java-webauthn-server

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations

Results 26 java-webauthn-server issues

# Summary

I'd like to construct an instance of `Extensions.CredentialProperties.CredentialPropertiesOutput` but the constructor is not public. Can you please make the constructor public?

# Details

The `Extensions.CredentialProperties.CredentialPropertiesOutput` is not public...

enhancement

Not necessarily an issue, but the [JavaDoc](https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.4.0/com/yubico/webauthn/CredentialRepository.html) isn't entirely clear on this. (Or, if it is, I couldn't find it - apologies if so.) I am trying to integrate passwordless...

Sibling issue to #274, I suppose... Is there a way to pass opaque data about the user to the `CredentialRepository` (in particular, the `getCredentialIdsForUsername` implementation) _without_ that data being exposed...

Hello team, I've observed that sometimes we use `user_name` to look up stored public key credentials, examples are when we resolve the `allowCredentials` list in [authentication ceremony](https://github.com/Yubico/java-webauthn-server/blob/4a794e515b9d2fd77b905412011b76dddf9e9b82/webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java#L527) and `excludeCredentials` list...

Within my code I have the following in several places:

```java
startAssertionOptionsBuilder.userVerification(UserVerificationRequirement.valueOf(userVerification.toUpperCase()));
...
authenticatorSelectionCriteriaBuilder
    .residentKey(ResidentKeyRequirement.valueOf(residentKey.toUpperCase()));
```

while all these enums have a private static `fromString`. Maybe make these methods public?

`RelyingParty.startAssertion` constructs a list of `allowCredentials` based on the `credentialRepository`, which makes sense. However, it would be handy if you could also restrict the allowed credential via some `StartAssertionOptions` option....

I've had to add the PRF extension support kind of around the library. See: https://github.com/e-Contract/enterprise-jsf/blob/master/ejsf-taglib/src/main/java/be/e_contract/ejsf/component/webauthn/WebAuthnUtils.java Would be nice if `java-webauthn-server` would support this PRF extension out of the box.

See https://github.com/w3c/webauthn/issues/1446#issuecomment-1715884170 and https://www.ietf.org/archive/id/draft-jones-jose-fully-specified-algorithms-01.html This memo is not yet approved, but would add fully-specified COSE algorithm identifiers and deprecate the polymorphic ones currently used by default.

enhancement
blocked

Hello, @emlun! I have a question. I saw several variants of cross-domain rp-ids, for example: `my-site.my-domain.com` and `my-site-2.my-domain.com`. We could make rp-id like `my-domain.com`. Then ceremonies on subdomains would...

### Discussed in https://github.com/Yubico/java-webauthn-server/discussions/284

Originally posted by **voirtimid** May 18, 2023

Hi guys, I was playing around with FIDO authentication and wanted to try out Secure Payment Confirmation SPC (https://www.w3.org/TR/secure-payment-confirmation/)...