[keycloak-dev] Request for someone to contribute an WebAuthn4j extension

乗松隆志 / NORIMATSU,TAKASHI takashi.norimatsu.ws at hitachi.com
Fri May 10 03:49:30 EDT 2019


Thank you for the comments.

>* Don't require clicking "Authenticate" button, it's confusing and should happen automatically
>* Use a required action for registration, not an authenticator and custom registration flow. This fits better with the future plans of application initiated actions, and also allows users not self-registered.

Yes, I agree with you. I'll revise our prototype.

>* Don't use custom table for credentials. I see it's marked as an open issue, but just wanted to mention it again. Custom entities are not supported, this has issues with hot-deployment and I don't want to have to add additional tables for each credential type.

Could you please check the following master branch? I hope this would resolve your concern.
https://github.com/webauthn4j/keycloak-webauthn-authenticator/

At first, I've referred to FIDO U2F Authenticator for Keycloak.
https://github.com/stianst/keycloak-experimental/tree/master/fido-u2f

And, I've used the existing credential store as follows instead of creating a new table.
https://github.com/webauthn4j/keycloak-webauthn-authenticator/issues/7

>* Problems on re-build/deploy as mentioned in open issues is related to two things I think. Firstly, the above with regards to custom entities. Secondly, we have an issue that theme resources are not re-loaded on re-load (see https://issues.jboss.org/browse/KEYCLOAK-8044).

I see. I'll watch this issue.

>With regards to testing have you done any research into possibility of functional testing? I know we've discussed this in the past, but not sure if any progress has been made here.

I'm currently investigating it. Firstly, I'll clarify whether I can use "Web Authentication Testing API" suggested by Yoshikazu Nojima in https://issues.jboss.org/browse/KEYCLOAK-9359 for Arquillian integration tests.

Regards,
Takashi Norimatsu

-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Stian Thorgersen
Sent: Monday, April 29, 2019 8:08 PM
To: 中村雄一 / NAKAMURA,YUUICHI <yuichi.nakamura.fe at hitachi.com>
Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
Subject: [!]Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension

Sorry for late reply. Finally found some time to try this out. It works pretty well for me, but here's a few discussion points:

* Don't require clicking "Authenticate" button, it's confusing and should happen automatically
* Use a required action for registration, not an authenticator and custom registration flow. This fits better with the future plans of application initiated actions, and also allows users not self-registered.
* Don't use custom table for credentials. I see it's marked as an open issue, but just wanted to mention it again. Custom entities are not supported, this has issues with hot-deployment and I don't want to have to add additional tables for each credential type.
* Problems on re-build/deploy as mentioned in open issues is related to two things I think. Firstly, the above with regards to custom entities.
Secondly, we have an issue that theme resources are not re-loaded on re-load (see https://issues.jboss.org/browse/KEYCLOAK-8044).

With regards to testing have you done any research into possibility of functional testing? I know we've discussed this in the past, but not sure if any progress has been made here.



On Thu, 11 Apr 2019 at 05:56, 中村雄一 / NAKAMURA,YUUICHI < yuichi.nakamura.fe at hitachi.com> wrote:

