[keycloak-dev] Request for someone to contribute an WebAuthn4j extension

乗松隆志 / NORIMATSU,TAKASHI takashi.norimatsu.ws at hitachi.com
Fri Jun 7 02:22:33 EDT 2019


Hello,

I've sent the pull request for the design document about WebAuthn support.
https://github.com/keycloak/keycloak-community/pull/11

I've already done the preliminary analysis by developing the prototype.
Before moving on to developing product-level code, I'd like to first clarify whether my design is appropriate.

Regards,

Takashi Norimatsu
Hitachi, Ltd.

-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of 乗松隆志 / NORIMATSU,TAKASHI
Sent: Friday, May 10, 2019 4:50 PM
To: 'stian at redhat.com' <stian at redhat.com>; 中村雄一 / NAKAMURA,YUUICHI <yuichi.nakamura.fe at hitachi.com>
Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
Subject: [!]Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension

Thank you for comments.

>* Don't require clicking "Authenticate" button, it's confusing and should happen automatically
>* Use a required action for registration, not an authenticator and custom registration flow. This fits better with the future plans of application initiated actions, and also allows users not self-registered.

Yes, I agree with you. I'll revise our prototype.

>* Don't use custom table for credentials. I see it's marked as an open issue, but just wanted to mention it again. Custom entities are not supported, this has issues with hot-deployment and I don't want to have to add additional tables for each credential type.

Could you please check the following master branch? I hope this would resolve your concern.
https://clicktime.symantec.com/3MAs6Rwqhcr46HvYrs4eB3m7Vc?u=https%3A%2F%2Fgithub.com%2Fwebauthn4j%2Fkeycloak-webauthn-authenticator%2F

First, I referred to the FIDO U2F Authenticator for Keycloak.
https://clicktime.symantec.com/3RZaGXroD3f7kN6dP3qZcUZ7Vc?u=https%3A%2F%2Fgithub.com%2Fstianst%2Fkeycloak-experimental%2Ftree%2Fmaster%2Ffido-u2f

And I've used the existing credential store as follows instead of creating a new table.
https://clicktime.symantec.com/385Nkm51Mqizdw6m5JnezBW7Vc?u=https%3A%2F%2Fgithub.com%2Fwebauthn4j%2Fkeycloak-webauthn-authenticator%2Fissues%2F7

>* Problems on re-build/deploy as mentioned in open issues are related to two things I think. Firstly, the above with regards to custom entities. Secondly, we have an issue that theme resources are not re-loaded on re-load (see https://clicktime.symantec.com/3Lsa2WMfYXDxYYeDYNzSjZu7Vc?u=https%3A%2F%2Fissues.jboss.org%2Fbrowse%2FKEYCLOAK-8044).

I see. I'll watch this issue.

>With regards to testing have you done any research into the possibility of functional testing? I know we've discussed this in the past, but not sure if any progress has been made here.

I'm currently investigating it. Firstly, I'll clarify whether I can use "Web Authentication Testing API" suggested by Yoshikazu Nojima in https://clicktime.symantec.com/3GSzo2tW2LN6YTVVjVbDyLU7Vc?u=https%3A%2F%2Fissues.jboss.org%2Fbrowse%2FKEYCLOAK-9359 for Arquillian integration tests.

Regards,
Takashi Norimatsu

-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Stian Thorgersen
Sent: Monday, April 29, 2019 8:08 PM
To: 中村雄一 / NAKAMURA,YUUICHI <yuichi.nakamura.fe at hitachi.com>
Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
Subject: [!]Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension

Sorry for late reply. Finally found some time to try this out. It works pretty well for me, but here are a few discussion points:

* Don't require clicking "Authenticate" button, it's confusing and should happen automatically
* Use a required action for registration, not an authenticator and custom registration flow. This fits better with the future plans of application initiated actions, and also allows users not self-registered.
* Don't use custom table for credentials. I see it's marked as an open issue, but just wanted to mention it again. Custom entities are not supported, this has issues with hot-deployment and I don't want to have to add additional tables for each credential type.
* Problems on re-build/deploy as mentioned in open issues are related to two things I think. Firstly, the above with regards to custom entities. Secondly, we have an issue that theme resources are not re-loaded on re-load (see https://clicktime.symantec.com/3JzfAFCPayipxzHfDuqGJYs7Vc?u=https%3A%2F%2Fissues.jboss.org%2Fbrowse%2FKEYCLOAK-8044).

With regards to testing have you done any research into the possibility of functional testing? I know we've discussed this in the past, but not sure if any progress has been made here.



