Implement FIDO2 login and registration #11166
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Note to reviewers: a reasonable chunk of the PR are test tables, the production code added is not that big. I've written it so it may be reviewed commit-by-commit, which should make it easier to absorb, but let me know if you'd rather have me split registration to a separate PR. I also have a test program that runs the code against real authenticators, which I didn't include here, but give me a shout if you'd like to try it out. |
zmb3
reviewed
Mar 16, 2022
codingllama
force-pushed
the
codingllama/pwdless-fido2
branch
from
754a272 to
9469f1d
Compare
|
PTAL? |
|
Friendly ping @zmb3 @rosstimothy @Tener ? |
rosstimothy
reviewed
Mar 17, 2022
There was a problem hiding this comment.
Sorry @codingllama I was half way through looking at this earlier when GitHub started having issues
codingllama
force-pushed
the
codingllama/pwdless-fido2
branch
from
9469f1d to
67a0ff4
Compare
|
Thanks for the review, @rosstimothy. PTAL? |
zmb3
approved these changes
Mar 17, 2022
rosstimothy
approved these changes
Mar 18, 2022
|
Thanks for the approval, folks. |
codingllama
force-pushed
the
codingllama/pwdless-fido2
branch
from
67a0ff4 to
47fc78e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implements CLI login and registration using go-libfido2. Covers both MFA and passwordless use cases.
The FIDO2 implementation is akin to the existing U2F Login / Registration logic, including a similar "device detection" loop. A few notable differences are:
The MFA UX for end-users should remain mostly unaltered.
There are no separate methods for MFA and passwordless, as much of the logic would be the same. Instead, the methods react to the assertion/credential parameters accordingly.
At this moment this code is isolated from other callers, as well as from our build processes via the
libfido2tag. This is to avoid impact to other developers, as go-libfido2 has a few requirements before it can be downloaded or executed.#9160