Interested in joining XWiki for GSOC '21

DamianArado · February 9, 2021, 8:40pm

Hey everyone! I am Mohammad Humayun Khan, a sophomore year computer engineering undergraduate student from ZHCET, India. I am a self-motivated individual who is writing code since the age of 15. I just love the whole process of developing software, to develop the applications that allow people to do specific tasks on a computer or any other device. I can write quality code in C, C++, Python, and Javascript as I have a good grasp of data structures and algorithms and I also do competitive coding on CodeChef and codeforces in my free time as a hobby. I have a good background in frameworks like ExpressJs and Django.

After going through the huge list of organizations that are there, I chose XWiki as I noticed everything is quite organized here. Also, I wanted to work on a project that involves Java programming language as I don’t have much expertise over it, I know the syntax and various other concepts involving Object-Oriented Programming using Java, Conditional Statements, Loops, Exception Handling in Java, etc. By going through the XWiki website, I got to know that development on XWiki platform involves server-side platform programming in Java with Servlet technologies(that is what I have to go through in the coming days), and I am fine with client-side technologies like HTML, CSS, and JS.

Firstly, I checked out the XWiki Guidelines for GSOC. I am completely fine with it. Secondly, after going through the Proposed Projects that are proposed by @tmortagne, I found myself really interested in the project “Add WebAuthn support to XWiki”. I believe it does not require a huge understanding of concepts as I already have an understanding of the HTTP/HTTPS verbs and various authentication systems (user/pass, header, OAuth2, etc.) I am quite confident that considering 10 weeks of time this year, I will be able to complete this project abiding to the deadlines. I am all enthusiastic to start, I will search for ‘servlet programming’, what it is, and most probably will spend time on tutorials as well =).

It would be great if someone can tell me what tools, framework, or technologies of java, I need to know in order to be well-versed with the back-end of the XWiki platform for a quick headstart and since I am using Win10 OS, I will have to do a setup of XWiki locally and see if there are any problems during setup. After gaining enough knowledge, I’ll be moving on to solve JIRA issues by the end of February and along with that, will be discussing the project along with my mentor @tmortagne in March. =)

It’s absolutely my pleasure joining the XWiki community! I am quite confident that I will surely increase my skills and knowledge of Java (which is what I wanted to do for quite some time) while working with an awesome organization like XWiki on this open-source project during GSoC 2021.

Thanks. Good Day,
@DamianArado

My Profile if you to want to check out ->
Linkedin: https://www.linkedin.com/in/mohammad-humayun-khan-b16973147/
GitHub: https://github.com/DamianArado

tmortagne · February 26, 2021, 1:59pm

Hi,

Sorry for the delay and great to see someone interested in working on WebAuthn support.

XWiki does not really use much other frameworks that Servlet APIs and of course XWiki own tools in the area in which the authenticators are running. The first place to look at (after the generic onboarding you probably read already by now) is https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Authentication/ which give pointed to existing authenticators which will be good inspiration and some generic information on how to create a new XWiki authenticator.

On the development tool side you can find quite a lot of info about the development tools used by the various members of the team in XWiki Development Zone (Main.WebHome) - XWiki in general (especially in Development Tools (Community.DevelopmentTools) - XWiki). In general the only things which are really mandatory on this front are Maven and Java, and then you can use whatever development tool you are comfortable with on top of that.

By the way it’s very possible that new ideas were added to https://gsoc.xwiki.org since the last time you look at it.

DamianArado · February 26, 2021, 6:55pm

Thanks a lot for the info. @tmortagne
I’m on it. Yes, new ideas are there, but my prime focus right now is the project “Add WebAuthn support to XWiki” which I personally found, is best for me among the 11 of them.

DamianArado · April 2, 2021, 4:24pm

Hi @tmortagne! What is your preference for the library that we can use for the project?

Is it?

GitHub - webauthn4j/webauthn4j: A portable Java library for WebAuthn and Apple App Attest server side verification
GitHub - Yubico/java-webauthn-server: Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations
or some other…

I am just trying to ask if you have any specific preference?

And regarding the flow, there will be 2 of them:

Registration of a new user:
- new user comes → we first ask them to register → they enter a username → we prompt the user to confirm their presence by making them enter a pin/password,etc → a private and public key pair is generated which will be used in authentication → after registration we show success message
Authentication of an existing user:
- user enters their username → we prompt the user to confirm their presence by making them enter a pin/password,etc → authenticator will then check if there is a match in the public and private ids → if yes, user is logged in

Also, will this project depend on any existing xwiki-authenticator?

tmortagne · April 2, 2021, 4:54pm

Not really as I did not really ever tried any yet.

I don’t understand this flow. Are you are talking about the first time the user access XWiki with a specific browser ?

I don’t think so since it’s a completely new authenticator it should just extend XWikiAuthServiceImpl like the others.

But the WebAuthn authenticator should have a property where you indicate the “real” authenticator to fallback on when there is no private key registered yet on the client.

DamianArado · April 2, 2021, 6:05pm

Okay.

Nope, the first time user access XWiki with a particular supported browser, they go through registration first because if they will do Login there won’t be any credential(username), that they can use, so the prompt will tell them to register first.

Here, the match between the public and private ids mean that there is an assertion that the public-key(credential/username) matches with the private-key(the one stored in the authenticator).

BTW, we will also keep a limit on the number of usernames using which a user can create credentials(the number of public and private key pairs) for any particular supported web browser.

Okay.

I guess for a scenario where the user doesn’t want to use WebAuthn authenticator for any reason(for e.g., when user accesses with any unsupported web browser), we can add a property which links to the “real” authenticator(default authentication).

But, how will it go with XWiki currently allows only one method of authentication to be enabled at a time. This will probably be improved in the future.? WDYT
as written here: https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Authentication/