spring security 4 way authentication with fido e.g. yubikey

Question

I've already looked at WebAuthn4J Spring Security. I'm not asking "What library do I use to implement yubikey authentication" my question is "How do I perform 4 way authentication using the spring security framework?". Spring security seems to have the ideology that you can perform any type of authentication in a 2-way handshake, but this is not possible with yubikey authentication since the steps are

client sends username
server sends challenge for that username
client signs that challenge
server accepts or rejects the clients signature

The server cannot send the challenge before it's told the username, and the client has nothing to sign until it's sent a challenge. How do I instruct the spring security framework that I need 4 steps and not just 2?

score 4 · Answer 1 · answered Oct 10 '20 at 13:02

4

I'm an author of WebAuthn4J Spring Security. WebAuthn4J Spring Security has two sample applications. Hopefully these code might help you.

WebAuthn4J Spring Security SPA
WebAuthn4J Spring Security MPA

https://github.com/webauthn4j/webauthn4j-spring-security/tree/master/samples

https://webauthn4j.github.io/webauthn4j-spring-security/en/#sample-application

answered Oct 10 '20 at 13:02

ynojima

41
2

Could you please explain how it works conceptually? – trogper May 03 '23 at 22:20

spring security 4 way authentication with fido e.g. yubikey

1 Answers1