Add WebAuthn Support to XWiki(GSoC'21 project)

Greetings to the xwiki community! I hope you all are doing good.

This thread will host the discussion/planning/information/update on all things important about my ongoing GSoC 2021 project. The less important/temporary doubts will be asked on the matrix chat.

Design page: AddWebAuthnsupporttoXWiki.
Contrib repository: authenticator-webauthn.
JIRA project: WEBAUTHN.

Student: Mohammad Humayun Khan.
Mentors: Thomas Mortagne and Fawad Ali.

1 Like

Thanks for the update @DamianArado.

It’s a good idea to use this thread to report progress and planning, but It would be better to create dedicated threads if you have specific questions to ask or proposals to make instead of reusing this one as otherwise it will be hard to follow (of course once a dedicated thread get resolved you can reference it here as a status report). Maybe this was your plan already, and you just meant other people asking questions to you on this thread, in which case it’s fine.

1 Like

I was thinking of creating threads regarding a specific topic, in which I will be taking suggestions or/and making a proposal regarding my approach. When they will be resolved, I will mention the summary here, so that everything is well inter-connected.

Exactly.

[Update]: Hi, I wanted to request some time from project development to focus on my university’s end semester theoretical examinations, which are scheduled to be held from 4-12June, unfortunately they got shifted from last week of May here, owing to the Covid crisis.
As of now, I have created the JIRA issues on which I’ll start working after these examinations, i.e., from 13th of June.
Nonetheless, I will keep checking the Forum and matrix #xwiki chat and will be available to communicate anytime. :smiley:

1 Like

Imp. threads regarding the project before the end of Ist Evaluation(16 July) are added here:

1 Like

Hii XWiki community! :wave:

Sharing some updates below:

This project is currently in progress. :grinning:

In case you need any further clarifications and/or you are interested to work with me on this project, catch me up on XWiki matrix chat. (my username: damian_arado). I’ll be available.

Until this point, I ran into these problems which made it difficult to integrate WebAuthn with XWiki:

  • java-webauthn-server: This library can return request objects, which after being serialized to JSON, are passed as a public key argument to navigator.credentials.create() or .get() (WebAuthn JavaScript API) for creating or accessing the credentials. After this, from the client, we retrieve a PublicKeyCredential JS object (response) as JSON and deserialize it (which is also challenging), and then with the request object, we pass it in to get the result after validation of various parameters (challenge, origin, etc). The Java part of it (the server) is not difficult to implement but since this doesn’t support HTTP request & response, I really doubt if it is possible to use this library considering the authentication framework of XWiki (hardly found a place where I could have used XWikiContext and/or XWikiRequest).
  • webauthn4j: Similar thing with this library except it does not use the Builder design pattern. We can easily use both of these libraries with the Spring Framework but as of now, it’s quite complicated to use them in XWiki POV. Some parameters like RP ID, and origin, etc., would have multiple instances for a single XWiki user’s WebAuthn credential whenever we use WebAuthn on different wikis on a single client, for example.

I won’t be working on this now but if in the future, any student and/or developer wants to work on it, I welcome them to do so. They can look into this servlet-based implementation which uses java-webauthn-server as a dependency. They can gain valuable info from this post as well as the conversations I had with @tmortagne and can plan accordingly. They can add themselves along with me in the contrib repo. They can create, or update/delete issues in JIRA according to their plans. They should create a new design page considering the library/mechanism of their choice.

If time allows, I will try to assist and review the changes myself. Apart from this, I think it would be great to have “2 Factor Authentication” and “OAuth 2.0 / Social Login” based authenticator in XWiki instead of WebAuthn for the time being since it is not been implemented by the majority of the orgs and with time, maybe we’ll see more suitable Java libraries for the same.

A big thanks to the whole XWiki community, developers, and my mentors, @tmortagne & @ginpachi who have been quite supportive and helpful! See you around :upside_down_face:

1 Like

Having investigated into webauthn in the past I can relate to your comment of it being difficult to create a test setup, due to the pattern not supporting HTTP request & response. On the browser side this is the same by design. The webauthn javascript object in the browsers only supports HTTPS requests, as sending requests over HTTP is considered insecure. With the only exception when doing the requests both from & to localhost, but apparently java-webauthn-server doesn’t support that.

I found this project very educational to get familiar with the webauthn concept:
https://github.com/line/line-fido2-server