
Spring Security WebAuthn is missing Registration by anonymous user, a use case specified in WebAuthn L2 Subsection 1.3.1 #16351

Open
justincranford opened this issue Dec 30, 2024 · 0 comments
Labels
status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement


I upgraded from Spring Security 6.3 to 6.4. I was using Yubico's WebAuthn, and I am in the process of trying to switch to Spring Security's WebAuthn. However, Spring Security WebAuthn is missing support for registration by an anonymous user. It is a blocker for switching.

Expected Behavior

WebAuthn L1 (2019) and L2 (2021) specifications support registration of a credential by an anonymous user. If the user doesn't exist, then registration is supposed to create the account before associating the credential to it.

Current Behavior

Visiting /webauthn/registration and /webauthn/registration/options fails due to the implementation looking at request.getRemoteUser(), and returning an error if found to be null.

Context

WebAuthn L2 Specification => https://www.w3.org/TR/2021/REC-webauthn-2-20210408

Subsection 1.3.1. Registration specifically says "Or the user may be in the process of creating a new account." It is the last sentence from this excerpt:

> The user visits example.com, which serves up a script.
> At this point, the user may already be logged in using a legacy username and password, or additional authenticator, or other means acceptable to the [Relying Party](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#relying-party).
> Or the user may be in the process of creating a new account.

Example 1

Yubico's demo website https://webauthn.io/ shows how registration by an anonymous user is supposed to work. Note that the user can choose between two WebAuthn registration types (Non-Resident vs Resident) under Advanced Settings via this setting:

Discoverable Credential:

  1. Discouraged (Client wants Non-Resident/Non-Discoverable)
  2. Preferred (Client wants Resident/Discoverable, but fallback to Non-Resident/Non-Discoverable is OK)
  3. Required (Client wants Resident/Discoverable)

Passkeys is an alias for Resident/Discoverable added in the L2 spec, but the spec is backwards compatible with Non-Resident/Non-Discoverable.

Example 2

Yubico offers a Java WebAuthn Server. It comes with a demo you can run yourself and debug. It supports credential registration by an anonymous user too.

Example 3

I used Yubico's WebAuthn Server with Spring Security 6.3 in my own project.

It is a new project, only WebAuthn registration and authentication are supported, and there are no other "legacy" authentication methods. Anonymous registration works. In this screenshot, you can see I used Google Chrome. Chrome's Developer Tools supports WebAuthn virtual authenticators for testing, and you can see I registered multiple Non-Resident and Resident credentials.

@justincranford justincranford added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Dec 30, 2024