Bugfix to migrate Factor U2F to WebAuthn.

.circleci/config.yml

@@ -22,6 +22,11 @@ jobs:
       - image: circleci/golang:1.13
     working_directory: /go/src/github.com/segmentio/aws-okta
     steps:
+      - run:
+          # Do this prior to checkout so that it doesn't modify go.mod file.
+          name: Install modvendor
+          command: |
+            go get -u github.com/goware/modvendor
       - checkout
       - run:
           name: Install linux dependencies - libusb
@@ -38,6 +43,7 @@ jobs:
             export GO111MODULE=on
             go mod tidy
             go mod vendor
+            modvendor -copy="**/*.c **/*.h" -v
             if [ "$(git status --porcelain)" != "" ]; then
               echo "git tree is dirty after tidying and vendoring modules"
               echo "ensure go.mod and go.sum are tidy and vendor is checked in"

go.mod

@@ -6,10 +6,10 @@ require (
 	github.com/aws/aws-sdk-go v1.25.25
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/karalabe/hid v1.0.0 // indirect
 	github.com/keybase/go-keychain v0.0.0-20190604185112-cc436cc9fe98 // indirect
 	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
-	github.com/marshallbrekka/go-u2fhost v0.0.0-20170128051651-72b0e7a3f583
-	github.com/marshallbrekka/go.hid v0.0.0-20161227002717-2c1c4616a9e7 // indirect
+	github.com/marshallbrekka/go-u2fhost v0.0.0-20200114212649-cc764c209ee9
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/segmentio/analytics-go v3.0.1+incompatible
 	github.com/segmentio/backo-go v0.0.0-20160424052352-204274ad699c // indirect
@@ -20,7 +20,6 @@ require (
 	github.com/spf13/pflag v1.0.0 // indirect
 	github.com/stretchr/testify v1.3.0
 	github.com/vaughan0/go-ini v0.0.0-20130923145212-a98ad7ee00ec
-	github.com/vitaminwater/cgo.wchar v0.0.0-20160320123332-5dd6f4be3f2a // indirect
 	github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
 	golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
 	golang.org/x/net v0.0.0-20190628185345-da137c7871d7

go.sum

@@ -25,6 +25,8 @@ github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5i
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/karalabe/hid v1.0.0 h1:+/CIMNXhSU/zIJgnIvBD2nKHxS/bnRHhhs9xBryLpPo=
+github.com/karalabe/hid v1.0.0/go.mod h1:Vr51f8rUOLYrfrWDFlV12GGQgM5AT8sVh+2fY4MPeu8=
 github.com/keybase/go-keychain v0.0.0-20190423185029-8441f7257eb1/go.mod h1:JJNrCn9otv/2QP4D7SMJBgaleKpOf66PnW6F5WGNRIc=
 github.com/keybase/go-keychain v0.0.0-20190604185112-cc436cc9fe98 h1:CIcvKEAP7i7v/SWSwzAvq1ATWWs4+J/ezHqZT116+JA=
 github.com/keybase/go-keychain v0.0.0-20190604185112-cc436cc9fe98/go.mod h1:JJNrCn9otv/2QP4D7SMJBgaleKpOf66PnW6F5WGNRIc=
@@ -36,10 +38,8 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/marshallbrekka/go-u2fhost v0.0.0-20170128051651-72b0e7a3f583 h1:PmKzeWNGbrlpxS1PoMfvHQaFZjY6tBWzl2Dni9IjBPE=
-github.com/marshallbrekka/go-u2fhost v0.0.0-20170128051651-72b0e7a3f583/go.mod h1:U9kRL9P37LGrkikKWuekWsReXRKe2fkZdRSXpI7pP3A=
-github.com/marshallbrekka/go.hid v0.0.0-20161227002717-2c1c4616a9e7 h1:OWtSIWxw/A5amtd2wDFMtFILVoCuHC+k4V5Y/0aM4/Y=
-github.com/marshallbrekka/go.hid v0.0.0-20161227002717-2c1c4616a9e7/go.mod h1:EKx8PPAql1ncHKW3HCDlw4d7ELZ/kmfiDJjLfNf+Ek0=
+github.com/marshallbrekka/go-u2fhost v0.0.0-20200114212649-cc764c209ee9 h1:7dYglvg2+WRsvX//65GyQTYJyooO1HYKGVpKBlIAoms=
+github.com/marshallbrekka/go-u2fhost v0.0.0-20200114212649-cc764c209ee9/go.mod h1:U9kRL9P37LGrkikKWuekWsReXRKe2fkZdRSXpI7pP3A=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -69,8 +69,6 @@ github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/vaughan0/go-ini v0.0.0-20130923145212-a98ad7ee00ec h1:DGmKwyZwEB8dI7tbLt/I/gQuP559o/0FrAkHKlQM/Ks=
 github.com/vaughan0/go-ini v0.0.0-20130923145212-a98ad7ee00ec/go.mod h1:owBmyHYMLkxyrugmfwE/DLJyW8Ro9mkphwuVErQ0iUw=
-github.com/vitaminwater/cgo.wchar v0.0.0-20160320123332-5dd6f4be3f2a h1:ob45GSHxZJ5H2Sf8WzcJWqNmqiBLr2QIHmun1its9d4=
-github.com/vitaminwater/cgo.wchar v0.0.0-20160320123332-5dd6f4be3f2a/go.mod h1:2DpU0Ek6K9QFbDyQwPa3PAOPSfdp38Pk+MXM6y/sDR0=
 github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c h1:3lbZUMbMiGUW/LMkfsEABsc5zNT9+b1CvsJx47JzJ8g=
 github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c/go.mod h1:UrdRz5enIKZ63MEE3IF9l2/ebyx59GyGgPi+tICQdmM=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=

lib/mfa/fido.go

@@ -22,19 +22,19 @@ var (
 type FidoClient struct {
 	ChallengeNonce string
 	AppId          string
-	Version        string
 	Device         u2fhost.Device
 	KeyHandle      string
 	StateToken     string
 }
 
 type SignedAssertion struct {
-	StateToken    string `json:"stateToken"`
-	ClientData    string `json:"clientData"`
-	SignatureData string `json:"signatureData"`
+	StateToken        string `json:"stateToken"`
+	ClientData        string `json:"clientData"`
+	SignatureData     string `json:"signatureData"`
+	AuthenticatorData string `json:"authenticatorData"`
 }
 
-func NewFidoClient(challengeNonce, appId, version, keyHandle, stateToken string) (FidoClient, error) {
+func NewFidoClient(challengeNonce, appId, keyHandle, stateToken string) (FidoClient, error) {
 	var device u2fhost.Device
 	var err error
 
@@ -55,7 +55,6 @@ func NewFidoClient(challengeNonce, appId, version, keyHandle, stateToken string)
 			Device:         device,
 			ChallengeNonce: challengeNonce,
 			AppId:          appId,
-			Version:        version,
 			KeyHandle:      keyHandle,
 			StateToken:     stateToken,
 		}, nil
@@ -72,9 +71,10 @@ func (d *FidoClient) ChallengeU2f() (*SignedAssertion, error) {
 	request := &u2fhost.AuthenticateRequest{
 		Challenge: d.ChallengeNonce,
 		// the appid is the only facet.
-		Facet:     d.AppId,
+		Facet:     "https://" + d.AppId,
 		AppId:     d.AppId,
 		KeyHandle: d.KeyHandle,
+		WebAuthn:  true,
 	}
 	// do the change
 	prompted := false
@@ -96,9 +96,10 @@ func (d *FidoClient) ChallengeU2f() (*SignedAssertion, error) {
 			response, err := d.Device.Authenticate(request)
 			if err == nil {
 				responsePayload = &SignedAssertion{
-					StateToken:    d.StateToken,
-					ClientData:    response.ClientData,
-					SignatureData: response.SignatureData,
+					StateToken:        d.StateToken,
+					ClientData:        response.ClientData,
+					SignatureData:     response.SignatureData,
+					AuthenticatorData: response.AuthenticatorData,
 				}
 				fmt.Printf("  ==> Touch accepted. Proceeding with authentication\n")
 				return responsePayload, nil

lib/okta.go

@@ -75,7 +75,7 @@ type OktaCreds struct {
 }
 
 type OktaCookies struct {
-	Session string
+	Session     string
 	DeviceToken string
 }
 
@@ -419,15 +419,14 @@ func (o *OktaClient) postChallenge(payload []byte, oktaFactorProvider string, ok
 		} else if oktaFactorProvider == "FIDO" {
 			f := o.UserAuth.Embedded.Factor
 
-			log.Debug("FIDO U2F Details:")
-			log.Debug("  ChallengeNonce: ", f.Embedded.Challenge.Nonce)
-			log.Debug("  AppId: ", f.Profile.AppId)
+			log.Debug("FIDO WebAuthn Details:")
+			log.Debug("  ChallengeNonce: ", f.Embedded.Challenge.Challenge)
+			log.Debug("  AppId: ", o.Domain)
 			log.Debug("  CredentialId: ", f.Profile.CredentialId)
 			log.Debug("  StateToken: ", o.UserAuth.StateToken)
 
-			fidoClient, err := mfa.NewFidoClient(f.Embedded.Challenge.Nonce,
-				f.Profile.AppId,
-				f.Profile.Version,
+			fidoClient, err := mfa.NewFidoClient(f.Embedded.Challenge.Challenge,
+				o.Domain,
 				f.Profile.CredentialId,
 				o.UserAuth.StateToken)
 			if err != nil {
@@ -526,7 +525,7 @@ func GetFactorId(f *OktaUserAuthnFactor) (id string, err error) {
 		id = f.Id
 	case "sms":
 		id = f.Id
-	case "u2f":
+	case "u2f", "webauthn":
 		id = f.Id
 	case "push":
 		if f.Provider == "OKTA" || f.Provider == "DUO" {

lib/struct.go

@@ -53,6 +53,7 @@ type OktaUserAuthnFactorEmbeddedVerification struct {
 
 type OktaUserAuthnFactorEmbeddedChallenge struct {
 	Nonce           string `json:"nonce"`
+	Challenge       string `json:"challenge"`
 	TimeoutSeconnds int    `json:"timeoutSeconds"`
 }
 type OktaUserAuthnFactorEmbeddedVerificationLinks struct {