intent behind The purpose of having both the credential ID and the user handle is so that RPs aren't forced to use the credential ID as a primary lookup key, since the RP has no control of the choice of the credential ID. See this discussion from when user handles were introduced. So it's certainly against the spirit of the spec to not return a user handle when But looking through the spec, I don't think we actually require the authenticator to return a user handle when I'd say this is a question for a WebAuthn spec issue. Either we amend the spec to explicitly require a non-null I'll open the issue in w3c/webauthn, then once that is resolved we'll decide if anything needs to change in java-webauthn-server. Thanks for raising the question! |
Hey, |
The We would welcome contributions to implement |
Hi,
I am comparing this lib to other libraries specifically webauthn4j which says they are conformant to all the tests set by fido specification. Also, it says it supports all the attestation format.
Can someone please confirm if this lib is fido conformant and supports all the attestation formats?
Thanks
The text was updated successfully, but these errors were encountered: