WebAuthn: Add user id to PublicKeyCredentialsCreateOptions, Authenticator and WebAuthnCredentials (#580, #581)

Author: mnylen

vertx-auth-webauthn/src/main/generated/io/vertx/ext/auth/webauthn/AuthenticatorConverter.java

@@ -60,6 +60,10 @@ public static void fromJson(Iterable<java.util.Map.Entry<String, Object>> json,
             obj.setUserName((String)member.getValue());
           }
           break;
+        case "userId":
+          if (member.getValue() instanceof String) {
+            obj.setUserId((String)member.getValue());
+          }
       }
     }
   }
@@ -91,5 +95,8 @@ public static void toJson(Authenticator obj, java.util.Map<String, Object> json)
     if (obj.getUserName() != null) {
       json.put("userName", obj.getUserName());
     }
+    if (obj.getUserId() != null) {
+      json.put("userId", obj.getUserId());
+    }
   }
 }

vertx-auth-webauthn/src/main/generated/io/vertx/ext/auth/webauthn/WebAuthnCredentialsConverter.java

@@ -45,6 +45,11 @@ public static void fromJson(Iterable<java.util.Map.Entry<String, Object>> json,
             obj.setWebauthn(((JsonObject)member.getValue()).copy());
           }
           break;
+        case "userId":
+          if (member.getValue() instanceof String) {
+            obj.setUserId((String)member.getValue());
+          }
+          break;
       }
     }
   }
@@ -69,5 +74,8 @@ public static void toJson(WebAuthnCredentials obj, java.util.Map<String, Object>
     if (obj.getWebauthn() != null) {
       json.put("webauthn", obj.getWebauthn());
     }
+    if (obj.getUserId() != null) {
+      json.put("userId", obj.getUserId());
+    }
   }
 }

vertx-auth-webauthn/src/main/java/io/vertx/ext/auth/webauthn/Authenticator.java

@@ -73,6 +73,11 @@ public class Authenticator {
   private AttestationCertificates attestationCertificates;
   private String fmt;
 
+  /**
+   * The base64 url encoded user handle associated with this authenticator.
+   */
+  private String userId;
+
   public Authenticator() {}
   public Authenticator(JsonObject json) {
     AuthenticatorConverter.fromJson(json, this);
@@ -168,4 +173,13 @@ public Authenticator setAaguid(String aaguid) {
   public String getAaguid() {
     return aaguid;
   }
+
+  public String getUserId() {
+    return userId;
+  }
+
+  public Authenticator setUserId(String userId) {
+    this.userId = userId;
+    return this;
+  }
 }

vertx-auth-webauthn/src/main/java/io/vertx/ext/auth/webauthn/WebAuthn.java

@@ -20,6 +20,7 @@
 import io.vertx.codegen.annotations.VertxGen;
 import io.vertx.core.*;
 import io.vertx.core.json.JsonObject;
+import io.vertx.ext.auth.User;
 import io.vertx.ext.auth.authentication.AuthenticationProvider;
 import io.vertx.ext.auth.webauthn.impl.WebAuthnImpl;
 
@@ -59,7 +60,24 @@ static WebAuthn create(Vertx vertx, WebAuthnOptions options) {
    * Gets a challenge and any other parameters for the {@code navigator.credentials.create()} call.
    *
    * The object being returned is described here <a href="https://w3c.github.io/webauthn/#dictdef-publickeycredentialcreationoptions">https://w3c.github.io/webauthn/#dictdef-publickeycredentialcreationoptions</a>
-   * @param user    - the user object with name and optionally displayName and icon
+   *
+   * The caller should extract the generated challenge and store it, so it can be fetched later for the
+   * {@link #authenticate(JsonObject)} call. The challenge could for example be stored in a session and later
+   * pulled from there.
+   *
+   * The user object should contain base64 url encoded id (the user handle), name and, optionally, displayName and icon.
+   * See the above link for more documentation on the content of the different fields. The user handle should be base64
+   * url encoded. You can use <code>java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(byte[])</code>
+   * to encode any user id bytes to base64 url format.
+   *
+   * For backwards compatibility, if user id is not defined, a random UUID will be generated instead. This has some
+   * drawbacks, as it might cause user to register the same authenticator multiple times.
+   *
+   * Will use the configured {@link #authenticatorFetcher(Function)} to fetch any existing authenticators
+   * by the user id or name. Any authenticators found will be added as excludedCredentials, so the application
+   * knows not to register those again.
+   *
+   * @param user    - the user object with id, name and optionally displayName and icon
    * @param handler server encoded make credentials request
    * @return fluent self
    */
@@ -106,6 +124,7 @@ default WebAuthn getCredentialsOptions(@Nullable String name, Handler<AsyncResul
    *
    * The implementation must consider the following fields <strong>exclusively</strong>, while performing the lookup:
    * <ul>
+   *   <li>{@link Authenticator#getUserId()}</li>
    *   <li>{@link Authenticator#getUserName()}</li>
    *   <li>{@link Authenticator#getCredID()} ()}</li>
    * </ul>

