Until this point, I ran into these problems which made it difficult to integrate WebAuthn with XWiki:
- java-webauthn-server: This library can return request objects, which, after being serialized to JSON, are passed as a public key argument to navigator.credentials.create() or .get() (WebAuthn JavaScript API) for creating or accessing the credentials. After this, from the client, we retrieve a PublicKeyCredential JS object (response) as JSON and deserialize it (which is also challenging), and then, together with the request object, we pass it in to get the result after validation of various parameters (challenge, origin, etc.). The Java part of it (the server) is not difficult to implement, but since this doesn’t support HTTP request & response, I really doubt if it is possible to use this library considering the authentication framework of XWiki (I hardly found a place where I could have used XWikiContext and/or XWikiRequest).
- webauthn4j: Similar thing with this library, except it does not use the Builder design pattern. We can easily use both of these libraries with the Spring Framework, but as of now, it’s quite complicated to use them from an XWiki POV. Some parameters like RP ID, origin, etc., would have multiple instances for a single XWiki user’s WebAuthn credential whenever we use WebAuthn on different wikis on a single client, for example.
I won’t be working on this now but if in the future, any student and/or developer wants to work on it, I welcome them to do so. They can look into this servlet-based implementation which uses java-webauthn-server as a dependency. They can gain valuable info from this post as well as the conversations I had with @tmortagne and can plan accordingly. They can add themselves along with me in the contrib repo. They can create, or update/delete issues in JIRA according to their plans. They should create a new design page considering the library/mechanism of their choice.
If time allows, I will try to assist and review the changes myself. Apart from this, I think it would be great to have “2 Factor Authentication” and “OAuth 2.0 / Social Login” based authenticators in XWiki instead of WebAuthn for the time being, since it has not been implemented by the majority of the orgs, and with time, maybe we’ll see more suitable Java libraries for the same.
A big thanks to the whole XWiki community, developers, and my mentors, @tmortagne & @ginpachi, who have been quite supportive and helpful! See you around
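The serialization step the post calls challenging is the conversion between the base64url strings in the server's JSON and the ArrayBuffers that the WebAuthn browser API produces and consumes. The following browser-side glue is an added example, not code from the post or from java-webauthn-server; it assumes the creation options JSON has the `{"publicKey": {...}}` shape with base64url-encoded `challenge`, `user.id` and `excludeCredentials[].id` fields, which is what a library like java-webauthn-server emits.

```javascript
// Base64url (RFC 4648 section 5) helpers; btoa/atob exist in browsers and in Node >= 16.
function bufferToBase64url(buf) {
  const bytes = new Uint8Array(buf);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64urlToBuffer(s) {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(padded);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

// Server -> browser: the binary fields arrive as base64url strings (assumed JSON shape:
// {"publicKey": {...}}), but navigator.credentials.create() requires BufferSource values.
function creationOptionsFromJson(json) {
  const opts = (typeof json === "string" ? JSON.parse(json) : json).publicKey;
  return {
    publicKey: {
      ...opts,
      challenge: base64urlToBuffer(opts.challenge),
      user: { ...opts.user, id: base64urlToBuffer(opts.user.id) },
      excludeCredentials: (opts.excludeCredentials || []).map((c) => ({
        ...c,
        id: base64urlToBuffer(c.id),
      })),
    },
  };
}

// Browser -> server: a PublicKeyCredential holds ArrayBuffers, which JSON.stringify would
// turn into {} and lose; encode each one so the server can parse the registration response.
function credentialToJson(cred) {
  const r = cred.response;
  return JSON.stringify({
    id: cred.id,
    rawId: bufferToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bufferToBase64url(r.clientDataJSON),
      attestationObject: bufferToBase64url(r.attestationObject),
    },
    clientExtensionResults: cred.getClientExtensionResults ? cred.getClientExtensionResults() : {},
  });
}
```

In the browser the flow is `navigator.credentials.create(creationOptionsFromJson(serverJson))` followed by posting `credentialToJson(credential)` back to the server; the server then checks the challenge and origin against the request object it stored, exactly as the post describes.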