java-webauthn-server icon indicating copy to clipboard operation
java-webauthn-server copied to clipboard

Published 20 hours ago verified publisher icon Yubico

Support Secure Payment Confirmation (SPC)

Open emlun opened this issue 1 year ago • 5 comments

Discussed in https://github.com/Yubico/java-webauthn-server/discussions/284

Originally posted by voirtimid May 18, 2023 Hi guys,

I was playing around with FIDO authentication and wanted to try out Secure Payment Confirmation SPC (https://www.w3.org/TR/secure-payment-confirmation/) also. I'm using this library for the server part. Do you have any plans to extend the library with SPC specific features.

Thank you in advance.

Regards,

Oliver

emlun avatar May 19 '23 10:05 emlun

We'll look into adding support for this in version 2.5.0, but I can't promise anything definitive just yet.

Perhaps we'll split this up and do the minimum soon and the rest later to give it more time to mature:

  1. At minimum, the library needs to (conditionally) allow collectedClientData.type: "payment.get" in RelyingParty.finishAssertion(). This could be added fairly soon as an experimental feature. Then an RP that wants to use SPC could add the extension inputs
  2. For completeness, the library should add the option to configure all of the extension inputs and any server-side steps specified in the SPC spec. This will need some more careful thought, but it doesn't seem like a lot of work.

So perhaps we might do (1) in the next release and (2) soon after. I can't say for certain now, but we're definitely putting this on the to do list.

emlun avatar May 19 '23 14:05 emlun

Thank you for your quick answer and for putting SPC support into consideration.

I just want to share what I observed while testing SPC. As addition to what you wrote in point 1 above, I would like to add that the origin validation that is done in Step13 of FinishAssertionSteps should be skipped for SPC authentications (https://www.w3.org/TR/secure-payment-confirmation/#sctn-use-case-merchant-authentication).

Thanks,

Oliver

voirtimid avatar May 23 '23 09:05 voirtimid

Minimal support for this is now implemented in PR #310. We aim to release this as an experimental feature in an early pre-release later this week, and refine SPC support later in the release cycle.

As of now the origin validation remains unchanged, but this does not stop downstream applications from "overriding" the default origin validation. Similar to the discussion in https://github.com/Yubico/java-webauthn-server/issues/289#issuecomment-1610990004, the RelyingParty class can easily be re-instantiated per request with a new origins setting in order to customize the acceptable origins on a per-request basis. The RelyingParty class has no internal mutable state, so re-instantiating like this is perfectly safe. This is probably not the ideal end state, but it's enough for downstream applications to start experimenting with SPC support.

emlun avatar Jul 05 '23 20:07 emlun

Minimal support is now available in experimental release 2.6.0-alpha1. Please note that experimental features may change or be deleted before reaching a mature release.

emlun avatar Jul 07 '23 18:07 emlun

Hi Emil, thank you a lot.

voirtimid avatar Jul 07 '23 20:07 voirtimid