Implement appid extension in WebAuthn? #145
Comments
This extension is already supported, see the U2FFido2Server class for reference: https://github.com/Yubico/python-fido2/blob/main/fido2/server.py#L387
Thank you for your reply. AFAICT, that is the implementation on the server side, to help verify both U2F and FIDO2 signatures. In browsers, we normally make a single assertion call like this with WebAuthn to assert both rpid and originally registered appid.

```javascript
await navigator.credentials.get({
  publicKey: {
    challenge: randomUint8ArrayFromServer,
    rpId: "example.com",
    allowCredentials: [{
      id: new Uint8Array(credentialId),
      type: 'public-key',
      transports: ['usb'],
    }],
    timeout: 60000,
    extensions: {
      appid: "https://login.example.com/appid.json",
    }
  }
});
```

To achieve the same result using python-fido2, we need to call the Is this your suggested approach to achieve this behavior described by WebAuthn?
Ah, sorry I misunderstood. You're correct, this extension is only implemented for the server-side. It's a little trickier to implement cleanly on the client as it is quite different from the other extensions in that it changes the logic of the command quite a bit. One reason we didn't implement this was also that we didn't see an immediate use case for it: Our assumption being that if you have existing U2F-credentials these are very likely to come from a browser-based client, and would likely only be used in a browser setting. Maybe this assumption doesn't hold up. Can you share a bit more about your use case and why you need the appId extension support on the client?
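The server-side rule discussed above, as an added example that is not part of the thread and is not python-fido2's own code: when the client extension output `appid` is true, the relying party must expect the authenticator data's rpIdHash to be the SHA-256 of the AppID instead of the RP ID. The function names are hypothetical, the identifiers are the ones from the request shown earlier in the thread, and the authenticator data is constructed; signature, challenge and counter checks are out of scope here.

```python
import hashlib
import hmac
import struct


def rp_id_hash(identifier: str) -> bytes:
    """SHA-256 of an RP ID or a U2F AppID, as carried in authenticator data."""
    return hashlib.sha256(identifier.encode("utf-8")).digest()


def expected_rp_id_hash(rp_id, requested_appid, client_ext_results):
    """Pick the hash the server must expect for this assertion."""
    if client_ext_results.get("appid", False) is not True:
        return rp_id_hash(rp_id)
    if requested_appid is None:
        # The client reports an AppID the server never sent: reject.
        raise ValueError("appid output present but extension was not requested")
    return rp_id_hash(requested_appid)


def check_rp_id_hash(auth_data, rp_id, requested_appid, client_ext_results):
    """Return True when authData's rpIdHash matches the expected identifier."""
    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        raise ValueError("authenticator data too short")
    expected = expected_rp_id_hash(rp_id, requested_appid, client_ext_results)
    return hmac.compare_digest(auth_data[:32], expected)


# Identifiers taken from the request shown in the thread.
RP_ID = "example.com"
APPID = "https://login.example.com/appid.json"


def make_auth_data(identifier, flags=0x01, counter=7):
    """Build minimal constructed authenticator data for the demo (assumption)."""
    return rp_id_hash(identifier) + struct.pack(">BI", flags, counter)


if __name__ == "__main__":
    legacy = make_auth_data(APPID)  # credential originally registered via U2F
    modern = make_auth_data(RP_ID)  # credential registered via WebAuthn
    print(check_rp_id_hash(legacy, RP_ID, APPID, {"appid": True}))
    print(check_rp_id_hash(modern, RP_ID, APPID, {"appid": False}))
    print(check_rp_id_hash(legacy, RP_ID, APPID, {}))
```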
The issue is:
After I looked at the code, I do agree that it can be hard to implement this cleanly.
Are we able to support the appid extension which is defined in WebAuthn? To transfer from old U2F API to WebAuthn, we face the issue that both old appid and rpid exist. Is it possible to support this extension?