11# webauthn-rs caBLE tunnel server
22
3+ ** Important:** it is only necessary for an * authenticator vendor* to run a caBLE
4+ tunnel service for their devices. Initiators (such as browsers and client
5+ applications) connect to a tunnel service of the * authenticator's* choosing.
6+
37** Warning:** this is still a work in progress, and not yet fully implemented.
48
59However, you can run a single-task tunnel service with the ` backend ` alone:
610[ see ` ./backend/README.md ` for instructions] [ 0 ] .
711
8- ** Important:** it is only necessary for an * authenticator vendor* to run a caBLE
9- tunnel server for their devices. Initiators (such as browsers and client
10- applications) connect to a tunnel server of the authenticator's choosing.
11-
1212[ 0 ] : ./backend/README.md
1313
1414## Background
@@ -27,14 +27,14 @@ As far as the tunnel server is concerned, what happens is:
2727
28282 . The authenticator connects to a tunnel server of its choosing, using HTTPS.
2929
30- 3 . The authenticator makes a WebSocket request to ` /cable/new/${TUNNEL_ID} ` .
30+ 3 . The authenticator makes a WebSocket request to ` /cable/new/${TUNNEL_ID} ` [ ^ new ] .
3131
32324 . The tunnel server responds with a WebSocket handshake, and includes a 3 byte
3333 routing ID in the HTTP response headers to indicate which task is serving
3434 the request.
3535
36- 5 . The authenticator transmits the tunnel server ID and routing ID as as an
37- encrypted Bluetooth Low Energy advertisement to the initiator .
36+ 5 . The authenticator transmits the tunnel server ID and routing ID to the
37+ initiator using an encrypted Bluetooth Low Energy advertisement.
3838
39396 . The initiator decrypts the advertisement, and connects to the tunnel server
4040 using HTTPS.
@@ -44,8 +44,8 @@ As far as the tunnel server is concerned, what happens is:
4444
45458 . The tunnel server responds with a WebSocket handshake.
4646
47- 9 . The tunnel server relays WebSocket messages between the authenticator and
48- initiator.
47+ 9 . The tunnel server relays binary WebSocket messages between the authenticator
48+ and initiator.
4949
5050The initiator starts a Noise channel with the authenticator for further
5151communication such that the tunnel server cannot read their communications, and
@@ -56,6 +56,13 @@ limits, the tunnel server implementations are very simple. The tunnel server
5656itself does not need to concern itself with the minutae of the Noise protocol -
5757it only needs to pass binary messages across the tunnel verbatim.
5858
59+ [ ^ new ] :
60+ This [ follows Google's caBLE URL convention] [ 2 ] . The URL used to establish a
61+ new channel [ is not part of the FIDO 2.2 specification] [ 3 ] .
62+
63+ [ 2 ] : https://source.chromium.org/chromium/chromium/src/+/main:device/fido/cable/v2_handshake.cc?q=symbol%3A%5Cbdevice%3A%3Acablev2%3A%3Atunnelserver%3A%3AGetNewTunnelURL%5Cb%20case%3Ayes
64+ [ 3 ] : https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html#ref-for-client-platform①⓪
65+
5966## Design
6067
6168` webauthn-rs ` ' caBLE tunnel server consists of three parts:
8592### Frontend
8693
8794** Warning:** The ` frontend ` is not yet fully implemented, and does not yet do
88- everything described here. This would be necessary for a larger scale deployment
89- of a caBLE tunnel server .
95+ everything described here. This would be necessary to operate a
96+ high-availability caBLE tunnel service .
9097
9198** Source:** [ ` ./frontend/ ` ] [ frontend ]
9299
0 commit comments