[keycloak-dev] Request for someone to contribute an WebAuthn4j extension

Mon Apr 29 07:08:16 EDT 2019

Sorry for late reply. Finally found some time to try this out. It works
pretty well for me, but here's a few discussion points:

* Don't require clicking "Authenticate" button, it's confusing and should
happen automatically
* Use a required action for registration, not an authenticator and custom
registration flow. This fits better with the future plans of application
initiated actions, and also allows users not self-registered.
* Don't use custom table for credentials. I see it's marked as an open
issue, but just wanted to mention it again. Custom entities are not
supported, this has issues with hot-deployment and I don't want to have to
add additional tables for each credential type.
* Problems on re-build/deploy as mentioned in open issues is related to two
things I think. Firstly, the above with regards to custom entities.
Secondly, we have an issue that theme resources are not re-loaded on
re-load (see https://issues.jboss.org/browse/KEYCLOAK-8044).

With regards to testing have you done any research into possibility of
functional testing? I know we've discussed this in the past, but not sure
if any progress has been made here.

On Thu, 11 Apr 2019 at 05:56, 中村雄一 / NAKAMURA，YUUICHI <
yuichi.nakamura.fe at hitachi.com> wrote:

> Hi,
>
> We've updated the webauthn authenticator prototype based on webauthn4j :
>
> https://github.com/webauthn4j/keycloak-webauthn-authenticator/tree/demo-completed
>
> We've confirmed that this demo worked well under the following
> environments:
> * U2F with Resident Key Not supported Authenticator Scenario
> OS : Windows 10
> Browser : Google Chrome (ver 73), Mozilla FireFox (ver 66)
> Authenticator : Yubico Security Key
> Server(RP) : keycloak-5.0.0
>
> * U2F with Resident Key supported Authenticator Scenario
> OS : Windows 10
> Browser : Microsoft Edge (ver 44)
> Authenticator : Internal Fingerprint Authentication Device
> Server(RP) : keycloak-5.0.0
>
> * UAF with Resident Key supported Authenticator Scenario
> OS : Windows 10
> Browser : Microsoft Edge (ver 44)
> Authenticator : Internal Fingerprint Authentication Device
> Server(RP) : keycloak-5.0.0
>
> We will continue to improve the prototype, so feedback is welcomed.
>
> Regards,
> Yuichi Nakamura
>
> -----Original Message-----
> From: keycloak-dev-bounces at lists.jboss.org <
> keycloak-dev-bounces at lists.jboss.org> On Behalf Of 中村雄一 / NAKAMURA，YUUICHI
> Sent: Tuesday, March 19, 2019 4:32 PM
> To: stian at redhat.com
> Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
> Subject: [!]Re: [keycloak-dev] Request for someone to contribute an
> WebAuthn4j extension
>
> Hi,
>
> Sorry, we have implemented only for Edge now.
> Please wait for other browsers.
>
> > One comment is that it shouldn't create a new table, but rather just
> serialize the value to the existing credential table in the same way as the
> FIDO U2F example does [1].
> Thank you, we will fix.
>
> Regards,
> Yuichi Nakamura
>
>
> From: Stian Thorgersen <sthorger at redhat.com>
> Sent: Monday, March 18, 2019 5:49 PM
> To: 中村雄一 / NAKAMURA，YUUICHI <yuichi.nakamura.fe at hitachi.com>
> Cc: keycloak-dev <keycloak-dev at lists.jboss.org>; 乗松隆志 / NORIMATSU，TAKASHI
> <takashi.norimatsu.ws at hitachi.com>; 茂木昂士 / MOGI，TAKASHI <
> takashi.mogi.ep at hitachi.com>; Yoshikazu Nojima <mail at ynojima.net>
> Subject: [!]Re: [keycloak-dev] Request for someone to contribute an
> WebAuthn4j extension
>
> Tried this out today and it didn't work for me. I was getting some JS
> error both on Chrome and Firefox when trying to register authenticator.
>
> One comment is that it shouldn't create a new table, but rather just
> serialize the value to the existing credential table in the same way as the
> FIDO U2F example does [1].
>
> [1]
> https://clicktime.symantec.com/3XYorxFfnwRutc8N4z3Ubc77Vc?u=https%3A%2F%2Fgithub.com%2Fstianst%2Fkeycloak-experimental%2Ftree%2Fmaster%2Ffido-u2f
>
> On Fri, 15 Mar 2019 at 08:13, 中村雄一 / NAKAMURA，YUUICHI <mailto:
> yuichi.nakamura.fe at hitachi.com> wrote:
> Hi,
>
> We’ve uploaded the initial prototype of webauthn authenticator below:
> https://clicktime.symantec.com/37NWG7BAMWtR42Swt5VUTw77Vc?u=https%3A%2F%2Fgithub.com%2Fwebauthn4j%2Fkeycloak-webauthn-authenticator
>
> Feedback is welcomed.
>
> From: Stian Thorgersen <mailto:sthorger at redhat.com>
> Sent: Thursday, February 28, 2019 6:53 PM
> To: 中村雄一 / NAKAMURA，YUUICHI <mailto:yuichi.nakamura.fe at hitachi.com>
> Cc: keycloak-dev <mailto:keycloak-dev at lists.jboss.org>
> Subject: [!]Re: [keycloak-dev] Request for someone to contribute an
> WebAuthn4j extension
>
> That's great, thanks.
>
> Do you have an idea on roughly when you can have a prototype ready?
>
> On Thu, 28 Feb 2019 at 00:32, 中村雄一 / NAKAMURA，YUUICHI <mailto:mailto:
> yuichi.nakamura.fe at hitachi.com> wrote:
> Hi,
>
> My team has begun to help webauthn4j project, and is going to develop
> prototype of authenticator for keycloak.
> We'd like to take this.
>
> Regards,
> Yuichi Nakamura
> Hitachi, Ltd.
>
> -----Original Message-----
> From: mailto:mailto:keycloak-dev-bounces at lists.jboss.org <mailto:mailto:
> keycloak-dev-bounces at lists.jboss.org> On Behalf Of Stian Thorgersen
> Sent: Thursday, February 28, 2019 12:26 AM
> To: keycloak-dev <mailto:mailto:keycloak-dev at lists.jboss.org>
> Subject: [!][keycloak-dev] Request for someone to contribute an WebAuthn4j
> extension
>
> A while back I created an experimental extension to Keycloak for FIDO U2F.
> It would be great if someone could adapt this to WebAuthn by leveraging
> webauthn4j library [1].
>
> Any takers? It shouldn't be hard ;)
>
> [1]
> https://clicktime.symantec.com/3DJdi8ZVRTPPRjKw5d1qT287Vc?u=https%3A%2F%2Fgithub.com%2Fwebauthn4j%2Fwebauthn4j
> _______________________________________________
> keycloak-dev mailing list
> mailto:mailto:keycloak-dev at lists.jboss.org
>
> https://clicktime.symantec.com/35NVx3Bd41ZVjjssocqwjpK7Vc?u=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-dev
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
>
> https://clicktime.symantec.com/3K7AmDtC5f54UYS4NNrH1wo7Vc?u=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-dev
>