vertx-auth-webauthn/src/main/java/io/vertx/ext/auth/webauthn/WebAuthnCredentials.java

@@ -26,6 +26,7 @@ public class WebAuthnCredentials implements Credentials {
   private String challenge;
   private JsonObject webauthn;
   private String username;
+  private String userId;
   private String origin;
   private String domain;
 
@@ -80,6 +81,15 @@ public WebAuthnCredentials setDomain(String domain) {
     return this;
   }
 
+  public String getUserId() {
+    return userId;
+  }
+
+  public WebAuthnCredentials setUserId(String userId) {
+    this.userId = userId;
+    return this;
+  }
+
   @Override
   public <V> void checkValid(V arg) throws CredentialValidationException {
     if (challenge == null || challenge.length() == 0) {

vertx-auth-webauthn/src/main/java/io/vertx/ext/auth/webauthn/impl/WebAuthnImpl.java

@@ -159,9 +159,20 @@ public WebAuthn authenticatorUpdater(Function<Authenticator, Future<Void>> updat
 
   @Override
   public Future<JsonObject> createCredentialsOptions(JsonObject user) {
+    String userId;
+
+    if (user.getString("id") != null) {
+      userId = user.getString("id");
+    } else if (user.getString("rawId") != null) {
+      // For backwards compatibility, allow using rawId in place of id. Should be removed in future.
+      userId = user.getString("rawId");
+    } else {
+      // For backwards compatibility, if both id and rawId is missing, use a random base64url encoded UUID
+      userId = uUIDtoBase64Url(UUID.randomUUID());
+    }
 
     return fetcher
-      .apply(new Authenticator().setUserName(user.getString("name")))
+      .apply(new Authenticator().setUserId(userId).setUserName(user.getString("name")))
       .map(authenticators -> {
         // empty structure with all required fields
         JsonObject json = new JsonObject()
@@ -177,10 +188,11 @@ public Future<JsonObject> createCredentialsOptions(JsonObject user) {
         putOpt(json.getJsonObject("rp"), "icon", options.getRelyingParty().getIcon());
 
         // put non null values for User
-        putOpt(json.getJsonObject("user"), "id", uUIDtoBase64Url(UUID.randomUUID()));
+        putOpt(json.getJsonObject("user"), "id", userId);
         putOpt(json.getJsonObject("user"), "name", user.getString("name"));
         putOpt(json.getJsonObject("user"), "displayName", user.getString("displayName"));
         putOpt(json.getJsonObject("user"), "icon", user.getString("icon"));
+
         // put the public key credentials parameters
         for (PublicKeyCredential pubKeyCredParam : options.getPubKeyCredParams()) {
           addOpt(
@@ -294,6 +306,7 @@ public void authenticate(Credentials credentials, Handler<AsyncResult<User>> han
       WebAuthnCredentials authInfo = (WebAuthnCredentials) credentials;
       // check
       authInfo.checkValid(null);
+
       // The basic data supplied with any kind of validation is:
       //    {
       //      "rawId": "base64url",
@@ -339,6 +352,7 @@ public void authenticate(Credentials credentials, Handler<AsyncResult<User>> han
       }
 
