Greetings to the XWiki community! I hope you all are doing good.
Thanks for the update @DamianArado.
It’s a good idea to use this thread to report progress and planning, but it would be better to create dedicated threads if you have specific questions to ask or proposals to make instead of reusing this one, as otherwise it will be hard to follow (of course, once a dedicated thread gets resolved you can reference it here as a status report). Maybe this was your plan already, and you just meant other people asking questions to you on this thread, in which case it’s fine.
I was thinking of creating threads regarding a specific topic, in which I will be taking suggestions and/or making a proposal regarding my approach. When they are resolved, I will mention the summary here, so that everything is well inter-connected.
[Update]: Hi, I wanted to request some time from project development to focus on my university’s end semester theoretical examinations, which are scheduled to be held from 4-12 June. Unfortunately, they got shifted from the last week of May here, owing to the Covid crisis.
As of now, I have created the JIRA issues on which I’ll start working after these examinations, i.e., from 13th of June.
Nonetheless, I will keep checking the Forum and matrix #xwiki chat and will be available to communicate anytime.
Important threads regarding the project before the end of the 1st Evaluation (16 July) are added here:
Hi XWiki community!
Sharing some updates below:
A blog that summarizes my experience at XWiki during the GSoC period: https://www.xwiki.org/xwiki/bin/view/Blog/My%20Journey%20with%20XWiki%20-%20GSoC'21%20and%20Beyond
This project is currently in progress.
In case you need any further clarifications and/or you are interested in working with me on this project, catch me on the XWiki Matrix chat (my username: damian_arado). I’ll be available.
Until this point, I ran into these problems which made it difficult to integrate WebAuthn with XWiki:
- java-webauthn-server: This library can return request objects, which after being serialized to JSON, are passed as a public key argument to PublicKeyCredential JS object (response) as JSON and deserialize it (which is also challenging), and then with the request object, we pass it in to get the result after validation of various parameters (challenge, origin, etc). The Java part of it (the server) is not difficult to implement but since this doesn’t support HTTP request & response, I really doubt if it is possible to use this library considering the authentication framework of XWiki (hardly found a place where I could have used XWikiContext and/or XWikiRequest).
- webauthn4j: Similar thing with this library except it does not use the Builder design pattern. We can easily use both of these libraries with the Spring Framework but as of now, it’s quite complicated to use them in XWiki POV. Some parameters like RP ID, and origin, etc., would have multiple instances for a single XWiki user’s WebAuthn credential whenever we use WebAuthn on different wikis on a single client, for example.
I won’t be working on this now but if in the future, any student and/or developer wants to work on it, I welcome them to do so. They can look into this servlet-based implementation which uses java-webauthn-server as a dependency. They can gain valuable info from this post as well as the conversations I had with @tmortagne and can plan accordingly. They can add themselves along with me in the contrib repo. They can create, or update/delete issues in JIRA according to their plans. They should create a new design page considering the library/mechanism of their choice.
If time allows, I will try to assist and review the changes myself. Apart from this, I think it would be great to have “2 Factor Authentication” and “OAuth 2.0 / Social Login” based authenticator in XWiki instead of WebAuthn for the time being since it has not been implemented by the majority of the orgs and with time, maybe we’ll see more suitable Java libraries for the same.
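The challenge, origin and RP ID validation mentioned in the post above, as an added example that is not part of the original thread, of XWiki, or of either library. It shows how one RP ID can cover several wiki origins under the same domain, while an assertion from a different domain fails; the function names, origins and RP ID are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def check_context(client_data_json, authenticator_data, challenge, rp_id, allowed_origins):
    """Return names of failed checks; an empty list means the context is acceptable.

    Signature verification against the stored public key is a separate step, not shown.
    """
    failed = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failed.append("type")
    # The browser echoes the server's challenge as unpadded base64url.
    echoed = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(echoed, b64url(challenge)):
        failed.append("challenge")
    if client.get("origin") not in allowed_origins:
        failed.append("origin")
    # authenticatorData = rpIdHash (32 bytes) || flags (1) || signCount (4) || ...
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    if len(authenticator_data) < 37 or not hmac.compare_digest(authenticator_data[:32], rp_hash):
        failed.append("rpIdHash")
    elif not authenticator_data[32] & 0x01:  # flag bit 0 = user present
        failed.append("userPresent")
    return failed


def sample(origin, signed_rp_id, challenge):
    """Constructed clientDataJSON and authenticatorData, for the demo only."""
    client = {"type": "webauthn.get", "challenge": b64url(challenge).decode(), "origin": origin}
    auth = hashlib.sha256(signed_rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return json.dumps(client).encode(), auth


# Constructed values: one RP ID shared by two hypothetical wiki origins.
CHALLENGE = bytes(range(32))
RP_ID = "wiki.example"
ORIGINS = {"https://main.wiki.example", "https://team.wiki.example"}

if __name__ == "__main__":
    print(check_context(*sample("https://team.wiki.example", RP_ID, CHALLENGE), CHALLENGE, RP_ID, ORIGINS))
    print(check_context(*sample("https://other.example", "other.example", CHALLENGE), CHALLENGE, RP_ID, ORIGINS))
```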
I found this project very educational to get familiar with the webauthn concept: