Understanding the process of webauthn assertions and their responses

Barkley101 · May 1, 2023, 5:03am

What happened?

I am attempting to use the webauthn go package to send a challenge to a Yubikey registered to an org using Okta. I am reaching out in regards to how to correctly implement this process using the pomerium package.

What did you expect to happen?

I have a challenge token from Okta that I want to use with your package to receive the AuthenticatorAssertionResponse see here

How’d it happen?

So far my efforts have fallen short of understanding how to implement the package.

What’s your environment like?

Golang version 1.19.4 darwin/arm64

Additional context

Unsure if this is the correct place to post, did not want to go directly into the Slack for me not understanding the package.

calebdoxsey · May 2, 2023, 2:23pm

Hi Barkley101,

The webauthn package is modeled on the RFC which describes two “ceremonies” for registering and authenticating devices. It can be pretty confusing. I’ve not tried it with a Yubikey but I have tried it with a Google Titan security key.

An example can be found in our verify app:

github.com

pomerium/verify/blob/main/http_webauthn.go

package verify

import (
	"encoding/json"
	"io"
	"net/http"

	"github.com/pomerium/verify/internal/storage"
	"github.com/pomerium/webauthn"
	"github.com/rs/zerolog/log"
)

const maxBodySize = 4 * 1024 * 1024

func (srv *Server) serveAPIWebAuthnAuthenticate(w http.ResponseWriter, r *http.Request) {
	var req storage.WebAuthnAuthenticateRequest
	err := decodeJSONBody(r, &req)
	if err != nil {
		log.Error().Err(err).Msg("bad request for webauthn authenticate")
		http.Error(w, err.Error(), http.StatusBadRequest)

This file has been truncated. show original

And the frontend: