Scoped WebAuthn: MFA extension flow #36667

Merged
Joerger merged 12 commits into master from joerger/scoped-webauthn-extension-flow
Jan 20, 2024

@Joerger Joerger commented Jan 13, 2024

Propagate and enforce MFA challenge extensions in the WebAuthn login flow.

Part of the implementation for RFD 155

Based off #36666

@Joerger Joerger requested a review from codingllama January 13, 2024 02:20
@Joerger Joerger added the no-changelog Indicates that a PR does not require a changelog entry label Jan 13, 2024
@Joerger Joerger requested a review from rosstimothy January 13, 2024 02:20
@github-actions github-actions Bot requested a review from justinas January 13, 2024 02:20
@Joerger Joerger force-pushed the joerger/scoped-webauthn-extension-flow branch from 32a648f to 4f4aae9 Compare January 13, 2024 02:30

@codingllama codingllama left a comment

A few design-related comments.

Let's avoid ext param/variable names, as there are already "extensions" in WebAuthn (and it means something else).

Comment thread lib/auth/webauthn/login_mfa.go Outdated
Comment thread lib/auth/webauthn/login_mfa.go Outdated
Comment thread lib/auth/webauthn/login_mfa.go Outdated
Comment thread lib/auth/webauthn/login_mfa.go Outdated
Comment thread lib/auth/webauthn/login_passwordless.go Outdated
Comment thread lib/auth/webauthn/login_passwordless.go Outdated
Comment thread lib/auth/auth.go Outdated
Comment thread lib/auth/auth.go Outdated
Comment thread lib/auth/webauthn/login.go Outdated
@Joerger Joerger force-pushed the joerger/scoped-webauthn-session-data branch from bfefc29 to 837f078 Compare January 16, 2024 20:41
@Joerger Joerger force-pushed the joerger/scoped-webauthn-extension-flow branch from 4f4aae9 to 66295be Compare January 16, 2024 21:13
@Joerger Joerger force-pushed the joerger/scoped-webauthn-session-data branch from 837f078 to adeba02 Compare January 16, 2024 21:17
@Joerger Joerger force-pushed the joerger/scoped-webauthn-extension-flow branch from 66295be to cbe1586 Compare January 16, 2024 21:23
@Joerger Joerger requested a review from codingllama January 16, 2024 21:57
@Joerger Joerger changed the title Joerger/scoped webauthn extension flow Scoped WebAuthn: MFA extension flow Jan 17, 2024
@Joerger Joerger force-pushed the joerger/scoped-webauthn-session-data branch from adeba02 to 745a86d Compare January 17, 2024 02:25
@Joerger Joerger force-pushed the joerger/scoped-webauthn-extension-flow branch from cfffb4e to 1f38429 Compare January 17, 2024 02:38
@Joerger Joerger force-pushed the joerger/scoped-webauthn-extension-flow branch from b4dcbd5 to fde16ef Compare January 17, 2024 04:26

@codingllama codingllama left a comment

Looking good.

Comment thread lib/auth/webauthn/login_mfa.go Outdated
Comment thread lib/auth/webauthn/login_test.go Outdated
Comment thread lib/auth/webauthn/login_test.go Outdated
Comment thread lib/auth/webauthn/login.go Outdated
Comment thread lib/auth/webauthn/login.go Outdated
Comment thread lib/auth/webauthn/login.go Outdated
@Joerger Joerger force-pushed the joerger/scoped-webauthn-session-data branch from 745a86d to 8e3a094 Compare January 17, 2024 18:28
@Joerger Joerger force-pushed the joerger/scoped-webauthn-extension-flow branch from fde16ef to 0d2d119 Compare January 17, 2024 18:51
@Joerger Joerger requested a review from codingllama January 17, 2024 18:51
@Joerger Joerger force-pushed the joerger/scoped-webauthn-extension-flow branch 2 times, most recently from 4040b97 to f1ee37c Compare January 17, 2024 21:36
@public-teleport-github-review-bot public-teleport-github-review-bot Bot removed the request for review from justinas January 18, 2024 18:22
@Joerger Joerger force-pushed the joerger/scoped-webauthn-extension-flow branch from f1ee37c to c6a557b Compare January 18, 2024 19:26
@Joerger Joerger force-pushed the joerger/scoped-webauthn-session-data branch from 25caa59 to 3211003 Compare January 18, 2024 20:32
@Joerger Joerger force-pushed the joerger/scoped-webauthn-extension-flow branch from c6a557b to 2a8cd1f Compare January 18, 2024 20:33
@Joerger Joerger force-pushed the joerger/scoped-webauthn-session-data branch 2 times, most recently from 7587f2f to a092a54 Compare January 19, 2024 19:52
@Joerger Joerger force-pushed the joerger/scoped-webauthn-extension-flow branch from 2a8cd1f to 37e2768 Compare January 19, 2024 19:53
Base automatically changed from joerger/scoped-webauthn-session-data to master January 19, 2024 21:40
@Joerger Joerger force-pushed the joerger/scoped-webauthn-extension-flow branch from 37e2768 to 1608482 Compare January 19, 2024 22:07
@Joerger Joerger enabled auto-merge January 19, 2024 22:07
@Joerger Joerger added this pull request to the merge queue Jan 20, 2024
Merged via the queue into master with commit 6e1955a Jan 20, 2024
@Joerger Joerger deleted the joerger/scoped-webauthn-extension-flow branch January 20, 2024 00:26
@public-teleport-github-review-bot

@Joerger See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v15 | Failed |

Joerger added a commit that referenced this pull request Jan 21, 2024
* Use SessionData with extensions in Webauthn flow.

* Pass MFAChallengeExtensions through webauthn flow.

* Opportunistically enforce Webauthn challenge scope.

* Don't delete webauthn session data when reuse is allowed.

* Return more login data from webauthn flow.

* Enforce reuse when provided by the caller.

* Address comments.

* Fix test.

* Add unit test for scope and reuse.

* use pointer for challenge extension parameters.

* Address comments.
github-merge-queue Bot pushed a commit that referenced this pull request Jan 22, 2024

Labels

no-changelog Indicates that a PR does not require a changelog entry size/sm
