I'm trying to get a proof of concept of WebAuthn client (browser) registration/authentication to a FIDO2 server written in C/C++ using the libfido2 library. We have a commercial C++ application that implements its own web server and is written in C++. I'd like to explore adding authentication to our server via WebAuthn/FIDO2 and am looking for a simple example FIDO2 server to get started. If that's not available, then any documentation on setting our C++ server up as an RP and then handling the registration and authentication ceremonies via calls to the libfido2 library would also be helpful.
A WebAuthn server needs to implement four functions: start registration, finish registration, start authentication, and finish authentication. On the server side of things, libfido2 implements functionality that is useful for the finish registration and finish authentication steps, when the relying party needs to verify the attestation signature of a FIDO2 credential and the signature of a FIDO2 assertion statement respectively. While we have no server examples per se, we do have several examples that perform some of these steps (see e.g. our cred.c and assert.c examples) that might help you get started. You may also find the manual pages for Finally, you'll want to familiarize yourself with the WebAuthn Relying Party Operations, including the registration ceremony and authentication ceremony. A conceptual overview of these operations is also available on Yubico's website. Does that help?
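
One part of the finish authentication step named in the answer above, as an added example that is not from libfido2 or from the original posts: the relying-party checks on the raw authenticator data a browser returns (RP ID hash, user-presence and user-verification flags, signature counter), which sit alongside the signature verification that libfido2 provides. The names `check_authdata` and `demo` are hypothetical, and the expected RP ID hash is assumed to be computed by the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Raw authenticator data: rpIdHash[32] | flags[1] | signCount[4, big-endian] */
#define AUTHDATA_MIN_LEN 37
#define FLAG_UP 0x01 /* user present */
#define FLAG_UV 0x04 /* user verified */
enum ad_result { AD_OK, AD_TOO_SHORT, AD_RPID_MISMATCH, AD_NO_UP, AD_NO_UV,
                 AD_COUNTER_REGRESSION };

/* Hypothetical helper. rp_hash is SHA-256 of the RP ID (computed by the
 * caller); stored is the counter saved at the last successful login.
 * On AD_OK, *next holds the counter to persist. */
enum ad_result check_authdata(const uint8_t *ad, size_t len,
                              const uint8_t rp_hash[32], int require_uv,
                              uint32_t stored, uint32_t *next)
{
    if (ad == NULL || len < AUTHDATA_MIN_LEN)
        return AD_TOO_SHORT;
    if (memcmp(ad, rp_hash, 32) != 0)
        return AD_RPID_MISMATCH;
    if (!(ad[32] & FLAG_UP))
        return AD_NO_UP;
    if (require_uv && !(ad[32] & FLAG_UV))
        return AD_NO_UV;
    uint32_t count = ((uint32_t)ad[33] << 24) | ((uint32_t)ad[34] << 16) |
                     ((uint32_t)ad[35] << 8) | (uint32_t)ad[36];
    /* Both zero: the authenticator keeps no counter. Otherwise the value
     * must strictly increase; a repeat or rollback suggests a clone. */
    if ((count != 0 || stored != 0) && count <= stored)
        return AD_COUNTER_REGRESSION;
    *next = count;
    return AD_OK;
}

/* Constructed sample: the expected hash is a placeholder of 32 x 0xAA. */
enum ad_result demo(uint8_t rp_byte, uint8_t flags, uint32_t count,
                    uint32_t stored, int require_uv)
{
    uint8_t expected[32], ad[AUTHDATA_MIN_LEN];
    uint32_t next = 0;
    memset(expected, 0xAA, sizeof expected);
    memset(ad, rp_byte, 32);
    ad[32] = flags;
    ad[33] = (uint8_t)(count >> 24); ad[34] = (uint8_t)(count >> 16);
    ad[35] = (uint8_t)(count >> 8);  ad[36] = (uint8_t)count;
    return check_authdata(ad, sizeof ad, expected, require_uv, stored, &next);
}
```
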
Thanks LDVG - that was helpful. I've been digging through documentation and looking at the fido2-cred and fido2-assert examples in the build/tools directory. We got the fido2-cred and fido2-assert examples working on Linux without a problem using the /dev/hidraw0 device. One of our platforms is macOS and there doesn't seem to be a /dev entry created for the YubiKey 5Ci on macOS. Is there a different way to specify the device on macOS for the fido2-cred and fido2-assert examples? I realize that the FIDO2 server won't have to worry about talking to the YubiKey device - that will be handled by the browser JavaScript - but just to start fleshing things out it would be nice if we could work on both Linux and macOS. Thanks for any help you could provide.
Yes, run the manifest example or fido2-token -L (tools/) to list the device paths for the currently connected devices. 🙂