Merge pull request #71 from privacyidea/passkey

lukasmatusiewicz · web-flow · commit fe769f171f6c · 2025-03-26T10:23:32.000+01:00
passkey functions and constants
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -40,7 +40,7 @@ jobs:
         echo "branches = ${{ steps.jacoco.outputs.branches }}"
 
     - name: Upload JaCoCo coverage report as a workflow artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: jacoco-report
         path: target/site/jacoco/
diff --git a/pom.xml b/pom.xml
@@ -48,7 +48,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.8.1</version>
+                <version>3.13.0</version>
                 <configuration>
                     <source>11</source>
                     <target>11</target>
diff --git a/src/main/java/org/privacyidea/Endpoint.java b/src/main/java/org/privacyidea/Endpoint.java
@@ -125,21 +125,21 @@ void sendRequestAsync(String endpoint, Map<String, String> params, Map<String, S
         }
         privacyIDEA.log(method + " " + endpoint);
         params.forEach((k, v) ->
-                           {
+                       {
                            if (k.equals("pass") || k.equals("password"))
                            {
                                v = "*".repeat(v.length());
                            }
                            privacyIDEA.log(k + "=" + v);
-                           });
+                       });
 
         if (GET.equals(method))
         {
             params.forEach((key, value) ->
-                               {
+                           {
                                String encValue = URLEncoder.encode(value, StandardCharsets.UTF_8);
                                urlBuilder.addQueryParameter(key, encValue);
-                               });
+                           });
         }
 
         String url = urlBuilder.build().toString();
@@ -157,7 +157,7 @@ void sendRequestAsync(String endpoint, Map<String, String> params, Map<String, S
         {
             FormBody.Builder formBodyBuilder = new FormBody.Builder();
             params.forEach((key, value) ->
-                               {
+                           {
                                if (key != null && value != null)
                                {
                                    String encValue = value;
@@ -169,13 +169,13 @@ void sendRequestAsync(String endpoint, Map<String, String> params, Map<String, S
                                    }
                                    formBodyBuilder.add(key, encValue);
                                }
-                               });
+                           });
             // This switches okhttp to make a post request
             requestBuilder.post(formBodyBuilder.build());
         }
 
         Request request = requestBuilder.build();
-        //privacyIDEA.log("HEADERS:\n" + request.headers().toString());
+        //privacyIDEA.log("HEADERS:\n" + request.headers());
         client.newCall(request).enqueue(callback);
     }
 }
diff --git a/src/main/java/org/privacyidea/JSONParser.java b/src/main/java/org/privacyidea/JSONParser.java
@@ -129,7 +129,7 @@ public PIResponse parsePIResponse(String serverResponse)
         if (result != null)
         {
             String r = getString(result, AUTHENTICATION);
-            for (AuthenticationStatus as: AuthenticationStatus.values())
+            for (AuthenticationStatus as : AuthenticationStatus.values())
             {
                 if (as.toString().equals(r))
                 {
@@ -168,14 +168,25 @@ else if ("interactive".equals(modeFromResponse))
                 response.preferredClientMode = modeFromResponse;
             }
             response.message = getString(detail, MESSAGE);
+            response.username = getString(detail, USERNAME);
             response.image = getString(detail, IMAGE);
             response.serial = getString(detail, SERIAL);
             response.transactionID = getString(detail, TRANSACTION_ID);
             response.type = getString(detail, TYPE);
             response.otpLength = getInt(detail, OTPLEN);
-
+            JsonObject passkeyChallenge = detail.getAsJsonObject(PASSKEY);
+            if (passkeyChallenge != null && !passkeyChallenge.isJsonNull())
+            {
+                response.passkeyChallenge = passkeyChallenge.toString();
+                // The passkey challenge can contain a transaction id, use that if none was set prior
+                // This will happen if the passkey challenge was requested via /validate/initialize
+                if (response.transactionID == null || response.transactionID.isEmpty())
+                {
+                    response.transactionID = getString(passkeyChallenge, TRANSACTION_ID);
+                }
+            }
             String r = getString(detail, CHALLENGE_STATUS);
-            for (ChallengeStatus cs: ChallengeStatus.values())
+            for (ChallengeStatus cs : ChallengeStatus.values())
             {
                 if (cs.toString().equals(r))
                 {
@@ -187,12 +198,12 @@ else if ("interactive".equals(modeFromResponse))
             if (arrMessages != null)
             {
                 arrMessages.forEach(val ->
-                                        {
+                                    {
                                         if (val != null)
                                         {
                                             response.messages.add(val.getAsString());
                                         }
-                                        });
+                                    });
             }
 
             JsonArray arrChallenges = detail.getAsJsonArray(MULTI_CHALLENGE);
@@ -208,6 +219,17 @@ else if ("interactive".equals(modeFromResponse))
                     String transactionID = getString(challenge, TRANSACTION_ID);
                     String type = getString(challenge, TYPE);
 
+                    if (challenge.has(PASSKEY_REGISTRATION))
+                    {
+                        response.passkeyRegistration = challenge.get(PASSKEY_REGISTRATION).toString();
+                        // TODO for passkey registration with enroll_via_multichallenge, the txid is probably in the wrong place
+                        // as of 3.11.0
+                        if (response.transactionID == null || response.transactionID.isEmpty())
+                        {
+                            response.transactionID = transactionID;
+                        }
+                    }
+
                     if (TOKEN_TYPE_WEBAUTHN.equals(type))
                     {
                         String webauthnSignRequest = getItemFromAttributes(WEBAUTHN_SIGN_REQUEST, challenge);
@@ -352,24 +374,24 @@ private TokenInfo parseSingleTokenInfo(String json)
         if (joInfo != null)
         {
             joInfo.entrySet().forEach(entry ->
-                                          {
+                                      {
                                           if (entry.getKey() != null && entry.getValue() != null)
                                           {
                                               info.info.put(entry.getKey(), entry.getValue().getAsString());
                                           }
-                                          });
+                                      });
         }
 
         JsonArray arrRealms = obj.getAsJsonArray(REALMS);
         if (arrRealms != null)
         {
             arrRealms.forEach(val ->
-                                  {
+                              {
                                   if (val != null)
                                   {
                                       info.realms.add(val.getAsString());
                                   }
-                                  });
+                              });
         }
         return info;
     }
@@ -465,7 +487,7 @@ Map<String, String> parseWebAuthnSignResponse(String json)
         }
         catch (JsonSyntaxException e)
         {
-            privacyIDEA.error("WebAuthn sign response has the wrong format: " + e.getLocalizedMessage());
+            privacyIDEA.error("FIDO2 sign response has the wrong format: " + e.getLocalizedMessage());
             return null;
         }
 
@@ -488,6 +510,40 @@ Map<String, String> parseWebAuthnSignResponse(String json)
         return params;
     }
 
+    Map<String, String> parseFIDO2AuthenticationResponse(String json)
+    {
+        Map<String, String> params = new LinkedHashMap<>();
+        JsonObject obj;
+        try
+        {
+            obj = JsonParser.parseString(json).getAsJsonObject();
+        }
+        catch (JsonSyntaxException e)
+        {
+            privacyIDEA.error("FIDO2 sign response has the wrong format: " + e.getLocalizedMessage());
+            return null;
+        }
+
+        params.put(CREDENTIAL_ID, getString(obj, CREDENTIAL_ID));
+        params.put(CLIENTDATAJSON, getString(obj, CLIENTDATAJSON));
+        params.put(SIGNATURE, getString(obj, SIGNATURE));
+        params.put(AUTHENTICATOR_DATA, getString(obj, AUTHENTICATOR_DATA));
+
+        // The userhandle and assertionclientextension fields are optional
+        String userhandle = getString(obj, USERHANDLE);
+        if (!userhandle.isEmpty())
+        {
+            params.put(USERHANDLE, userhandle);
+        }
+        String extensions = getString(obj, ASSERTIONCLIENTEXTENSIONS);
+        if (!extensions.isEmpty())
+        {
+            params.put(ASSERTIONCLIENTEXTENSIONS, extensions);
+        }
+        return params;
+    }
+
+
     private boolean getBoolean(JsonObject obj, String name)
     {
         JsonPrimitive primitive = getPrimitiveOrNull(obj, name);
@@ -521,4 +577,26 @@ private JsonPrimitive getPrimitiveOrNull(JsonObject obj, String name)
         }
         return primitive;
     }
-}
+
+    public Map<String, String> parseFIDO2RegistrationResponse(String registrationResponse)
+    {
+        Map<String, String> params = new LinkedHashMap<>();
+        JsonObject obj;
+        try
+        {
+            obj = JsonParser.parseString(registrationResponse).getAsJsonObject();
+        }
+        catch (JsonSyntaxException e)
+        {
+            privacyIDEA.error("Passkey registration response is not JSON: " + e.getLocalizedMessage());
+            return null;
+        }
+
+        params.put(CREDENTIAL_ID, getString(obj, CREDENTIAL_ID));
+        params.put(CLIENTDATAJSON, getString(obj, CLIENTDATAJSON));
+        params.put(ATTESTATION_OBJECT, getString(obj, ATTESTATION_OBJECT));
+        params.put(AUTHENTICATOR_ATTACHMENT, getString(obj, AUTHENTICATOR_ATTACHMENT));
+        params.put(RAW_ID, getString(obj, RAW_ID));
+        return params;
+    }
+}
diff --git a/src/main/java/org/privacyidea/PIConstants.java b/src/main/java/org/privacyidea/PIConstants.java
@@ -21,10 +21,6 @@
 
