feat(webauthn): implement refresh using webauth
This change introduces the ability to refresh a session (for example when entering "sudo" mode) using WebAuthn credentials. In this case, it does not matter whether the WebAuthn credentials were registered for MFA or for passwordless flows.

Closes #2284
aeneasr committed Mar 6, 2022
1 parent 6e97641 commit 57f9c9f
Showing 24 changed files with 1,151 additions and 47 deletions.
3 changes: 2 additions & 1 deletion identity/test/pool.go
Expand Up @@ -4,12 +4,13 @@ import (
"context"
"encoding/base64"
"fmt"
"github.com/ory/x/randx"
"strconv"
"strings"
"testing"
"time"

"github.com/ory/x/randx"

"github.com/tidwall/gjson"

"github.com/ory/x/assertx"
10 changes: 9 additions & 1 deletion internal/testhelpers/selfservice_login.go
Expand Up @@ -51,6 +51,7 @@ func NewLoginUIWith401Response(t *testing.T, c *config.Config) *httptest.Server
type initFlowOptions struct {
aal identity.AuthenticatorAssuranceLevel
returnTo string
refresh bool
}

func (o *initFlowOptions) apply(opts []InitFlowWithOption) *initFlowOptions {
Expand All @@ -64,7 +65,7 @@ func getURLFromInitOptions(ts *httptest.Server, path string, forced bool, opts .
o := new(initFlowOptions).apply(opts)
q := url.Values{}

if forced {
if forced || o.refresh {
q.Set("refresh", "true")
}

Expand All @@ -88,12 +89,19 @@ func InitFlowWithAAL(aal identity.AuthenticatorAssuranceLevel) InitFlowWithOptio
o.aal = aal
}
}

func InitFlowWithReturnTo(returnTo string) InitFlowWithOption {
return func(o *initFlowOptions) {
o.returnTo = returnTo
}
}

func InitFlowWithRefresh() InitFlowWithOption {
return func(o *initFlowOptions) {
o.refresh = true
}
}

func InitializeLoginFlowViaBrowser(t *testing.T, client *http.Client, ts *httptest.Server, forced bool, isSPA bool, opts ...InitFlowWithOption) *kratos.SelfServiceLoginFlow {
publicClient := NewSDKCustomClient(ts, client)

2 changes: 1 addition & 1 deletion selfservice/strategy/password/login.go
Expand Up @@ -135,7 +135,7 @@ func (s *Strategy) PopulateLoginMethod(r *http.Request, requestedAAL identity.Au
if identifier == "" {
return nil
}

