webauthn: Relying party (server) implementation of the WebAuthn 2 specification

[ apache, authentication, library, web ] [ Propose Tags ] [ Report a vulnerability ]

About

This library implements the Relying Party conformance class of the Web Authentication Level 2 specification. This allows web applications to create strong, attested, scoped, public key-based credentials for the purpose of strongly authenticating users.

Getting started

The Crypto.WebAuthn module and its documentation is the best place to get started with the library. The example server: Main.hs shows how this module may be used to implement a relying party.

Stability

While the general design of the library won't change, it's still in an alpha state, so smaller breaking changes should be expected for now. We will however follow the PVP and properly label changes with the appropriate version increase.


[Skip to Readme]

Modules

[Index] [Quick Jump]

Downloads

Maintainer's Corner

Package maintainers

For package maintainers and hackage trustees

Candidates

  • No Candidates
Versions [RSS] 0, 0.1.0.0, 0.1.1.0, 0.2.0.0, 0.3.0.0, 0.4.0.0, 0.4.1.0, 0.4.1.1, 0.4.1.2, 0.5.0.0, 0.5.0.1, 0.6.0.0, 0.6.0.1, 0.7.0.0, 0.8.0.0, 0.9.0.0, 0.10.0.0
Change log changelog.md
Dependencies aeson (>=1.4.7 && <2.2), asn1-encoding (>=0.9.6 && <0.10), asn1-parse (>=0.9.5 && <0.10), asn1-types (>=0.3.4 && <0.4), base (>=4.13.0 && <4.17), base16-bytestring (>=1.0.0 && <1.1), base64-bytestring (>=1.2.1 && <1.3), binary (>=0.8.7 && <0.9), bytestring (>=0.10.10 && <0.12), cborg (>=0.2.4 && <0.3), containers (>=0.6.2 && <0.7), cryptonite (>=0.27 && <0.31), file-embed (>=0.0.11 && <0.1), hashable (>=1.3.0 && <1.5), hourglass (>=0.2.12 && <0.3), jose (>=0.8.5 && <0.10), lens (>=4.18.1 && <5.2), memory (>=0.15.0 && <0.18), monad-time (>=0.3.1 && <0.5), mtl (>=2.2.2 && <2.3), serialise (>=0.2.3 && <0.3), singletons (>=2.6 && <3.2), text (>=1.2.4 && <1.3), time (>=1.9.3 && <1.12), unordered-containers (>=0.2.11 && <0.3), uuid (>=1.3.13 && <1.4), validation (>=1.1 && <1.2), x509 (>=1.7.5 && <1.8), x509-store (>=1.6.7 && <1.7), x509-validation (>=1.6.12 && <1.7) [details]
Tested with ghc ==8.10.7
License Apache-2.0
Copyright 2020 - 2021: Arian van Putten, 2021 - : Tweag I/O
Author Silvan Mosberger <contact@infinisil.com>, Erin van der Veen <erin@erinvanderveen.nl>, Arian van Putten <arian.vanputten@gmail.com>, Laurens Duijvesteijn <git@duijf.io>
Maintainer Silvan Mosberger <contact@infinisil.com>
Category Web, Authentication
Home page https://github.com/tweag/webauthn
Bug tracker https://github.com/tweag/webauthn/issues
Uploaded by infinisil at 2023-01-25T22:37:28Z
Distributions
Downloads 1683 total (74 in the last 30 days)
Rating 2.0 (votes: 1) [estimated by Bayesian average]
Your Rating
  • λ
  • λ
  • λ
Status Docs uploaded by user
Build status unknown [no reports yet]

Readme for webauthn-0.5.0.0

[back to package description]

Haskell WebAuthn Library

Hackage

This library implements the server-side Web Authentication Relying Party specification Level 2. The goal of Web Authentication (WebAuthn) is to bring passwordless login/second factor authentication to the web, logging in using a FIDO U2F Security Key, finger print scanner and some other authenticator.

This project was originally developed in 2020 as a Zurihac project by @arianvp and @duijf. Starting September 2021 a team at Tweag was sponsored by Mercury to create a production-ready open-source implementation of this standard, which was done by @infinisil and @ErinvanderVeen.

Setting up the environment

We assume Nix is used for the development of this library. If not using Nix, take a look at default.nix for the dependencies and GHC version. All instructions below assume the use of Nix.

Nix Caches

Tweag provides a Cachix cache for the library itself and all non-Haskell dependencies, setting up the tweag-webauthn cache can be done using the instructions provided by Cachix.

Nix Shell

The Nix shell provides all libraries and tools required to build the library, tests, and example server. Simply call nix-shell to enter a shell. If the binary caches have been configured properly, this should take little time. If they have not been properly configured, entering the Nix shell will take multiple hours.

All further instructions in this README assume that you are in a Nix shell.

Getting Started

To get started with the library it is best to read the documentation of the Crypto.WebAuthn module. An example of how to use this library to implement a relying party can be found in the server directory, particularly the server/src/Main.hs module. Additionally, we highly recommend reading the relying party section of the WebAuthn security considerations chapter before implementing a relying party.

Developing the Library

The Haskell Language Server (hls) and Ormolu are highly recommended for the development of this library. The hls documentation describes how to configure your editor to use it. We also recommend enabling auto-format using Ormolu for your editor. We do, however, also provide a bash script in bin/autoformat.sh that uses Ormolu to format all Haskell source files in the repository.

Code not formatted using Ormolu will be rejected in CI.

Running the tests

Tests are provided in the tests directory. Running these tests is done via cabal:

cabal run test-suite:tests

Running the demo

The library comes with an example implementation for a server that makes use of it, which can be found in the server directory. All dependencies required to build the example server are included in the Nix shell.

cd server
./run.sh

Changes to the server's source files automatically trigger a rebuild of the server.

Testing with an Authenticator

The easiest way to test the server, or your own application, is to use the Chrome WebAuthn development tool. Simply open the Chrome DevTools, click on the three dots in the top right, select "More tools -> WebAuthn", and then enable the virtual environment.

Testing with a physical authenticator is easiest using an Android or iOS phone supporting it, or a dedicated token like a YubiKey or the open-source SoloKey. Testing with a phone requires setting up a certificate for the domain of the relying party as WebAuthn only works via https, with an exception being made for localhost.

Acknowledgements

The test files in tests/responses/ were not created by Tweag, but were instead copied from existing WebAuthn libraries. Notably the .NET and python libraries by the .NET foundation and Duo Labs respectively.

LICENSES

Copyright
  2020 - 2021 Arian van Putten
  2021 -      Tweag I/O

Licensed under the Apache License, Version 2.0 (the "License"); you may not use
this file except in compliance with the License. You may obtain a copy of the
License at

  http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed
under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.