This is a sample application to experiment with passkeys and eventually be merged into Spring Security.

Using in your own project

Clone the repository and then publish to your local file system.

./gradlew publish
tree build/repo
build/repo
└── io
    └── github
        └── rwinch
            └── webauthn
                └── spring-security-webauthn
                    ├── 0.0.1-SNAPSHOT
                    │   ├── maven-metadata.xml
                    │   ├── spring-security-webauthn-0.0.1-20240510.034131-1.jar
                    │   ├── spring-security-webauthn-0.0.1-20240510.034131-1.pom
                    │   ├── ...
                    ├── ...
                    ├── maven-metadata.xml

Then you can add it as a dependency:

pom.xml

<dependencies>
    <dependency>
        <groupId>io.github.rwinch.webauthn</groupId>
        <artifactId>spring-security-webauthn</artifactId>
        <version>0.0.1-SNAPSHOT</version>
    </dependency>
    <!-- ... -->
</dependencies>
<repositories>
    <repository>
      <id>spring-webauthn</id>
      <!-- replace with the path to the build/repo on your file system -->
      <url>file:///home/rwinch/code/rwinch/spring-security-webauthn/main/build/repo/</url>
    </repository>
    <!-- ... -->
  </repositories>

build.gradle

dependencies {
    implementation 'io.github.rwinch.webauthn:spring-security-webauthn:0.0.1-SNAPSHOT'
    // ...
}
repositories {
    maven {
        // replace with the path to the build/repo on your file system
        url = 'file:///home/rwinch/code/rwinch/spring-security-webauthn/main/build/repo/'
    }
    // ...
}

Alternatively, you can publish to your Maven local cache:

./gradlew publishToMavenLocal

https://example.localhost.example:8443

Many Authenticators do will not work unless https is used & some will not work with localhost. This section discusses how to setup your workspace to use https://example.localhost:8443/ with a certificate that is signed by a trusted CA.

Using a Valid Domain

For security reasons, many Authenticators do not allow using localhost as the host for WebAuthn. The WebAuthn specification requires that the RP ID is a valid, effective domain. See w3c/webauthn#1204 for details.

https://datatracker.ietf.org/doc/html/rfc2606#section-2[RFC2606 states] that .localhost is a valid TLD that is typically mapped to `127.0.0.1`.
This means that we can use example.localhost as our host name.

NOTE: If this does not resolve to 127.0.0.1, you can https://docs.rackspace.com/docs/modify-your-hosts-file[edit your hosts file] to map passkeys.localhost to 127.0.0.1.

+

/etc/hosts

127.0.1.1	example.localhost

mkcert

Use mkcert

mkcert example.localhost

This repository is exploring multifactor authentication with webauthn. To follow along on the discussions see spring-projects/spring-security#6842

• Visit http://localhost:8080/

• Log in with user / password

• If you visit http://localhost:8080/ no additional authentication is required

• If you visit http://localhost:8080/secure you will be prompted for webauthn log in. The first time you will be required to register.

• Use http://localhost:8080/logout to log out