Description
Proposal Details
Passkey Authentication is seeing widespread industry adoption for authenticating users on websites and is implemented through the https://w3c.github.io/webauthn specification.
It would be great if Golang would support this authentication mechanism out of the box.
As a first step towards this path, I would like to propose introducing WebAuthn signature verification to Golang. The verification algorithm should follow the steps outlined in https://w3c.github.io/webauthn/#sctn-verifying-assertion.
WebAuthn registration is a lot more specific to people's use cases (e.g. need to think about attestation and whatnot), so I would leave it out of scope for the first draft.
Related proposals:
WebAuthn is also used for the ecdsa-sk key type in SSH, and somebody asked for support for that here: #69999. In order to implement that we need this proposal.
Initial design
Interface
type CoseAlgorithmIdentifier int64
const (
EdDSA CoseAlgorithmIdentifier = -8
ES256 CoseAlgorithmIdentifier = -7
ES384 CoseAlgorithmIdentifier = -35
ES512 CoseAlgorithmIdentifier = -36
PS256 CoseAlgorithmIdentifier = -37
RS256 CoseAlgorithmIdentifier = -257
)
type OriginInfo struct {
Origin string
CrossOrigin bool
TopOrigin string
}
type OriginPolicy func(OriginInfo) error
func OriginWhitelist(origins ...string) OriginPolicy
type AuthenticatorFlags uint8
const (
FlagUserPresent AuthenticatorFlags = 1 << iota
_
FlagUserVerified
FlagBackupEligibility
FlagBackupState
_
FlagAttestedCredentialData
FlagExtensionData
)
type AuthenticatorAssertionResponse struct {
ClientDataJson []byte
AuthenticatorData []byte
Signature []byte
}
type AuthenticatorData struct {
RpIdHash [32]byte
Flags AuthenticatorFlags
Count uint32
// NOTE: Contains variable length AttestedCredentialData if FlagAttestedCredentialData is set
// Because we only do assertion, this field is currently always nil
AttestedCredentialData []byte
// NOTE: Contains variable length ExtensionData if FlagExtensionData is set
ExtensionData []byte
}
type VerifyOptions struct {
RpId string
OriginPolicy OriginPolicy
UserVerificationRequired bool
UserPresenceRequired bool
}
// Verify verifies the signature of the assertion response and returns the
// parsed authenticator data which can be processed further by the caller.
func (r *AuthenticatorAssertionResponse) Verify(challenge []byte, key crypto.PublicKey, alg CoseAlgorithmIdentifier, opts VerifyOptions) (*AuthenticatorData, error)
Example implementation