On Thu, 11 Apr 2019 at 05:56, 中村雄一 / NAKAMURA,YUUICHI < yuichi.nakamura.fe at hitachi.com> wrote:

> Hi,
>
> We've updated the webauthn authenticator prototype based on webauthn4j :
>
> https://clicktime.symantec.com/3WCzrfPNkLpaxtUGpjWEzmE7Vc?u=https%3A%2F%2Fgithub.com%2Fwebauthn4j%2Fkeycloak-webauthn-authenticator%2Ftree%2Fdemo-completed
>
> We've confirmed that this demo worked well under the following
> environments:
> * U2F with Resident Key Not supported Authenticator Scenario
>   OS : Windows 10
>   Browser : Google Chrome (ver 73), Mozilla FireFox (ver 66)
>   Authenticator : Yubico Security Key
>   Server(RP) : keycloak-5.0.0
>
> * U2F with Resident Key supported Authenticator Scenario
>   OS : Windows 10
>   Browser : Microsoft Edge (ver 44)
>   Authenticator : Internal Fingerprint Authentication Device
>   Server(RP) : keycloak-5.0.0
>
> * UAF with Resident Key supported Authenticator Scenario
>   OS : Windows 10
>   Browser : Microsoft Edge (ver 44)
>   Authenticator : Internal Fingerprint Authentication Device
>   Server(RP) : keycloak-5.0.0
>
> We will continue to improve the prototype, so feedback is welcomed.
>
> Regards,
> Yuichi Nakamura
>
> -----Original Message-----
> From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of 中村雄一 / NAKAMURA,YUUICHI
> Sent: Tuesday, March 19, 2019 4:32 PM
> To: stian at redhat.com
> Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
> Subject: [!]Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension
>
> Hi,
>
> Sorry, we have implemented it only for Edge for now.
> Please wait for other browsers.
>
> > One comment is that it shouldn't create a new table, but rather just
> > serialize the value to the existing credential table in the same way
> > as the FIDO U2F example does [1].
>
> Thank you, we will fix it.
>
> Regards,
> Yuichi Nakamura
>
>
> From: Stian Thorgersen <sthorger at redhat.com>
> Sent: Monday, March 18, 2019 5:49 PM
> To: 中村雄一 / NAKAMURA,YUUICHI <yuichi.nakamura.fe at hitachi.com>
> Cc: keycloak-dev <keycloak-dev at lists.jboss.org>; 乗松隆志 /
> NORIMATSU,TAKASHI
> <takashi.norimatsu.ws at hitachi.com>; 茂木昂士 / MOGI,TAKASHI <takashi.mogi.ep at hitachi.com>; Yoshikazu Nojima <mail at ynojima.net>
> Subject: [!]Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension
>
> Tried this out today and it didn't work for me. I was getting some JS 
> error both on Chrome and Firefox when trying to register authenticator.
>
> One comment is that it shouldn't create a new table, but rather just 
> serialize the value to the existing credential table in the same way 
> as the FIDO U2F example does [1].
>
> [1]
> https://clicktime.symantec.com/3XYorxFfnwRutc8N4z3Ubc77Vc?u=https%3A%2F%2Fgithub.com%2Fstianst%2Fkeycloak-experimental%2Ftree%2Fmaster%2Ffido-u2f
>
> On Fri, 15 Mar 2019 at 08:13, 中村雄一 / NAKAMURA,YUUICHI <yuichi.nakamura.fe at hitachi.com> wrote:
> Hi,
>
> We’ve uploaded the initial prototype of webauthn authenticator below:
> https://clicktime.symantec.com/37NWG7BAMWtR42Swt5VUTw77Vc?u=https%3A%2F%2Fgithub.com%2Fwebauthn4j%2Fkeycloak-webauthn-authenticator
>
> Feedback is welcomed.
>
> From: Stian Thorgersen <sthorger at redhat.com>
> Sent: Thursday, February 28, 2019 6:53 PM
> To: 中村雄一 / NAKAMURA,YUUICHI <yuichi.nakamura.fe at hitachi.com>
> Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
> Subject: [!]Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension
>
> That's great, thanks.
>
> Do you have an idea on roughly when you can have a prototype ready?
>
> On Thu, 28 Feb 2019 at 00:32, 中村雄一 / NAKAMURA,YUUICHI <yuichi.nakamura.fe at hitachi.com> wrote:
> Hi,
>
> My team has begun to help the webauthn4j project, and is going to develop
> a prototype of an authenticator for Keycloak.
> We'd like to take this.
>
> Regards,
> Yuichi Nakamura
> Hitachi, Ltd.
>
> -----Original Message-----
> From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Stian Thorgersen
> Sent: Thursday, February 28, 2019 12:26 AM
> To: keycloak-dev <keycloak-dev at lists.jboss.org>
> Subject: [!][keycloak-dev] Request for someone to contribute an WebAuthn4j extension
>
> A while back I created an experimental extension to Keycloak for FIDO U2F.
> It would be great if someone could adapt this to WebAuthn by
> leveraging the webauthn4j library [1].
>
> Any takers? It shouldn't be hard ;)
>
> [1]
> https://clicktime.symantec.com/3DJdi8ZVRTPPRjKw5d1qT287Vc?u=https%3A%2F%2Fgithub.com%2Fwebauthn4j%2Fwebauthn4j
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
>
> https://clicktime.symantec.com/35NVx3Bd41ZVjjssocqwjpK7Vc?u=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-dev
>