Support for extensions #104
Comments
There's nothing about py_webauthn that prevents you from leveraging extensions. For now, though, you need to manually add the extensions to the options before you send them to the front end. Something like this:

```py
# Generate options as usual
simple_registration_options = generate_registration_options(
    rp_id="example.com",
    rp_name="Example Co",
    user_id="12345",
    user_name="bob",
)
# Prepare to transmit to front end as JSON
options_json = options_to_json(simple_registration_options)
# Add in the extensions you want to leverage
options_json["extensions"] = {"credProps": True}
```

On the front end you have to remember to call

```js
{
  credProps: {
    rk: true
  }
}
```

At which point you can include that in the response you send back to your RP however you want. It's not quite as easy as handing things off to py_webauthn, that might come later, but hopefully you won't find this too onerous to implement yourself for now 🙇

Simplifying the use of extensions has been something I've wanted to do in my other WebAuthn library, and now in py_webauthn, but haven't spent a whole lot of time on trying to architect because of how spotty support is for extensions across browsers.

Thanks for the detailed instructions - not too onerous at all! I find that while jumping back and forth through the spec I lose track of what is JSON and what is encoded. Feel free to close this or leave it as a 'feature' request.

As a followup - it isn't quite as simple/nice: options_to_json returns a string - you have to do something like:
And on the response you can't just use parse_raw - you have to decode the entire response:
Again not a super big deal - but unfortunate that can't just use the help parse/encode utilities. Note that one can't do:
since pydantic doesn't like that (which I suppose is the point of using pydantic).

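The round trip these comments describe, as an added example that is not part of the thread and not py_webauthn's own code: extensions are merged into the serialized options string, and `credProps.rk` is read out of the decoded registration response. The helper names and the sample JSON are assumptions constructed for illustration, and only the standard library is used.

```python
import json
from typing import Optional

# Constructed sample standing in for the string that options_to_json returns
# (per the comment above); the values are placeholders, not real output.
SAMPLE_OPTIONS_JSON = json.dumps({
    "rp": {"id": "example.com", "name": "Example Co"},
    "user": {"id": "MTIzNDU", "name": "bob", "displayName": "bob"},
    "challenge": "Y29uc3RydWN0ZWQtY2hhbGxlbmdl",
    "pubKeyCredParams": [{"type": "public-key", "alg": -7}],
})


def add_extensions(options_json: str, extensions: dict) -> str:
    """Hypothetical helper: merge extension inputs into serialized options."""
    options = json.loads(options_json)  # the serialized options are a str
    if not isinstance(options, dict):
        raise ValueError("options JSON must be an object")
    merged = dict(options.get("extensions") or {})
    merged.update(extensions)
    options["extensions"] = merged
    return json.dumps(options)


def cred_props_rk(response_json: str) -> Optional[bool]:
    """Hypothetical helper: return credProps.rk, or None when it is unknown.

    clientExtensionResults is filled in by the browser and is not covered by
    the authenticator's signature, so treat the value as a hint only.
    """
    response = json.loads(response_json)
    results = response.get("clientExtensionResults") if isinstance(response, dict) else None
    cred_props = results.get("credProps") if isinstance(results, dict) else None
    rk = cred_props.get("rk") if isinstance(cred_props, dict) else None
    # An absent or non-boolean rk means the client did not report it.
    return rk if isinstance(rk, bool) else None
```

A return value of `None` is distinct from `False`: it means the client gave no answer, so the RP should not record the credential as non-discoverable on that basis.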
We also stumbled upon the extension problem while working with large blobs. We patched the library with appropriate structs and additional parameters for generate_registration_options. You can find these changes at #128, happy to discuss whether this approach is fine for you

Copy-pasting some brainstorming on extension support I wrote down in #128:
This is specifically about

My reading of https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-authenticator-credential-properties-extension
implies that if I as a RP want to know for example, if the authenticator created a resident key - the RegistrationCreateOptions should contain appropriate values in:
AuthenticationExtensionsClientInputs extensions;
That doesn't seem to be supported....