count, err := s.CountActiveFirstFactorCredentials(id.Credentials)
if err != nil {
return err
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,19 @@
},
"type": "input"
},
{
"attributes": {
"disabled": false,
"name": "csrf_token",
"node_type": "input",
"required": true,
"type": "hidden"
},
"group": "default",
"messages": [],
"meta": {},
"type": "input"
},
{
"attributes": {
"disabled": false,
Expand All @@ -38,18 +51,5 @@
}
},
"type": "input"
},
{
"attributes": {
"disabled": false,
"name": "csrf_token",
"node_type": "input",
"required": true,
"type": "hidden"
},
"group": "default",
"messages": [],
"meta": {},
"type": "input"
}
]
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
[
{
"attributes": {
"disabled": false,
"name": "csrf_token",
"node_type": "input",
"required": true,
"type": "hidden"
},
"group": "default",
"messages": [],
"meta": {},
"type": "input"
},
{
"attributes": {
"disabled": false,
"name": "identifier",
"node_type": "input",
"type": "hidden",
"value": "[email protected]"
},
"group": "default",
"messages": [],
"meta": {},
"type": "input"
},
{
"attributes": {
"disabled": false,
"name": "webauthn_login_trigger",
"node_type": "input",
"type": "button",
"value": ""
},
"group": "webauthn",
"messages": [],
"meta": {
"label": {
"id": 1010008,
"text": "Use security key",
"type": "info"
}
},
"type": "input"
},
{
"attributes": {
"disabled": false,
"name": "webauthn_login",
"node_type": "input",
"type": "hidden",
"value": ""
},
"group": "webauthn",
"messages": [],
"meta": {},
"type": "input"
},
{
"attributes": {
"async": true,
"crossorigin": "anonymous",
"id": "webauthn_script",
"integrity": "sha512-E3ctShTQEYTkfWrjztRCbP77lN7L0jJC2IOd6j8vqUKslvqhX/Ho3QxlQJIeTI78krzAWUQlDXd9JQ0PZlKhzQ==",
"node_type": "script",
"referrerpolicy": "no-referrer",
"type": "text/javascript"
},
"group": "webauthn",
"messages": [],
"meta": {},
"type": "script"
}
]
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
[
{
"attributes": {
"disabled": false,
"name": "csrf_token",
"node_type": "input",
"required": true,
"type": "hidden"
},
"group": "default",
"messages": [],
"meta": {},
"type": "input"
},
{
"attributes": {
"disabled": false,
"name": "identifier",
"node_type": "input",
"type": "hidden",
"value": "[email protected]"
},
"group": "default",
"messages": [],
"meta": {},
"type": "input"
},
{
"attributes": {
"disabled": false,
"name": "webauthn_login_trigger",
"node_type": "input",
"type": "button",
"value": ""
},
"group": "webauthn",
"messages": [],
"meta": {
"label": {
"id": 1010008,
"text": "Use security key",
"type": "info"
}
},
"type": "input"
},
{
"attributes": {
"disabled": false,
"name": "webauthn_login",
"node_type": "input",
"type": "hidden",
"value": ""
},
"group": "webauthn",
"messages": [],
"meta": {},
"type": "input"
},
{
"attributes": {
"async": true,
"crossorigin": "anonymous",
"id": "webauthn_script",
"integrity": "sha512-E3ctShTQEYTkfWrjztRCbP77lN7L0jJC2IOd6j8vqUKslvqhX/Ho3QxlQJIeTI78krzAWUQlDXd9JQ0PZlKhzQ==",
"node_type": "script",
"referrerpolicy": "no-referrer",
"type": "text/javascript"
},
"group": "webauthn",
"messages": [],
"meta": {},
"type": "script"
}
]
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
[
{
"attributes": {
"disabled": false,
"name": "csrf_token",
"node_type": "input",
"required": true,
"type": "hidden"
},
"group": "default",
"messages": [],
"meta": {},
"type": "input"
},
{
"attributes": {
"disabled": false,
"name": "identifier",
"node_type": "input",
"type": "hidden",
"value": "[email protected]"
},
"group": "default",
"messages": [],
"meta": {},
"type": "input"
},
{
"attributes": {
"disabled": false,
"name": "webauthn_login_trigger",
"node_type": "input",
"type": "button",
"value": ""
},
"group": "webauthn",
"messages": [],
"meta": {
"label": {
"id": 1010008,
"text": "Use security key",
"type": "info"
}
},
"type": "input"
},
{
"attributes": {
"disabled": false,
"name": "webauthn_login",
"node_type": "input",
"type": "hidden",
"value": ""
},
"group": "webauthn",
"messages": [],
"meta": {},
"type": "input"
},
{
"attributes": {
"async": true,
"crossorigin": "anonymous",
"id": "webauthn_script",
"integrity": "sha512-E3ctShTQEYTkfWrjztRCbP77lN7L0jJC2IOd6j8vqUKslvqhX/Ho3QxlQJIeTI78krzAWUQlDXd9JQ0PZlKhzQ==",
"node_type": "script",
"referrerpolicy": "no-referrer",
"type": "text/javascript"
},
"group": "webauthn",
"messages": [],
"meta": {},
"type": "script"
}
]
