
Recently I have started working on a WebAuthn implementation for a web app.

A POC and basic implementation for create and get work fine with no issues.

I want to understand the publicKey which is to be passed to the authenticator. Should the publicKey be generated on the server or the client? If it is to be generated, or the response from authentication, which will be in binary or UTF format, how can I send it as a request and response from axios?

2 Answers


I want to understand the publicKey which is to be passed to the authenticator. Should the publicKey be generated on the server or the client?

No public key is passed to the authenticator. You pass options that represent the security policy of your application (the RP). Within the options, you have a challenge, which is a random string. The authenticator will receive the options, generate a key pair (private and public keys) depending on the security policy and its capabilities and return a response that contains the public key (during the creation ceremony only).

Neither the client nor the RP is involved in the key GENERATION process. With that said, you have recommendations to follow, as shown in https://www.w3.org/TR/webauthn-2/#sctn-security-considerations. In particular, the challenge should be at least 16 bytes long. See https://www.w3.org/TR/webauthn-2/#sctn-cryptographic-challenges

how can I send it as request and response from axios

I recommend the use of https://simplewebauthn.dev/docs/, which provides easy-to-use functions for communicating with the RP or the client.

Spomky-Labs


The object containing the publicKey should be generated by a server, commonly referred to as the Relying Party.

You can choose to implement the functionality to generate the object with publicKey, or you can opt to use a pre-built library (which is what I recommend).

webauthn.io has a list of libraries that you could leverage, depending on your server-side language of choice.

When it comes to sending your authenticator responses through Axios, I tend to opt for an approach where:

  1. Authenticator generates the response
  2. Call JSON.stringify(response) on the authenticator response
  3. Pass the response string through my API
  4. Decode the JSON string when it reaches my server app
  5. Perform validation
Cody Salas
  • Thanks for the explanation. Suppose the challenge and user ids are generated on the server and sent to the client in encrypted format; even then, should it be generated by the server? – chandra chaitanya Sep 29 '22 at 19:24
  • Yes, your relying party acts as the centralized authority that decides if a user should be authenticated by validating the signed challenge returned by the authenticator. This authority should be consistent for all of your users. It might help you visualize the flow better; I have some documentation on WebAuthn architecture here: https://developers.yubico.com/Developer_Program/WebAuthn_Starter_Kit/Back-end_System_Design.html – Cody Salas Sep 30 '22 at 13:56
  • With that said you could perform offline authentication if an authenticator can utilize an hmac-secret. I have an answer supporting that flow here, but it might be out of scope for what you're trying to accomplish: https://stackoverflow.com/questions/72561218/fido2-authentication-for-offline-net-application/72566184#72566184 – Cody Salas Sep 30 '22 at 14:01