WebAuthn support #6842

Closed
wants to merge 9 commits into from

@ynojima ynojima commented May 5, 2019

Issue: #5238
Previous PR: #5665

This pull request adds W3C Web Authentication specification support to Spring Security.

It consists of 3 parts.

  • Add MultifactorAuthenticationToken (f5859e9)
  • Implement W3C WebAuthentication specification (adb014e)
  • Add WebAuthn sample application (8808a2c)

Add MultifactorAuthenticationToken

Make a foundation for multi-factor(step) authentication including WebAuthn.

Changes

  • Add MultifactorAuthenticationToken to represent a user in the middle of multi factor(step) authentication process
  • Add MFATokenEvaluator/MFATokenEvaluatorImpl for Authentication type check
  • Make ExceptionTranslationFilter, AuthenticationTrustResolverImpl, and HttpSessionSecurityContextRepository use MFATokenEvaluator to support multi-factor authentication
  • Add MultiFactorAuthenticationProvider, which authenticates a user by delegating to another AuthenticationProvider and generates MultifactorAuthenticationToken

Implement W3C WebAuthentication specification

Adds Web Authentication specification support as spring-security-webauthn module.
Nothing is changed in existing spring security modules.

Add WebAuthn sample application

It is a sample application that demonstrates the spring-security-webauthn module.

Please run with this command.

cd <project root dir>
./gradlew spring-security-samples-javaconfig-webauthn-spa:bootRun

Reference doc

Reference document is not included in this pull request, but the draft exists here: https://sharplab.github.io/spring-security-webauthn/en/
When the design is finalized after the pull request review, I'll rewrite it to fit Spring Security reference doc.

for reviewers

Sorry for the huge pull-request. LoC is increased by sample application to demonstrate concrete usecase.
As the previous commit is not corrected in the later commit, please read commit by commit.

@ynojima
Author

ynojima commented May 13, 2019

Hello @rwinch, just a gentle ping to see if this PR needs any more polish or anything.

@ynojima
Author

ynojima commented May 21, 2019

Hello @rwinch, is there anything I can do for you to move things forward?

@ynojima
Author

ynojima commented Jun 4, 2019

@rwinch One more ping...
Could you take a look at this please?

@rwinch
Member

rwinch commented Jun 7, 2019

Thanks for the ping @ynojima! I'm sorry this somehow got lost in my notifications.

My first reaction is that a pull request with over 300 files is going to take a very long time to merge. Additionally, I love that you have a sample included, but we should try to simplify it a bit. We do not want our users to need to understand Angular to follow the sample (what if they don't know JavaScript, what if they use another JS framework, etc?). We want the focus of the sample to be security not JavaScript. So I suggest we simplify the sample a lot. This will also help with the number of files in the pull request.

Once you have that taken care of, I can start reviewing the code more easily.

@rwinch rwinch added the status: waiting-for-feedback We need additional information before we can continue label Jun 7, 2019
@ynojima
Author

ynojima commented Jun 7, 2019

Thank you for the response! I'll rewrite the sample application without a JS framework.

To implement the authenticator management feature, I thought writing with Angular would make code simple, but it is not good to require users to have knowledge of Angular.
If you have other concerns, please let me know. I'll fix it.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jun 7, 2019
@rwinch rwinch added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Jun 7, 2019
@ynojima ynojima force-pushed the webauthn branch 10 times, most recently from ece8b0c to c3c765a Compare June 16, 2019 14:25
@ynojima
Author

ynojima commented Oct 19, 2019

@rwinch

> For now all of the code should be self contained within the sample application. Pretend (for now) that you are not allowed to modify the Spring Security code base

That's impossible. I have no idea how to implement MFA without modifying spring-security core codebase.
spring-security doesn't have any way to represent a user who has provided first authentication factor but not provided second factor (in the middle of authentication steps).
That's why I send this pull-request.
At least this patch ( f5859e9 ) is needed.
If there is a way, would you propose a sample code?

> This means the sample should not have any new interface or domain objects. I'd expect that the number of .java classes be less than 10.

It's also impossible. WebAuthn is not so simple. I added five commits (be92253, b430a71, ca07572, c9411eb, ba25a7e) temporarily to reduce number of classes by removing test classes and exception class variation for review. These commits need to be reverted later, but I hope this helps your review.

Now the number of files is 62. lines add is 4800+. I know this is still large, but there is no room to remove without damaging core logic.
If you need to focus on smaller part, could we focus on MFA patch ( f5859e9 ) review first?

@rwinch
Member

rwinch commented Oct 21, 2019

> That's impossible. I have no idea how to implement MFA without modifying spring-security core codebase.
> spring-security doesn't have any way to represent a user who has provided first authentication factor but not provided second factor (in the middle of authentication steps).

If you are not aware of a way to do it without modifying the Spring Security code, then let's start even smaller then. Do the same steps (continue to use Spring Boot), but do not use Spring Security.

Here is how we need to proceed:

  • Start off by creating an absolute minimal sample application that uses the latest Spring Boot milestone
  • Your first feature is to implement WebAuthn using a third party library to implement WebAuthn
  • For now all of the code should be self contained within the sample application. Pretend (for now) that you are not allowed to modify the Spring Security code base
  • It is absolutely critical to ensure that the code is as minimal as possible. This means the sample should not have any new interface or domain objects. I'd expect that the number of .java classes be less than 10. The number of classes is a guideline, but keeping it as minimal as possible is a requirement.
  • Create a README file for the sample that explains how to run it
  • Ping me to take a look at the sample. I will review and provide you feedback that includes the next steps.

@ynojima
Author

ynojima commented Oct 21, 2019

Without a framework (spring-security), it cannot be simple. A much larger number of classes is needed compared to the current pull request.

@rwinch
Member

rwinch commented Oct 21, 2019

This seems surprising to me that it cannot be simple. Isn't that what the library should do...make it simple to do?

@rwinch
Member

rwinch commented Oct 21, 2019

Here is something similar to what I had in mind https://github.com/Yubico/java-webauthn-server/tree/master/webauthn-server-demo There are 21 java files in it. The difference would be that we should leverage Spring Boot

@ynojima
Author

ynojima commented Oct 21, 2019

WebAuthn4J is independent from Web frameworks like Spring MVC, WebFlux, ServletAPI, etc. Bridging WebAuthn4J and the Web framework is left to an Authentication framework like Spring Security.
Without Authentication framework, application code needs to cover it. That is what I mean to say.

@rwinch
Member

rwinch commented Oct 21, 2019

> Without Authentication framework, application code needs to cover it.

That makes sense, but it still seems like this can be done in very little code. Does the sample I provided you help?

@ynojima
Author

ynojima commented Oct 23, 2019

I'm doubtful whether creating a sample application like Yubico's one promotes discussions on how to implement MFA into Spring Security.

This is because the Yubico demo does not implement a two-step authentication flow.

A two-step authentication flow with WebAuthn (FIDO-U2F) is to be performed in this way:

1. Authenticate a user by the first authentication factor (e.g. password). (But the authentication must not be regarded as completed at this point.) (Authentication step 1)
2. The server returns the credentialId (https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#credential-id) of the user identified in #1 to the front end
3. Call the WebAuthn JS API in the frontend to generate an Assertion. (You must pass credentialId as one of the parameters of the WebAuthn JS API)
4. Send the assertion to the server and authenticate (Authentication step 2)

In the Yubico demo, step 1 is omitted.
How to implement Step 1 is the key point of how to implement WebAuthn in Spring Security.
It greatly affects the design. Without that, size of code decreases, but it won't be an effective design discussion.

Moreover, Yubico's webauthn-server-demo contains 8,597 lines in /src/main directory. It's not small sample application.
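
Added example, not part of the original comment or of the pull request's code: a plain-Java illustration of the four steps listed above, showing the intermediate state in which the first factor has passed but the login is not yet complete. All class and method names are hypothetical, and the user, password and key pair are constructed sample data. As a simplification the signature is checked over the bare challenge; a real WebAuthn assertion signs the authenticator data together with the client data hash and is validated by a library such as WebAuthn4J.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.*;
import java.util.*;
public class TwoStepLoginDemo { // added illustration; every name here is hypothetical
    enum State { ANONYMOUS, FIRST_FACTOR_ONLY, FULLY_AUTHENTICATED }
    static final class Session { State state = State.ANONYMOUS; String user; byte[] challenge; }
    static final Map<String, String> PASSWORDS = Map.of("alice", "correct horse"); // constructed; real apps store hashes
    static final Map<String, Map<String, PublicKey>> CREDENTIALS = new HashMap<>();
    // Steps 1 and 2: check the first factor, then hand back the user's credentialIds.
    static Set<String> stepOne(Session s, String user, String password) {
        String expected = PASSWORDS.get(user);
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(UTF_8), password.getBytes(UTF_8)))
            throw new SecurityException("bad credentials");
        s.user = user;
        s.state = State.FIRST_FACTOR_ONLY;             // identified, but not logged in
        s.challenge = new byte[32];
        new SecureRandom().nextBytes(s.challenge);
        return CREDENTIALS.getOrDefault(user, Map.of()).keySet();
    }
    // Step 4: accept the assertion only for a session that completed step 1.
    static void stepTwo(Session s, String credentialId, byte[] signature) throws GeneralSecurityException {
        if (s.state != State.FIRST_FACTOR_ONLY) throw new SecurityException("no pending second factor");
        s.state = State.ANONYMOUS;                     // one attempt per challenge; a failure restarts at step 1
        PublicKey key = CREDENTIALS.getOrDefault(s.user, Map.of()).get(credentialId);
        if (key == null) throw new SecurityException("credential not registered for this user");
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(key);
        verifier.update(s.challenge);                  // simplified: bare challenge, not full assertion data
        if (!verifier.verify(signature)) throw new SecurityException("assertion rejected");
        s.state = State.FULLY_AUTHENTICATED;
    }
    static String protectedResource(Session s) {
        if (s.state != State.FULLY_AUTHENTICATED) throw new SecurityException("login incomplete");
        return "hello " + s.user;
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        KeyPair authenticator = gen.generateKeyPair(); // stands in for the user's authenticator
        CREDENTIALS.put("alice", Map.of("cred-1", authenticator.getPublic()));
        Session s = new Session();
        System.out.println("allowed credentials: " + stepOne(s, "alice", "correct horse"));
        try { protectedResource(s); } catch (SecurityException e) { System.out.println("after step 1: " + e.getMessage()); }
        Signature signer = Signature.getInstance("SHA256withECDSA"); // step 3, done on the client side
        signer.initSign(authenticator.getPrivate());
        signer.update(s.challenge);
        stepTwo(s, "cred-1", signer.sign());
        System.out.println("after step 2: " + protectedResource(s));
    }
}
```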

@rwinch
Member

rwinch commented Oct 24, 2019

@ynojima Thanks for the feedback.

We have used this mechanism for providing features in countless features. I am in disbelief that we cannot come up with a minimal sample similar to as I have described. If we cannot provide a minimal sample, I'm worried we will end up with more code than the Spring Security team can maintain. I will spend some time in the next week to investigate further and see.

@rwinch rwinch self-assigned this Oct 31, 2019
@rwinch rwinch removed the status: feedback-provided Feedback has been provided label Oct 31, 2019
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 31, 2019
@rwinch
Member

rwinch commented Nov 1, 2019

@ynojima I put together a simple application that registers a new key and then uses it to authenticate https://github.com/rwinch/spring-security-webauthn

This is certainly a work in progress, but it demos how to use WebAuthn4J within a Spring Boot application. Next week I will work on making it so that it actually updates the security authentication.

@ynojima
Author

ynojima commented Nov 4, 2019

Thank you for showing me an example.
It is simpler than the thing I thought I needed to implement.
I'm looking forward to seeing your next update.

@rwinch
Member

rwinch commented Nov 5, 2019

This is still a work in progress, but I have updated the sample to provide a very simple integration with Spring Security. I also added a very simple README to describe the functionality.

The next steps will be simplifying the setup for a user.

  • Provide default pages for /webauthn/registration and /login/webauthn
  • Simplify access to the properties necessary for registration and log in
  • Provide a basic DSL for configuring the support

@rwinch
Member

rwinch commented Nov 8, 2019

I have cleaned this up a bit more.

  • Removed unnecessary use of https. The app is only intended for localhost and that is a secure context that WebAuthn works in
  • Added a Configurer for the DSL
  • Defaults for all the endpoints

Next up is to introduce domain objects and APIs specific to Spring Security.

@ynojima
Author

ynojima commented May 11, 2020

Any update on this issue?
If you cannot take time to implement this feature by yourself for now, let me try it again based on your PoC (https://github.com/rwinch/spring-security-webauthn).

@rwinch
Member

rwinch commented May 13, 2020

@ynojima Please go ahead and try and work on it based on the sample I have

@ynojima
Author

ynojima commented May 15, 2020

As a first step, I've sent a pull request to your repository for updating WebAuthn4J, which has breaking changes in 0.10.0.RELEASE.
rwinch/spring-security-webauthn#2

You wrote "Next up is to introduce domain objects and APIs specific to Spring Security".
Could you elaborate on it?

@rwinch
Member

rwinch commented May 18, 2020

I merged the PR.

> You wrote "Next up is to introduce domain objects and APIs specific to Spring Security".
> Could you elaborate on it?

It's been a while since I've looked at this. Perhaps start with finding things to fix in the comments. For example:

https://github.com/rwinch/spring-security-webauthn/blob/8dde03044ae183ba6b347c9ed01fc0bf4292ec13/src/main/java/org/springframework/security/web/webauthn/WebAuthnManager.java#L36-L39

https://github.com/rwinch/spring-security-webauthn/blob/8dde03044ae183ba6b347c9ed01fc0bf4292ec13/src/main/java/org/springframework/security/web/webauthn/WebAuthnManager.java#L57

I'd suggest keeping changes small (i.e. a single change at a time) so they are easy to review.

@rwinch
Member

rwinch commented Nov 17, 2021

Closing as progress has stalled. The issue remains to track the desire for the feature gh-5238

@rwinch rwinch closed this Nov 17, 2021