`WinAPI` does not implement extensions #185
Comments
Yes, the WinAPI implementation currently does not support any extensions. This would be a nice addition to the library, but I do
@dainnilsson presumably you mean "do not know"?
Yes, thanks for catching that! 😄
Version 1.2 has now been released, with support for extensions in the WinAPI client.
@dainnilsson For my use-case, this presents some weird UI. It seems to work, but it implies that it's going to make a resident key every time I do an HMAC secret. Is this worth reporting a bug about?
Hmm, it's very explicit in the code: https://github.com/Yubico/python-fido2/blob/main/fido2/win_api.py#L1046
I did some more testing and it does seem that Windows (at least the version I'm running) requires the use of ResidentKey when creating the credential to pass the You can test this out directly by using https://demo.yubico.com/webauthn-developers on Windows. If you create a new credential and enable
@dainnilsson I… think I understand this, but it seems like this is a bug on Microsoft's end, and it should be reported & addressed? I didn't realize I was creating resident keys for this so I've probably used up half the capacity on my primary YubiKey by testing out the new no-admin-required code path here :)
I can't really say if it's a bug or if it's intentional, so it might be worth reporting to at least get some answers on that. I do think the current python-fido2 behavior should probably change though. Instead of silently setting requireKey=True so that PRF can be used, I believe it should probably just pass the request as-is, and whatever Windows does with that, so be it.
Since you are considerably closer to this space than I, do you know where the appropriate feedback form and/or (ideally) repo is to do that?
For example, Microsoft defines `WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET` here: https://github.com/microsoft/webauthn/blob/9fb38aa2775e286f504fc087efc62e5557bee881/webauthn.h#L386 but it is not exposed via `python-fido2`.