Expand the example server into a reference passkey implementation?

Open MasterKale opened this issue 3 years ago • 3 comments

Now that passkeys are on the horizon, I believe the current challenge for WebAuthn adoption is a dearth of decent reference implementations. Based on posts like this on the FIDO-DEV mailing list I think I'd find others who agree.

The current example server tries to be such a thing but is hand-wavey in some areas, specifically around challenge management and credential storage. I think there's an opportunity here to flesh out some of these parts of the server to offer others an "ideal" Express implementation of WebAuthn, including guidance on how to leverage Conditional UI (finally enabling "usernameless" auth that can't know the user's identity ahead of time) and future functionality like the upcoming devicePubKey extension.

Jul 13 '22 03:07 MasterKale

Note that this'd likely involve some kind of in-memory data storage library, to avoid going overboard and implementing an actual RDBMS. As straightforward as it might be to implement as a series of Docker containers, for example, I still like the idea of the example server being something you can npm start locally to get up and running.

Jul 13 '22 03:07 MasterKale

For the data storage, Prisma along with SQLite might be a good choice: https://www.prisma.io/docs/concepts/database-connectors/sqlite.

Aug 05 '22 12:08 P4sca1

Prisma is an interesting suggestion. I'll look into that.

And I agree SQLite is the way to go here regardless of the ORM I land on.

Aug 05 '22 14:08 MasterKale

Hey @MasterKale, I'm happy to hear that you want to take things further, especially with passkeys on the verge of being widely adopted. I'm currently also thinking about a standard authentication and authorization solution based solely on WebAuthn, because in my current projects the implementation does not vary that much, and it would be neat to just spin up a Docker container, for example, which is able to handle such a task. I would be more than willing to support you with that venture, taking into account that I have already made some WebAuthn implementations with Prisma and JWT tokens in my projects.

Aug 17 '22 08:08 lmarschall

I'm going to close this; I don't think I want to spend much more of my free time building and maintaining more than the little example app I keep within this repo.

I'd encourage those who choose to build such a reference implementation to follow the lead of the conversation in #266 and share out your project in the Discussions here. People looking to adopt WebAuthn in the wake of passkeys hype will all benefit from such real examples, and so I believe such projects will help expand WebAuthn adoption.

Sep 29 '22 05:09 MasterKale