 public class PIConstants
 {
-    private PIConstants()
-    {
-    }
-
     public static final String GET = "GET";
     public static final String POST = "POST";
 
@@ -34,6 +30,7 @@ private PIConstants()
     public static final String ENDPOINT_TRIGGERCHALLENGE = "/validate/triggerchallenge";
     public static final String ENDPOINT_POLLTRANSACTION = "/validate/polltransaction";
     public static final String ENDPOINT_VALIDATE_CHECK = "/validate/check";
+    public static final String ENDPOINT_VALIDATE_INITIALIZE = "/validate/initialize";
     public static final String ENDPOINT_TOKEN = "/token/";
 
     public static final String HEADER_ORIGIN = "Origin";
@@ -43,6 +40,7 @@ private PIConstants()
     // TOKEN TYPES
     public static final String TOKEN_TYPE_PUSH = "push";
     public static final String TOKEN_TYPE_WEBAUTHN = "webauthn";
+    public static final String TOKEN_TYPE_PASSKEY = "passkey";
 
     // JSON KEYS
     public static final String USERNAME = "username";
@@ -81,20 +79,28 @@ private PIConstants()
     public static final String ID = "id";
     public static final String MAXFAIL = "maxfail";
     public static final String INFO = "info";
+    public static final String PASSKEY_REGISTRATION = "passkey_registration";
+    public static final String AUTH_FORM = "authenticationForm";
+    public static final String AUTH_FORM_RESULT = "authenticationFormResult";
 
-    // WebAuthn params
+    // WebAuthn/Passkey params
     public static final String WEBAUTHN_SIGN_REQUEST = "webAuthnSignRequest";
     public static final String CREDENTIALID = "credentialid";
+    public static final String CREDENTIAL_ID = "credential_id";
     public static final String CLIENTDATA = "clientdata";
+    public static final String CLIENTDATAJSON = "clientDataJSON";
     public static final String SIGNATUREDATA = "signaturedata";
     public static final String AUTHENTICATORDATA = "authenticatordata";
+    public static final String AUTHENTICATOR_DATA = "authenticatorData";
     public static final String USERHANDLE = "userhandle";
     public static final String ASSERTIONCLIENTEXTENSIONS = "assertionclientextensions";
-
+    public static final String PASSKEY = "passkey";
+    public static final String RAW_ID = "rawId";
+    public static final String AUTHENTICATOR_ATTACHMENT = "authenticatorAttachment";
+    public static final String ATTESTATION_OBJECT = "attestationObject";
 
     // These will be excluded from url encoding
-    public static final List<String>
-            WEBAUTHN_PARAMETERS =
-            Arrays.asList(CREDENTIALID, CLIENTDATA, SIGNATUREDATA, AUTHENTICATORDATA, USERHANDLE,
-                          ASSERTIONCLIENTEXTENSIONS);
-}
+    public static final List<String> WEBAUTHN_PARAMETERS = Arrays.asList(CREDENTIALID, CLIENTDATA, SIGNATUREDATA, AUTHENTICATORDATA,
+                                                                         USERHANDLE, ASSERTIONCLIENTEXTENSIONS, CREDENTIAL_ID, RAW_ID,
+                                                                         AUTHENTICATOR_ATTACHMENT, ATTESTATION_OBJECT);
+}
diff --git a/src/main/java/org/privacyidea/PIResponse.java b/src/main/java/org/privacyidea/PIResponse.java
@@ -49,6 +49,22 @@ public class PIResponse
     public String type = ""; // Type of token that was matching the request
     public int otpLength = 0;
     public PIError error = null;
+    // Passkey content is json string and can be passed to the browser as is
+    public String passkeyChallenge = "";
+    public String passkeyRegistration = "";
+    public String username = "";
+
+    public boolean authenticationSuccessful()
+    {
+        if (authentication == AuthenticationStatus.ACCEPT)
+        {
+            return true;
+        }
+        else
+        {
+            return value && authentication != AuthenticationStatus.CHALLENGE;
+        }
+    }
 
