Spring Security 4-way authentication with FIDO, e.g. YubiKey


I've already looked at WebAuthn4J Spring Security. I'm not asking "What library do I use to implement YubiKey authentication?"; my question is "How do I perform 4-way authentication using the Spring Security framework?". Spring Security seems to have the ideology that you can perform any type of authentication in a 2-way handshake, but this is not possible with YubiKey authentication, since the steps are:

  1. client sends username
  2. server sends challenge for that username
  3. client signs that challenge
  4. server accepts or rejects the client's signature

The server cannot send the challenge before it's told the username, and the client has nothing to sign until it's sent a challenge. How do I instruct the Spring Security framework that I need 4 steps and not just 2?

1 answer
ynojima On

I'm an author of WebAuthn4J Spring Security. WebAuthn4J Spring Security has two sample applications. Hopefully this code might help you.

  • WebAuthn4J Spring Security SPA
  • WebAuthn4J Spring Security MPA

https://github.com/webauthn4j/webauthn4j-spring-security/tree/master/samples

https://webauthn4j.github.io/webauthn4j-spring-security/en/#sample-application
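The four steps from the question, as an added example that is not code from the question, the answer, or WebAuthn4J Spring Security: steps 1-2 are an ordinary request whose challenge is kept server-side, so only step 4 is an authentication attempt. Assumptions: the in-memory maps stand in for the HTTP session and the credential store, all names are hypothetical, and signing the raw challenge simplifies WebAuthn, which signs authenticator data and a hash of client data containing the challenge.

```java
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class FourStepLoginDemo {
    // Constructed server state: public keys by username, and one pending
    // (username, challenge) pair per session id.
    static final Map<String, PublicKey> registeredKeys = new HashMap<>();
    static final Map<String, Map.Entry<String, byte[]>> pending = new ConcurrentHashMap<>();
    static final SecureRandom random = new SecureRandom();

    // Steps 1-2: client names a user, server returns a fresh challenge.
    // Issued for unknown usernames too, so the reply does not reveal who exists.
    static byte[] issueChallenge(String sessionId, String username) {
        byte[] challenge = new byte[32];
        random.nextBytes(challenge);
        pending.put(sessionId, Map.entry(username, challenge));
        return challenge;
    }

    // Step 4: the one request that carries a credential to verify.
    static boolean authenticate(String sessionId, byte[] signature)
            throws GeneralSecurityException {
        Map.Entry<String, byte[]> entry = pending.remove(sessionId); // single use
        if (entry == null) return false;           // no challenge was issued
        PublicKey key = registeredKeys.get(entry.getKey());
        if (key == null) return false;             // unknown user
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(key);
        verifier.update(entry.getValue());
        return verifier.verify(signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair deviceKey = gen.generateKeyPair(); // stands in for the key on the token
        registeredKeys.put("alice", deviceKey.getPublic());

        byte[] challenge = issueChallenge("session-1", "alice"); // steps 1-2
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(deviceKey.getPrivate());
        signer.update(challenge);
        byte[] sig = signer.sign();                              // step 3

        System.out.println("first attempt:  " + authenticate("session-1", sig));
        // Replay of the same signature after the challenge was consumed.
        System.out.println("replay attempt: " + authenticate("session-1", sig));
    }
}
```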