I've already looked at WebAuthn4J Spring Security. I'm not asking "What library do I use to implement yubikey authentication" my question is "How do I perform 4 way authentication using the spring security framework?". Spring security seems to have the ideology that you can perform any type of authentication in a 2-way handshake, but this is not possible with yubikey authentication since the steps are
- client sends username
- server sends challenge for that username
- client signs that challenge
- server accepts or rejects the clients signature
The server cannot send the challenge before it's told the username, and the client has nothing to sign until it's sent a challenge. How do I instruct the spring security framework that I need 4 steps and not just 2?
I'm an author of WebAuthn4J Spring Security. WebAuthn4J Spring Security has two sample applications. Hopefully these code might help you.
https://github.com/webauthn4j/webauthn4j-spring-security/tree/master/samples
https://webauthn4j.github.io/webauthn4j-spring-security/en/#sample-application