webauthnutil

package v0.22.1

This package is not in the latest version of its module.
Published: May 4, 2023 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Overview

Package webauthnutil contains types and functions for working with the webauthn package.

Index

Constants

const DefaultDeviceType = urlutil.DefaultDeviceType

DefaultDeviceType is the default device type when none is specified.

Variables

This section is empty.

Functions

func GenerateChallenge

func GenerateChallenge(key []byte, expiry time.Time) cryptutil.SecureToken

GenerateChallenge generates a new Challenge.

func GenerateCreationOptions

func GenerateCreationOptions(
	r *http.Request,
	key []byte,
	deviceType *device.Type,
	user *user.User,
) *webauthn.PublicKeyCredentialCreationOptions

GenerateCreationOptions generates creation options for WebAuthn.

func GenerateRequestOptions

func GenerateRequestOptions(
	r *http.Request,
	key []byte,
	deviceType *device.Type,
	knownDeviceCredentials []*device.Credential,
) *webauthn.PublicKeyCredentialRequestOptions

GenerateRequestOptions generates request options for WebAuthn.

func GetCreationOptionsForCredential

func GetCreationOptionsForCredential(
	r *http.Request,
	key []byte,
	deviceType *device.Type,
	user *user.User,
	credential *webauthn.PublicKeyCreationCredential,
) (*webauthn.PublicKeyCredentialCreationOptions, error)

GetCreationOptionsForCredential gets the creation options for the public key creation credential. An error may be returned if the challenge used to generate the credential is invalid.

func GetDeviceCredentialID

func GetDeviceCredentialID(credentialID []byte) string

GetDeviceCredentialID gets the device credential id from a public key credential id.

func GetDeviceType

func GetDeviceType(
	ctx context.Context,
	client databroker.DataBrokerServiceClient,
	deviceTypeID string,
) *device.Type

GetDeviceType gets the device type from the databroker. If the device type does not exist in the databroker a pre-defined device type may be returned.

func GetEffectiveDomain added in v0.21.0

func GetEffectiveDomain(r *http.Request) string

GetEffectiveDomain returns the effective domain for an HTTP request.

func GetRelyingParty added in v0.21.0

GetRelyingParty gets a RelyingParty for the given request and databroker client.

func GetRequestOptionsForCredential

func GetRequestOptionsForCredential(
	r *http.Request,
	key []byte,
	deviceType *device.Type,
	knownDeviceCredentials []*device.Credential,
	credential *webauthn.PublicKeyAssertionCredential,
) (*webauthn.PublicKeyCredentialRequestOptions, error)

GetRequestOptionsForCredential gets the request options for the public key request credential. An error may be returned if the challenge used to generate the credential is invalid.

func GetUserEntity

func GetUserEntity(pomeriumUser *user.User) webauthn.PublicKeyCredentialUserEntity

GetUserEntity gets the PublicKeyCredentialUserEntity from a Pomerium user.

func GetUserEntityID

func GetUserEntityID(pomeriumUserID string) []byte

GetUserEntityID gets the UserEntity ID.

The WebAuthn spec states:

> The user handle of the user account entity. A user handle is an opaque byte sequence with a maximum size of 64 bytes, and is not meant to be displayed to the user.
>
> To ensure secure operation, authentication and authorization decisions MUST be made on the basis of this id member, not the displayName nor name members. See Section 6.1 of [RFC8266].
>
> The user handle MUST NOT contain personally identifying information about the user, such as a username or e-mail address; see §14.6.1 User Handle Contents for details. The user handle MUST NOT be empty, though it MAY be null.

To meet these requirements we hash the user ID (since it's often an email address in the IdP) using a UUID v5 in a custom UUID namespace: 2929d3f7-f0b0-478f-9dd5-970d51eb3859.
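The derivation described above, as an added example rather than the package's own code: an RFC 4122 v5 (SHA-1) UUID computed in the quoted namespace using only the Go standard library. That the handle is returned as the 16 raw UUID bytes rather than the text form, and the refusal of an empty user ID, are assumptions of this example.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// PomeriumUserHandleNamespace is the custom namespace quoted in the package doc.
const PomeriumUserHandleNamespace = "2929d3f7-f0b0-478f-9dd5-970d51eb3859"

// ParseUUID converts the canonical text form of a UUID into its 16 raw bytes.
func ParseUUID(s string) ([16]byte, error) {
	var out [16]byte
	raw, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(raw) != 16 {
		return out, fmt.Errorf("invalid uuid %q", s)
	}
	copy(out[:], raw)
	return out, nil
}

// UUIDv5 is RFC 4122 name-based generation: the first 128 bits of
// SHA-1(namespace || name) with the version and variant bits overwritten.
func UUIDv5(ns [16]byte, name string) [16]byte {
	h := sha1.New()
	h.Write(ns[:])
	h.Write([]byte(name))
	var id [16]byte
	copy(id[:], h.Sum(nil)[:16])
	id[6] = (id[6] & 0x0f) | 0x50 // version 5
	id[8] = (id[8] & 0x3f) | 0x80 // RFC 4122 variant
	return id
}

// UserHandle derives a WebAuthn user handle from a Pomerium user ID as the doc
// describes. Returning the 16 raw UUID bytes (not the text form) is this
// example's assumption; either way it is under 64 bytes and carries no IdP identifier.
func UserHandle(pomeriumUserID string) ([]byte, error) {
	if pomeriumUserID == "" { // a missing ID would give every such user the same handle
		return nil, fmt.Errorf("empty user id")
	}
	ns, err := ParseUUID(PomeriumUserHandleNamespace)
	if err != nil {
		return nil, err
	}
	id := UUIDv5(ns, pomeriumUserID)
	return id[:], nil
}
```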

func NewEnrollmentToken

func NewEnrollmentToken(key []byte, ttl time.Duration, deviceEnrollmentID string) (string, error)

NewEnrollmentToken creates a new EnrollmentToken.

func ParseAndVerifyEnrollmentToken

func ParseAndVerifyEnrollmentToken(key []byte, rawEnrollmentToken string) (string, error)

ParseAndVerifyEnrollmentToken parses and verifies an enrollment token.

Types

type CredentialStorage

type CredentialStorage struct {
	// contains filtered or unexported fields
}

CredentialStorage stores credentials in the databroker.

func NewCredentialStorage

func NewCredentialStorage(client databroker.DataBrokerServiceClient) *CredentialStorage

NewCredentialStorage creates a new CredentialStorage.

func (*CredentialStorage) GetCredential

func (storage *CredentialStorage) GetCredential(
	ctx context.Context,
	credentialID []byte,
) (*webauthn.Credential, error)

GetCredential gets a credential from the databroker.

func (*CredentialStorage) SetCredential

func (storage *CredentialStorage) SetCredential(
	ctx context.Context,
	credential *webauthn.Credential,
) error

SetCredential sets the credential for the enrollment.