     /**
      * Check if a PUSH token was triggered.
@@ -83,12 +99,8 @@ public String otpMessage()
     private String reduceChallengeMessagesWhere(Predicate<Challenge> predicate)
     {
         StringBuilder sb = new StringBuilder();
-        sb.append(multiChallenge.stream()
-                                .filter(predicate)
-                                .map(Challenge::getMessage)
-                                .distinct()
-                                .reduce("", (a, s) -> a + s + ", ")
-                                .trim());
+        sb.append(
+                multiChallenge.stream().filter(predicate).map(Challenge::getMessage).distinct().reduce("", (a, s) -> a + s + ", ").trim());
 
         if (sb.length() > 0)
         {
@@ -113,16 +125,13 @@ public List<String> triggeredTokenTypes()
     public List<WebAuthn> webAuthnSignRequests()
     {
         List<WebAuthn> ret = new ArrayList<>();
-        multiChallenge.stream()
-                      .filter(c -> TOKEN_TYPE_WEBAUTHN.equals(c.getType()))
-                      .collect(Collectors.toList())
-                      .forEach(c ->
-                                   {
-                                   if (c instanceof WebAuthn)
-                                   {
-                                       ret.add((WebAuthn) c);
-                                   }
-                                   });
+        multiChallenge.stream().filter(c -> TOKEN_TYPE_WEBAUTHN.equals(c.getType())).collect(Collectors.toList()).forEach(c ->
+                                                                                                                          {
+                                                                                                                              if (c instanceof WebAuthn)
+                                                                                                                              {
+                                                                                                                                  ret.add((WebAuthn) c);
+                                                                                                                              }
+                                                                                                                          });
         return ret;
     }
 
@@ -164,4 +173,4 @@ public String toString()
     {
         return rawMessage;
     }
-}
+}
diff --git a/src/main/java/org/privacyidea/PrivacyIDEA.java b/src/main/java/org/privacyidea/PrivacyIDEA.java

Original file line number	Diff line number	Diff line change
`@@ -125,21 +125,21 @@ void sendRequestAsync(String endpoint, Map<String, String> params, Map<String, S`
`125`	`125`	`}`
`126`	`126`	`privacyIDEA.log(method + " " + endpoint);`
`127`	`127`	`params.forEach((k, v) ->`
`128`		`- {`
	`128`	`+ {`
`129`	`129`	`if (k.equals("pass") \|\| k.equals("password"))`
`130`	`130`	`{`
`131`	`131`	`v = "*".repeat(v.length());`
`132`	`132`	`}`
`133`	`133`	`privacyIDEA.log(k + "=" + v);`
`134`		`- });`
	`134`	`+ });`
`135`	`135`
`136`	`136`	`if (GET.equals(method))`
`137`	`137`	`{`
`138`	`138`	`params.forEach((key, value) ->`
`139`		`- {`
	`139`	`+ {`
`140`	`140`	`String encValue = URLEncoder.encode(value, StandardCharsets.UTF_8);`
`141`	`141`	`urlBuilder.addQueryParameter(key, encValue);`
`142`		`- });`
	`142`	`+ });`
`143`	`143`	`}`
`144`	`144`
`145`	`145`	`String url = urlBuilder.build().toString();`
`@@ -157,7 +157,7 @@ void sendRequestAsync(String endpoint, Map<String, String> params, Map<String, S`
`157`	`157`	`{`
`158`	`158`	`FormBody.Builder formBodyBuilder = new FormBody.Builder();`
`159`	`159`	`params.forEach((key, value) ->`
`160`		`- {`
	`160`	`+ {`
`161`	`161`	`if (key != null && value != null)`
`162`	`162`	`{`
`163`	`163`	`String encValue = value;`
`@@ -169,13 +169,13 @@ void sendRequestAsync(String endpoint, Map<String, String> params, Map<String, S`
`169`	`169`	`}`
`170`	`170`	`formBodyBuilder.add(key, encValue);`
`171`	`171`	`}`
`172`		`- });`
	`172`	`+ });`
`173`	`173`	`// This switches okhttp to make a post request`
`174`	`174`	`requestBuilder.post(formBodyBuilder.build());`
`175`	`175`	`}`
`176`	`176`
`177`	`177`	`Request request = requestBuilder.build();`
`178`		`- //privacyIDEA.log("HEADERS:\n" + request.headers().toString());`
	`178`	`+ //privacyIDEA.log("HEADERS:\n" + request.headers());`
`179`	`179`	`client.newCall(request).enqueue(callback);`
`180`	`180`	`}`
`181`	`181`	`}`