       // optional data
+
       if (clientData.containsKey("tokenBinding")) {
         JsonObject tokenBinding = clientData.getJsonObject("tokenBinding");
         if (tokenBinding == null) {
@@ -358,6 +372,7 @@ public void authenticate(Credentials credentials, Handler<AsyncResult<User>> han
         }
       }
 
+      final String userId = authInfo.getUserId();
       final String username = authInfo.getUsername();
 
       // Step #4
@@ -379,6 +394,7 @@ public void authenticate(Credentials credentials, Handler<AsyncResult<User>> han
             final Authenticator authrInfo = verifyWebAuthNCreate(authInfo, clientDataJSON);
             // by default the store can upsert if a credential is missing, the user has been verified so it is valid
             // the store however might disallow this operation
+            authrInfo.setUserId(userId);
             authrInfo.setUserName(username);
 
             // the create challenge is complete we can finally safe this
@@ -393,6 +409,7 @@ public void authenticate(Credentials credentials, Handler<AsyncResult<User>> han
           return;
         case "webauthn.get":
           Authenticator query = new Authenticator();
+
           if (options.getRequireResidentKey()) {
             // username are not provided (RK) we now need to lookup by id
             query.setCredID(webauthn.getString("id"));
@@ -402,9 +419,14 @@ public void authenticate(Credentials credentials, Handler<AsyncResult<User>> han
               handler.handle(Future.failedFuture("username can't be null!"));
               return;
             }
+
             query.setUserName(username);
           }
 
+          if (userId != null) {
+            query.setUserId(userId);
+          }
+
           fetcher.apply(query)
             .onFailure(err -> handler.handle(Future.failedFuture(err)))
             .onSuccess(authenticators -> {

vertx-auth-webauthn/src/test/java/io/vertx/ext/auth/webauthn/DummyStore.java

@@ -4,6 +4,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Objects;
 import java.util.stream.Collectors;
 
 public class DummyStore {
@@ -20,17 +21,25 @@ public void clear() {
   }
 
   public Future<List<Authenticator>> fetch(Authenticator query) {
+    if (query.getUserName() == null && query.getCredID() == null && query.getUserId() == null) {
+      return Future.failedFuture(new IllegalArgumentException("Bad authenticator query! All conditions were null"));
+    }
+
     return Future.succeededFuture(
       database.stream()
         .filter(entry -> {
+          boolean matches = true;
           if (query.getUserName() != null) {
-            return query.getUserName().equals(entry.getUserName());
+            matches = query.getUserName().equals(entry.getUserName());
           }
           if (query.getCredID() != null) {
-            return query.getCredID().equals(entry.getCredID());
+            matches = matches || query.getCredID().equals(entry.getCredID());
           }
-          // This is a bad query! both username and credID are null
-          return false;
+          if (query.getUserId() != null) {
+            matches = matches || query.getUserId().equals(entry.getUserId());
+          }
+
+          return matches;
         })
         .collect(Collectors.toList())
     );

vertx-auth-webauthn/src/test/java/io/vertx/ext/auth/webauthn/NavigatorCredentialsCreate.java

@@ -1,6 +1,8 @@
 package io.vertx.ext.auth.webauthn;
 
+import io.vertx.core.json.JsonArray;
 import io.vertx.core.json.JsonObject;
+import io.vertx.ext.auth.impl.Codec;
 import io.vertx.ext.unit.Async;
 import io.vertx.ext.unit.TestContext;
 import io.vertx.ext.unit.junit.RunTestOnContext;
@@ -10,7 +12,13 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
-import static org.junit.Assert.assertNotNull;
+import javax.naming.AuthenticationException;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.UUID;
+
+import static org.junit.Assert.*;
 
 @RunWith(VertxUnitRunner.class)
 public class NavigatorCredentialsCreate {
@@ -36,10 +44,19 @@ public void testRequestRegister(TestContext should) {
       .authenticatorFetcher(database::fetch)
       .authenticatorUpdater(database::store);
 
