use of org.keycloak.models.credential.WebAuthnCredentialModel in project keycloak by keycloak.
the class WebAuthnCredentialProvider method getCredentialInputFromCredentialModel.
/**
* Convert WebAuthnCredentialModel, which was usually retrieved from DB, to the CredentialInput, which contains data in the webauthn4j specific format
*/
private WebAuthnCredentialModelInput getCredentialInputFromCredentialModel(CredentialModel credential) {
WebAuthnCredentialModel webAuthnCredential = getCredentialFromModel(credential);
WebAuthnCredentialData credData = webAuthnCredential.getWebAuthnCredentialData();
WebAuthnCredentialModelInput auth = new WebAuthnCredentialModelInput(getType());
byte[] credentialId = null;
try {
credentialId = Base64.decode(credData.getCredentialId());
} catch (IOException ioe) {
// NOP
}
AAGUID aaguid = new AAGUID(credData.getAaguid());
COSEKey pubKey = credentialPublicKeyConverter.convertToEntityAttribute(credData.getCredentialPublicKey());
AttestedCredentialData attrCredData = new AttestedCredentialData(aaguid, credentialId, pubKey);
auth.setAttestedCredentialData(attrCredData);
long count = credData.getCounter();
auth.setCount(count);
auth.setCredentialDBId(credential.getId());
auth.setAttestationStatementFormat(credData.getAttestationStatementFormat());
return auth;
}
use of org.keycloak.models.credential.WebAuthnCredentialModel in project keycloak by keycloak.
the class WebAuthnCredentialProvider method isValid.
@Override
public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
if (!WebAuthnCredentialModelInput.class.isInstance(input))
return false;
WebAuthnCredentialModelInput context = WebAuthnCredentialModelInput.class.cast(input);
List<WebAuthnCredentialModelInput> auths = getWebAuthnCredentialModelList(realm, user);
WebAuthnAuthenticationManager webAuthnAuthenticationManager = new WebAuthnAuthenticationManager();
AuthenticationData authenticationData = null;
try {
for (WebAuthnCredentialModelInput auth : auths) {
byte[] credentialId = auth.getAttestedCredentialData().getCredentialId();
if (Arrays.equals(credentialId, context.getAuthenticationRequest().getCredentialId())) {
Authenticator authenticator = new AuthenticatorImpl(auth.getAttestedCredentialData(), auth.getAttestationStatement(), auth.getCount());
// parse
authenticationData = webAuthnAuthenticationManager.parse(context.getAuthenticationRequest());
// validate
AuthenticationParameters authenticationParameters = new AuthenticationParameters(context.getAuthenticationParameters().getServerProperty(), authenticator, context.getAuthenticationParameters().isUserVerificationRequired());
webAuthnAuthenticationManager.validate(authenticationData, authenticationParameters);
logger.debugv("response.getAuthenticatorData().getFlags() = {0}", authenticationData.getAuthenticatorData().getFlags());
CredentialModel credModel = getCredentialStore().getStoredCredentialById(realm, user, auth.getCredentialDBId());
WebAuthnCredentialModel webAuthnCredModel = getCredentialFromModel(credModel);
// update authenticator counter
// counters are an optional feature of the spec - if an authenticator does not support them, it
// will always send zero. MacOS/iOS does this for keys stored in the secure enclave (TouchID/FaceID)
long count = auth.getCount();
if (count > 0) {
webAuthnCredModel.updateCounter(count + 1);
getCredentialStore().updateCredential(realm, user, webAuthnCredModel);
}
logger.debugf("Successfully validated WebAuthn credential for user %s", user.getUsername());
dumpCredentialModel(webAuthnCredModel, auth);
return true;
}
}
} catch (WebAuthnException wae) {
wae.printStackTrace();
throw (wae);
}
// no authenticator matched
return false;
}
use of org.keycloak.models.credential.WebAuthnCredentialModel in project keycloak by keycloak.
the class WebAuthnCredentialProvider method getCredentialModelFromCredentialInput.
/**
* Convert WebAuthn credential input to the model, which can be saved in the persistent storage (DB)
*
* @param input should be typically WebAuthnCredentialModelInput
* @param userLabel label for the credential
*/
public WebAuthnCredentialModel getCredentialModelFromCredentialInput(CredentialInput input, String userLabel) {
if (!supportsCredentialType(input.getType()))
return null;
WebAuthnCredentialModelInput webAuthnModel = (WebAuthnCredentialModelInput) input;
String aaguid = webAuthnModel.getAttestedCredentialData().getAaguid().toString();
String credentialId = Base64.encodeBytes(webAuthnModel.getAttestedCredentialData().getCredentialId());
String credentialPublicKey = credentialPublicKeyConverter.convertToDatabaseColumn(webAuthnModel.getAttestedCredentialData().getCOSEKey());
long counter = webAuthnModel.getCount();
String attestationStatementFormat = webAuthnModel.getAttestationStatementFormat();
final Set<String> transports = webAuthnModel.getTransports().stream().map(AuthenticatorTransport::getValue).collect(Collectors.toSet());
WebAuthnCredentialModel model = WebAuthnCredentialModel.create(getType(), userLabel, aaguid, credentialId, null, credentialPublicKey, counter, attestationStatementFormat, transports);
model.setId(webAuthnModel.getCredentialDBId());
return model;
}
use of org.keycloak.models.credential.WebAuthnCredentialModel in project keycloak by keycloak.
the class WebAuthnRegister method requiredActionChallenge.
