WinAPI does not implement extensions #185

Closed
glyph opened this issue Apr 11, 2023 · 10 comments
Labels
enhancement New feature or request

Comments

@glyph

glyph commented Apr 11, 2023

For example, microsoft defines WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET here:

https://github.com/microsoft/webauthn/blob/9fb38aa2775e286f504fc087efc62e5557bee881/webauthn.h#L386

but it is not exposed via python-fido2

@dainnilsson
Member

dainnilsson commented Apr 17, 2023

Yes, the WinAPI implementation currently does not support any extensions. This would be a nice addition to the library, but I do now not know when we'll be able to implement it.

@dainnilsson dainnilsson added the enhancement New feature or request label Apr 17, 2023
@glyph
Author

glyph commented May 3, 2023

@dainnilsson presumably you mean "do not know"?

@dainnilsson
Member

@dainnilsson presumably you mean "do not know"?

Yes, thanks for catching that! 😄

@dainnilsson
Member

Version 1.2 has now been released, with support for extensions in the WinAPI client.

@glyph
Author

glyph commented Dec 4, 2024

@dainnilsson For my use-case, this presents some weird UI. It seems to work, but it implies that it's going to make a resident key every time I do an HMAC secret. Is this worth reporting a bug about?

@dainnilsson
Member

Hmm, it's very explicit in the code: https://github.com/Yubico/python-fido2/blob/main/fido2/win_api.py#L1046
I just don't remember now what led me to conclude that it was required... I did a quick test now and it doesn't seem that WinAPI actually needs this, so I must have gotten something mixed up. Maybe I confused it with userVerification. I'll make sure we address this for the next version!

@dainnilsson
Member

I did some more testing and it does seem that Windows (at least the version I'm running) requires the use of ResidentKey when creating the credential to pass the hmac-secret extension to the authenticator. However, YubiKeys at least will allow you to use hmac-secret in GetAssertion even without specifying it in MakeCredential.

You can test this out directly by using https://demo.yubico.com/webauthn-developers on Windows. If you create a new credential and enable prf, the result will show prf.enabled = false if it's not a resident key.
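The prf.enabled result mentioned above is derived from the hmac-secret output the authenticator places in the MakeCredential authenticator data. As an added example (not python-fido2 code and not part of this thread), here is a small parser that checks that output directly from a raw authenticator-data blob, so a caller can verify whether the extension was actually enabled before relying on it; the sample authenticator data is constructed, not captured from a real device.

```python
FLAG_AT, FLAG_ED = 0x40, 0x80  # attested credential data / extension data present

def cbor_decode(buf, pos=0):
    """Decode one CBOR item (uint, negint, bytes, text, map, bool/null): enough
    for authenticator data. Returns (value, position after the item)."""
    mt, ai = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if 24 <= ai <= 27:  # argument follows in 1/2/4/8 bytes
        n = 1 << (ai - 24)
        ai, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if mt == 0:
        return ai, pos
    if mt == 1:
        return -1 - ai, pos
    if mt in (2, 3):
        data = buf[pos:pos + ai]
        return (data if mt == 2 else data.decode()), pos + ai
    if mt == 5:
        d = {}
        for _ in range(ai):
            k, pos = cbor_decode(buf, pos)
            d[k], pos = cbor_decode(buf, pos)
        return d, pos
    if mt == 7 and ai in (20, 21, 22):
        return {20: False, 21: True, 22: None}[ai], pos
    raise ValueError("unsupported CBOR item")

def hmac_secret_enabled(auth_data):
    """True only if MakeCredential authenticator data carries an extension map
    with hmac-secret: true; WebAuthn's prf.enabled is derived from this."""
    flags, pos = auth_data[32], 37  # rpIdHash(32) + flags(1) + signCount(4)
    if flags & FLAG_AT:
        cred_id_len = int.from_bytes(auth_data[53:55], "big")  # after aaguid(16)
        _, pos = cbor_decode(auth_data, 55 + cred_id_len)  # skip the COSE public key
    if not flags & FLAG_ED:
        return False
    ext, _ = cbor_decode(auth_data, pos)
    return ext.get("hmac-secret") is True

def sample_auth_data(with_hmac_secret):
    """Constructed MakeCredential authenticator data (not a real capture)."""
    cose_key = bytes.fromhex("a5010203262001215820") + b"\x11" * 32 + bytes.fromhex("225820") + b"\x22" * 32
    ext = bytes.fromhex("a16b686d61632d736563726574f5") if with_hmac_secret else b""  # {"hmac-secret": true}
    flags = 0x41 | (FLAG_ED if with_hmac_secret else 0)  # UP + AT (+ ED)
    return (b"\x00" * 32 + bytes([flags]) + b"\x00\x00\x00\x01"  # rpIdHash, flags, signCount
            + b"\x00" * 16 + (4).to_bytes(2, "big") + b"\xaa" * 4 + cose_key + ext)
```

On a platform that drops the extension (as described for non-resident credentials on Windows), the ED flag is clear or the map lacks hmac-secret, and the function returns False.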

@glyph
Author

glyph commented Dec 16, 2024

You can test this out directly by using https://demo.yubico.com/webauthn-developers on Windows. If you create a new credential and enable prf, the result will show prf.enabled = false if it's not a resident key.

@dainnilsson I… think I understand this, but it seems like this is a bug on Microsoft's end, and it should be reported & addressed? I didn't realize I was creating resident keys for this so I've probably used up half the capacity on my primary YubiKey by testing out the new no-admin-required code path here :)

@dainnilsson
Member

I can't really say if it's a bug or if it's intentional, so it might be worth reporting to at least get some answers on that.

I do think the current python-fido2 behavior should probably change though. Instead of silently setting requireKey=True so that PRF can be used, I believe it should probably just pass the request as-is, and whatever Windows does with that, so be it.

@glyph
Author

glyph commented Dec 20, 2024

I can't really say if it's a bug or if it's intentional, so it might be worth reporting to at least get some answers on that.

Since you are considerably closer to this space than I, do you know where the appropriate feedback form and/or (ideally) repo is to do that?
