From d77317adab575849db7dda99455e66dc14f5eede Mon Sep 17 00:00:00 2001 From: Dusan Jakub Date: Wed, 11 Oct 2023 18:32:52 +0200 Subject: [PATCH] options to Passwordless, more texts --- src/main/resources/application.properties | 5 +++- .../OAuthResource/loginPasswordless.html | 28 +++++++++++++++---- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 86cae33..c7086c9 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -4,4 +4,7 @@ quarkus.package.type=uber-jar smallrye.jwt.sign.key.location=key.jwk quarkus.webauthn.relying-party.id=oauth-playground.online %dev.quarkus.webauthn.relying-party.id=localhost -quarkus.webauthn.relying-party.name=OAuth Playground by YSoft \ No newline at end of file +quarkus.webauthn.relying-party.name=OAuth Playground by YSoft +quarkus.webauthn.require-resident-key=false +quarkus.webauthn.user-verification=preferred +quarkus.webauthn.timeout=5m \ No newline at end of file diff --git a/src/main/resources/templates/OAuthResource/loginPasswordless.html b/src/main/resources/templates/OAuthResource/loginPasswordless.html index c6e2946..2e0f902 100644 --- a/src/main/resources/templates/OAuthResource/loginPasswordless.html +++ b/src/main/resources/templates/OAuthResource/loginPasswordless.html @@ -101,16 +101,17 @@

pubKeyCredParams

A list of public key credential types and cryptographic algorithm combinations supported by the relying party. + Constants of -7 and -257 denote ES256 and RS256, respectively.

  • authenticatorSelection

    Criteria for the authenticator:

    - requireResidentKey: This indicates if the credential should be stored on the authenticator (like a hardware token or platform). Here, it's set to "false", meaning resident keys aren't mandatory. + requireResidentKey: A resident (private) key, is a key that cannot leave your authenticator device, this means that you cannot reuse the authenticator to log into a second computer. Here, it is not required.

    - userVerification: This describes the desired user verification method. "discouraged" means the relying party does not want user verification employed during the creation process. + userVerification: User verification is the technical process by which an authenticator locally authorizes the invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations. User verification MAY be instigated through various authorization gesture modalities; for example, through a touch plus pin code, password entry, or biometric recognition (e.g., presenting a fingerprint). It can be "required", "preferred" or "discouraged".
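
Review bot: The new requireResidentKey sentence is inaccurate where it says a resident key "cannot leave your authenticator device" and that the authenticator therefore cannot be reused to log into a second computer. What requireResidentKey controls is whether the credential must be stored on the authenticator itself (a discoverable credential), which allows login without the server first supplying a credential ID. It does not stop a roaming authenticator from being used on another computer. The removed wording was closer to this. The new userVerification text also no longer says which value this page uses: the old "discouraged" sentence is gone, and the properties file in this patch sets `preferred`, so say so here.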

  • @@ -274,7 +275,15 @@

  • -

    We finish the interaction by...

    +

    We are now ready to submit data to the server.

    +

    The server will validate the request:

    + +

    If everything matches, the new credential is stored with the user.
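
Review bot: After "The server will validate the request:" in this registration step, no checks are visible in the added lines, while the login step later in the patch lists format, type, challenge and origin, and the signature. List the registration checks here too (at least type, challenge and origin), so that "If everything matches" refers to something the reader can see.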

    @@ -286,7 +295,7 @@
    -
    5. Attestation
    +
    5. Assertion

    Which responds:

    Let's break it down...

    @@ -356,7 +365,14 @@

    -

    We finish the interaction by...

    +

    We are now ready to submit data to the server.

    +

    The server will validate the request:

    +
      +
    • Correct format
    • +
    • Correct type, challenge and origin
    • +
    • Validate the signature with the public key stored on the server
    • +
    +

    If everything matches, the user is logged in.
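
Review bot: The validation list in this login step ends at the signature check and says nothing about the authenticator data: the RP ID hash, the user-present and user-verified flags, and the signature counter. With `quarkus.webauthn.user-verification=preferred` set in this same patch, the reader needs to know whether a response without user verification still results in "the user is logged in". If the server performs these checks, add them as list items. The items would also read better in parallel form, for example "Valid signature under the public key stored on the server".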

    @@ -516,7 +532,7 @@ } function init() { - $(".step").hide() + //$(".step").hide() $("#init").showInViewport(); }
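
Review bot: In init(), `//$(".step").hide()` leaves commented-out code in the template and changes behaviour: every step is now visible on load instead of being revealed one at a time. If that is intended, delete the line and mention it in the commit message, which only speaks of options and texts. If it was a debugging aid, restore the call before merging.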
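
Review bot: In application.properties, `quarkus.webauthn.user-verification=preferred` lets an authenticator that cannot verify the user complete the ceremony anyway, and because the template is loginPasswordless.html the credential is the only factor in this flow. If the login is meant to be passwordless rather than a second factor, set it to `required`, or document that possession of the authenticator alone is accepted. `quarkus.webauthn.timeout=5m` is a long window for a single ceremony and deserves a comment on why it was chosen. The file also still ends without a trailing newline.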