@Override
public void requiredActionChallenge(RequiredActionContext context) {
UserModel userModel = context.getUser();
// Use standard UTF-8 charset to get bytes from string.
// Otherwise the platform's default charset is used and it might cause problems later when
// decoded on different system.
String userId = Base64Url.encode(userModel.getId().getBytes(StandardCharsets.UTF_8));
String username = userModel.getUsername();
Challenge challenge = new DefaultChallenge();
String challengeValue = Base64Url.encode(challenge.getValue());
context.getAuthenticationSession().setAuthNote(WebAuthnConstants.AUTH_CHALLENGE_NOTE, challengeValue);
// construct parameters for calling WebAuthn API navigator.credential.create()
// mandatory
WebAuthnPolicy policy = getWebAuthnPolicy(context);
List<String> signatureAlgorithmsList = policy.getSignatureAlgorithm();
String signatureAlgorithms = stringifySignatureAlgorithms(signatureAlgorithmsList);
String rpEntityName = policy.getRpEntityName();
// optional
String rpId = policy.getRpId();
if (rpId == null || rpId.isEmpty())
rpId = context.getUriInfo().getBaseUri().getHost();
String attestationConveyancePreference = policy.getAttestationConveyancePreference();
String authenticatorAttachment = policy.getAuthenticatorAttachment();
String requireResidentKey = policy.getRequireResidentKey();
String userVerificationRequirement = policy.getUserVerificationRequirement();
long createTimeout = policy.getCreateTimeout();
boolean avoidSameAuthenticatorRegister = policy.isAvoidSameAuthenticatorRegister();
String excludeCredentialIds = "";
if (avoidSameAuthenticatorRegister) {
excludeCredentialIds = session.userCredentialManager().getStoredCredentialsByTypeStream(context.getRealm(), userModel, getCredentialType()).map(credentialModel -> {
WebAuthnCredentialModel credModel = WebAuthnCredentialModel.createFromCredentialModel(credentialModel);
return Base64Url.encodeBase64ToBase64Url(credModel.getWebAuthnCredentialData().getCredentialId());
}).collect(Collectors.joining(","));
}
String isSetRetry = null;
if (isFormDataRequest(context.getHttpRequest())) {
isSetRetry = context.getHttpRequest().getDecodedFormParameters().getFirst(WebAuthnConstants.IS_SET_RETRY);
}
Response form = context.form().setAttribute(WebAuthnConstants.CHALLENGE, challengeValue).setAttribute(WebAuthnConstants.USER_ID, userId).setAttribute(WebAuthnConstants.USER_NAME, username).setAttribute(WebAuthnConstants.RP_ENTITY_NAME, rpEntityName).setAttribute(WebAuthnConstants.SIGNATURE_ALGORITHMS, signatureAlgorithms).setAttribute(WebAuthnConstants.RP_ID, rpId).setAttribute(WebAuthnConstants.ATTESTATION_CONVEYANCE_PREFERENCE, attestationConveyancePreference).setAttribute(WebAuthnConstants.AUTHENTICATOR_ATTACHMENT, authenticatorAttachment).setAttribute(WebAuthnConstants.REQUIRE_RESIDENT_KEY, requireResidentKey).setAttribute(WebAuthnConstants.USER_VERIFICATION_REQUIREMENT, userVerificationRequirement).setAttribute(WebAuthnConstants.CREATE_TIMEOUT, createTimeout).setAttribute(WebAuthnConstants.EXCLUDE_CREDENTIAL_IDS, excludeCredentialIds).setAttribute(WebAuthnConstants.IS_SET_RETRY, isSetRetry).createForm("webauthn-register.ftl");
context.challenge(form);
}
use of org.keycloak.models.credential.WebAuthnCredentialModel in project keycloak by keycloak.
the class WebAuthnRegister method processAction.