+    final String userId = Codec.base64UrlEncode(UUID.randomUUID().toString().getBytes());
+
+    // Authenticator to test excludedCredentials
+    database.add(
+      new Authenticator()
+        .setUserId(userId)
+        .setType("public-key")
+        .setCredID("-r1iW_eHUyIpU93f77odIrdUlNVfYzN-JPCTWGtdn-1wxdLxhlS9NmzLNbYsQ7XVZlGSWbh_63E5oFHcNh4JNw")
+    );
+
     // Dummy user
     JsonObject user = new JsonObject()
-      // id is expected to be a base64url string
-      .put("id", "000000000000000000000000")
+      .put("id", userId)
       .put("name", "[email protected]")
       .put("displayName", "John Doe")
       .put("icon", "https://pics.example.com/00/p/aBjjjpqPb.png");
@@ -56,7 +73,77 @@ public void testRequestRegister(TestContext should) {
         assertNotNull(challengeResponse.getJsonArray("pubKeyCredParams"));
         // ensure that challenge and user.id are base64url encoded
         assertNotNull(challengeResponse.getBinary("challenge"));
-        assertNotNull(challengeResponse.getJsonObject("user").getBinary("id"));
+
+        final JsonObject challengeResponseUser = challengeResponse.getJsonObject("user");
+        assertNotNull(challengeResponseUser);
+        assertEquals(userId, challengeResponseUser.getString("id"));
+        assertEquals(user.getString("name"), challengeResponseUser.getString("name"));
+        assertEquals(user.getString("displayName"), challengeResponseUser.getString("displayName"));
+        assertEquals(user.getString("icon"), challengeResponseUser.getString("icon"));
+
+        final JsonArray excludeCredentials = challengeResponse.getJsonArray("excludeCredentials");
+        assertEquals(1, excludeCredentials.size());
+
+        final JsonObject excludeCredential = excludeCredentials.getJsonObject(0);
+        assertEquals("public-key", excludeCredential.getString("type"));
+        assertEquals("-r1iW_eHUyIpU93f77odIrdUlNVfYzN-JPCTWGtdn-1wxdLxhlS9NmzLNbYsQ7XVZlGSWbh_63E5oFHcNh4JNw", excludeCredential.getString("id"));
+        assertEquals(new JsonArray(Arrays.asList("usb", "nfc", "ble", "internal")), excludeCredential.getJsonArray("transports"));
+
+        test.complete();
+      });
+  }
+
+  @Test
+  public void testRequestRegisterWithRawId(TestContext should) {
+    final Async test = should.async();
+
+    WebAuthn webAuthN = WebAuthn.create(
+        rule.vertx(),
+        new WebAuthnOptions().setRelyingParty(new RelyingParty().setName("ACME Corporation"))
+          .setAttestation(Attestation.of("direct")))
+      .authenticatorFetcher(database::fetch)
+      .authenticatorUpdater(database::store);
+
+    final String userId = Codec.base64UrlEncode(UUID.randomUUID().toString().getBytes());
+
+    // Dummy user
+    JsonObject user = new JsonObject()
+      .put("rawId", userId)
+      .put("displayName", "John Doe");
+
+    webAuthN
+      .createCredentialsOptions(user)
+      .onFailure(should::fail)
+      .onSuccess(challengeResponse -> {
+        final JsonObject challengeResponseUser = challengeResponse.getJsonObject("user");
+        assertNotNull(challengeResponseUser);
+        assertEquals("rawId should have been used as-is", user.getString("rawId"), challengeResponseUser.getString("id"));
+        test.complete();
+      });
+  }
+
+  @Test
+  public void testRequestRegisterWithNoId(TestContext should) {
+    final Async test = should.async();
+
+    WebAuthn webAuthN = WebAuthn.create(
+        rule.vertx(),
+        new WebAuthnOptions().setRelyingParty(new RelyingParty().setName("ACME Corporation"))
+          .setAttestation(Attestation.of("direct")))
+      .authenticatorFetcher(database::fetch)
+      .authenticatorUpdater(database::store);
+
+    // Dummy user
+    JsonObject user = new JsonObject()
+      .put("displayName", "John Doe");
+
+    webAuthN
+      .createCredentialsOptions(user)
+      .onFailure(should::fail)
+      .onSuccess(challengeResponse -> {
+        final JsonObject challengeResponseUser = challengeResponse.getJsonObject("user");
+        assertNotNull(challengeResponseUser);
+        assertNotNull("random id should have been generated", challengeResponseUser.getBinary("id"));
         test.complete();
       });
   }