Hello all,
I wanted to give a short heads-up concerning recent work on passkeys/WebAuthn
support in NaviServer/OpenACS.
This work builds directly on:
 - CBOR decoding support
 - COSE key handling
 - extended crypto support (e.g., EC keys, PEM generation from coordinates)
All of this is provided by current NaviServer versions and used from OpenACS
without external dependencies.
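As an added illustration (not code from NaviServer or OpenACS), the following Python shows the pipeline those three building blocks form on the relying-party side: decode the CBOR-encoded COSE_Key an authenticator returns, check that it really is an ES256/P-256 EC2 key before trusting it, and emit a PEM public key from the x/y coordinates. The coordinate bytes are constructed sample values, not a real key.

```python
import base64

# Constructed sample: 32-byte P-256 coordinates standing in for an authenticator's key.
X = bytes(range(1, 33))
Y = bytes(range(33, 65))
# CBOR COSE_Key: {1: 2 (kty EC2), 3: -7 (alg ES256), -1: 1 (crv P-256), -2: x, -3: y}
COSE_KEY = bytes.fromhex("a5 01 02 03 26 20 01 21 58 20") + X + bytes.fromhex("22 58 20") + Y

def cbor_decode(data: bytes, pos: int = 0):
    """Decode one CBOR item (ints, byte/text strings, arrays, maps); return (value, next_pos)."""
    ib = data[pos]; pos += 1
    major, info = ib >> 5, ib & 0x1F
    if info < 24:
        arg = info
    elif info in (24, 25, 26, 27):          # 1/2/4/8-byte length or value follows
        n = 1 << (info - 24)
        arg = int.from_bytes(data[pos:pos + n], "big"); pos += n
    else:
        raise ValueError("indefinite-length / reserved additional info not supported")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        chunk = data[pos:pos + arg]
        if len(chunk) != arg:
            raise ValueError("truncated string")
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + arg
    if major in (4, 5):
        items = [] if major == 4 else {}
        for _ in range(arg):
            k, pos = cbor_decode(data, pos)
            if major == 4:
                items.append(k)
            else:
                v, pos = cbor_decode(data, pos); items[k] = v
        return items, pos
    raise ValueError(f"unsupported major type {major}")

# DER SubjectPublicKeyInfo prefix for an uncompressed P-256 point (id-ecPublicKey, prime256v1).
P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")

def cose_ec2_to_pem(cose: bytes) -> str:
    """Validate an ES256 COSE_Key and build a PEM from its coordinates (no external deps)."""
    key, end = cbor_decode(cose)
    if end != len(cose) or not isinstance(key, dict):
        raise ValueError("malformed COSE_Key")
    if key.get(1) != 2 or key.get(3) != -7 or key.get(-1) != 1:   # reject unexpected kty/alg/crv
        raise ValueError("not an ES256 / P-256 EC2 key")
    x, y = key.get(-2), key.get(-3)
    if not (isinstance(x, bytes) and isinstance(y, bytes) and len(x) == len(y) == 32):
        raise ValueError("bad coordinate length")
    b64 = base64.b64encode(P256_SPKI_PREFIX + b"\x04" + x + y).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"
```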
The focus of the current work is:
 - passkey (WebAuthn) registration and login
 - discoverable credentials (passkey-first login)
 - practical integration into an existing web framework and user model
 - collecting real-world experience before finalizing UX and policy decisions
For a more detailed introduction, background on standards (WebAuthn, FIDO2,
CBOR, COSE), design decisions, and a short FAQ, please see the OpenACS
developer forum thread:
https://openacs.org/forums/message-view?message_id=8740415
The implementation is available for testing on openacs.org, where passkeys can
be registered and managed via /pvt/home, and the login page offers a passkey
option when appropriate.
At this stage, the goal is to share experience, identify rough edges, and
discuss design trade-offs - not to present a finished feature.
Why is this not NaviServer only? The passkeys are bound to user-ids and
require a more or less standard user/login management, which is available in
OpenACS. The OpenACS package (Tcl/JavaScript/ADP code) will be made available
soon (the separation of package concerns and OpenACS user management can be
improved).
All required NaviServer support (essentially crypto and CBOR related) is
included in the main branch of NaviServer.
Needless to say: feedback is always welcome.
Best regards,
-g
_______________________________________________
naviserver-devel mailing list
https://lists.sourceforge.net/lists/listinfo/naviserver-devel