@Override
public void processAction(RequiredActionContext context) {
MultivaluedMap<String, String> params = context.getHttpRequest().getDecodedFormParameters();
String isSetRetry = params.getFirst(WebAuthnConstants.IS_SET_RETRY);
if (isSetRetry != null && !isSetRetry.isEmpty()) {
requiredActionChallenge(context);
return;
}
context.getEvent().detail(Details.CREDENTIAL_TYPE, getCredentialType());
// receive error from navigator.credentials.create()
String errorMsgFromWebAuthnApi = params.getFirst(WebAuthnConstants.ERROR);
if (errorMsgFromWebAuthnApi != null && !errorMsgFromWebAuthnApi.isEmpty()) {
setErrorResponse(context, WEBAUTHN_ERROR_REGISTER_VERIFICATION, errorMsgFromWebAuthnApi);
return;
}
WebAuthnPolicy policy = getWebAuthnPolicy(context);
String rpId = policy.getRpId();
if (rpId == null || rpId.isEmpty())
rpId = context.getUriInfo().getBaseUri().getHost();
String label = params.getFirst(WebAuthnConstants.AUTHENTICATOR_LABEL);
byte[] clientDataJSON = Base64.getUrlDecoder().decode(params.getFirst(WebAuthnConstants.CLIENT_DATA_JSON));
byte[] attestationObject = Base64.getUrlDecoder().decode(params.getFirst(WebAuthnConstants.ATTESTATION_OBJECT));
String publicKeyCredentialId = params.getFirst(WebAuthnConstants.PUBLIC_KEY_CREDENTIAL_ID);
Origin origin = new Origin(UriUtils.getOrigin(context.getUriInfo().getBaseUri()));
Challenge challenge = new DefaultChallenge(context.getAuthenticationSession().getAuthNote(WebAuthnConstants.AUTH_CHALLENGE_NOTE));
ServerProperty serverProperty = new ServerProperty(origin, rpId, challenge, null);
// check User Verification by considering a malicious user might modify the result of calling WebAuthn API
boolean isUserVerificationRequired = policy.getUserVerificationRequirement().equals(WebAuthnConstants.OPTION_REQUIRED);
final String transportsParam = params.getFirst(WebAuthnConstants.TRANSPORTS);
RegistrationRequest registrationRequest;
if (StringUtil.isNotBlank(transportsParam)) {
final Set<String> transports = new HashSet<>(Arrays.asList(transportsParam.split(",")));
registrationRequest = new RegistrationRequest(attestationObject, clientDataJSON, transports);
} else {
registrationRequest = new RegistrationRequest(attestationObject, clientDataJSON);
}
RegistrationParameters registrationParameters = new RegistrationParameters(serverProperty, isUserVerificationRequired);
WebAuthnRegistrationManager webAuthnRegistrationManager = createWebAuthnRegistrationManager();
try {
// parse
RegistrationData registrationData = webAuthnRegistrationManager.parse(registrationRequest);
// validate
webAuthnRegistrationManager.validate(registrationData, registrationParameters);
showInfoAfterWebAuthnApiCreate(registrationData);
checkAcceptedAuthenticator(registrationData, policy);
WebAuthnCredentialModelInput credential = new WebAuthnCredentialModelInput(getCredentialType());
credential.setAttestedCredentialData(registrationData.getAttestationObject().getAuthenticatorData().getAttestedCredentialData());
credential.setCount(registrationData.getAttestationObject().getAuthenticatorData().getSignCount());
credential.setAttestationStatementFormat(registrationData.getAttestationObject().getFormat());
credential.setTransports(registrationData.getTransports());
// Save new webAuthn credential
WebAuthnCredentialProvider webAuthnCredProvider = (WebAuthnCredentialProvider) this.session.getProvider(CredentialProvider.class, getCredentialProviderId());
WebAuthnCredentialModel newCredentialModel = webAuthnCredProvider.getCredentialModelFromCredentialInput(credential, label);
webAuthnCredProvider.createCredential(context.getRealm(), context.getUser(), newCredentialModel);
String aaguid = newCredentialModel.getWebAuthnCredentialData().getAaguid();
logger.debugv("WebAuthn credential registration success for user {0}. credentialType = {1}, publicKeyCredentialId = {2}, publicKeyCredentialLabel = {3}, publicKeyCredentialAAGUID = {4}", context.getUser().getUsername(), getCredentialType(), publicKeyCredentialId, label, aaguid);
webAuthnCredProvider.dumpCredentialModel(newCredentialModel, credential);
context.getEvent().detail(WebAuthnConstants.PUBKEY_CRED_ID_ATTR, publicKeyCredentialId).detail(WebAuthnConstants.PUBKEY_CRED_LABEL_ATTR, label).detail(WebAuthnConstants.PUBKEY_CRED_AAGUID_ATTR, aaguid);
context.success();
} catch (WebAuthnException wae) {
if (logger.isDebugEnabled())
logger.debug(wae.getMessage(), wae);
setErrorResponse(context, WEBAUTHN_ERROR_REGISTRATION, wae.getMessage());
return;
} catch (Exception e) {
if (logger.isDebugEnabled())
logger.debug(e.getMessage(), e);
setErrorResponse(context, WEBAUTHN_ERROR_REGISTRATION, e.getMessage());
return;
}
}
Aggregations