[discuss]: refactor components of the example webapp into a new module & release #59

@mmoayyed

Description

Background

As indicated here, I am in the process of adding WebAuthn support to Apereo CAS. CAS does already support MFA providers such as YubiKey and FIDO U2F with typical flows that account for device registration and authentication, and I'd like to be able to use the library provided here to continue the effort for WebAuthn support.

Progress

Much of the work is already done and is based on the example web application that is available in this repository, which was extremely useful (thank you!). We have started off with v1.6.0 and hope to keep up and/or even contribute to further development of the codebase here by releasing the integration between CAS and WebAuthn and collecting feedback. In doing the work so far, here is what I have had to do:

  • Moved relevant components of the example web application to a webauthn module in the CAS codebase (abstractions such as RegistrationStorage, WebAuthnServer, SessionManager, U2fVerifier, etc.) and wired them up appropriately as Spring Beans (CAS at its core is a Spring Boot/Cloud type of application).
  • Wired in additional flows for registration and authentication as they relate to CAS handling MFA flows in general, much like what is done for YubiKey, etc.
  • Moved client-side code over to the CAS webapp to handle webauthn-related matters between CAS and the browser.

All in all, this has been quite instructive and interesting.

Suggestion

My main concern is the components that are copied from the example web application to CAS. I realize the intention for these might be to just live their life as examples and demonstrations, and one should really start with their own version of the same based on available documentation, but I also think they can be quite reusable and useful to serve as a baseline for implementations and integrations like the one I have (i.e., I did not want to create yet another RegistrationStorage). I would rather not maintain a separate copy of such files, keep it in sync, patch it, match and fix differences in code styles, etc. Rather, it would be much more applicable if such components were available in binary form in a jar that one could, optionally, use and wire into an application.

So my suggestions are:

  • Could we extract the core components of the example webapp out into a separate module?
  • Could we, then, release that module as a separate jar along with other modules here for maximum reuse?

This way, applications such as CAS would not be forced to start from scratch (if they don't want to) and could reuse what is already worked out here and build on top of it, especially for things like support for different types of RegistrationStorage components.

If this does make sense, I am happy to start a modest refactoring process to move things into a new module and submit a pull request for review.

Thank you for your time!