> Hi,
>
> We've updated the webauthn authenticator prototype based on webauthn4j :
>
> https://github.com/webauthn4j/keycloak-webauthn-authenticator/tree/demo-completed
>
> We've confirmed that this demo worked well under the following
> environments:
> * U2F with Resident Key Not supported Authenticator Scenario
>   OS : Windows 10
>   Browser : Google Chrome (ver 73), Mozilla FireFox (ver 66)
>   Authenticator : Yubico Security Key
>   Server(RP) : keycloak-5.0.0
>
> * U2F with Resident Key supported Authenticator Scenario
>   OS : Windows 10
>   Browser : Microsoft Edge (ver 44)
>   Authenticator : Internal Fingerprint Authentication Device
>   Server(RP) : keycloak-5.0.0
>
> * UAF with Resident Key supported Authenticator Scenario
>   OS : Windows 10
>   Browser : Microsoft Edge (ver 44)
>   Authenticator : Internal Fingerprint Authentication Device
>   Server(RP) : keycloak-5.0.0
>
> We will continue to improve the prototype, so feedback is welcomed.
>
> Regards,
> Yuichi Nakamura
>
> -----Original Message-----
> From: keycloak-dev-bounces at lists.jboss.org < 
> keycloak-dev-bounces at lists.jboss.org> On Behalf Of 中村雄一 / 
> NAKAMURA,YUUICHI
> Sent: Tuesday, March 19, 2019 4:32 PM
> To: stian at redhat.com
> Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
> Subject: [!]Re: [keycloak-dev] Request for someone to contribute an 
> WebAuthn4j extension
>
> Hi,
>
> Sorry, we have implemented only for Edge now.
> Please wait for other browsers.
>
> > One comment is that it shouldn't create a new table, but rather just
> > serialize the value to the existing credential table in the same way
> > as the FIDO U2F example does [1].
>
> Thank you, we will fix.
>
> Regards,
> Yuichi Nakamura
>
>
> From: Stian Thorgersen <sthorger at redhat.com>
> Sent: Monday, March 18, 2019 5:49 PM
> To: 中村雄一 / NAKAMURA,YUUICHI <yuichi.nakamura.fe at hitachi.com>
> Cc: keycloak-dev <keycloak-dev at lists.jboss.org>; 乗松隆志 / 
> NORIMATSU,TAKASHI
> <takashi.norimatsu.ws at hitachi.com>; 茂木昂士 / MOGI,TAKASHI < 
> takashi.mogi.ep at hitachi.com>; Yoshikazu Nojima <mail at ynojima.net>
> Subject: [!]Re: [keycloak-dev] Request for someone to contribute an 
> WebAuthn4j extension
>
> Tried this out today and it didn't work for me. I was getting some JS 
> error both on Chrome and Firefox when trying to register authenticator.
>
> One comment is that it shouldn't create a new table, but rather just 
> serialize the value to the existing credential table in the same way 
> as the FIDO U2F example does [1].
>
> [1]
> https://github.com/stianst/keycloak-experimental/tree/master/fido-u2f
>
> On Fri, 15 Mar 2019 at 08:13, 中村雄一 / NAKAMURA,YUUICHI <yuichi.nakamura.fe at hitachi.com> wrote:
> Hi,
>
> We’ve uploaded the initial prototype of webauthn authenticator below:
> https://github.com/webauthn4j/keycloak-webauthn-authenticator
>
> Feedback is welcomed.
>
> From: Stian Thorgersen <sthorger at redhat.com>
> Sent: Thursday, February 28, 2019 6:53 PM
> To: 中村雄一 / NAKAMURA,YUUICHI <yuichi.nakamura.fe at hitachi.com>
> Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
> Subject: [!]Re: [keycloak-dev] Request for someone to contribute an 
> WebAuthn4j extension
>
> That's great, thanks.
>
> Do you have an idea on roughly when you can have a prototype ready?
>
> On Thu, 28 Feb 2019 at 00:32, 中村雄一 / NAKAMURA,YUUICHI <yuichi.nakamura.fe at hitachi.com> wrote:
> Hi,
>
> My team has begun to help webauthn4j project, and is going to develop 
> prototype of authenticator for keycloak.
> We'd like to take this.
>
> Regards,
> Yuichi Nakamura
> Hitachi, Ltd.
>
> -----Original Message-----
> From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Stian Thorgersen
> Sent: Thursday, February 28, 2019 12:26 AM
> To: keycloak-dev <keycloak-dev at lists.jboss.org>
> Subject: [!][keycloak-dev] Request for someone to contribute an 
> WebAuthn4j extension
>
> A while back I created an experimental extension to Keycloak for FIDO U2F.
> It would be great if someone could adapt this to WebAuthn by 
> leveraging webauthn4j library [1].
>
> Any takers? It shouldn't be hard ;)
>
> [1]
> https://github.com/webauthn4j/webauthn4j
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev