Created attachment 279408 [details] U2F request flow diagram. U2F is beginning to see more wide-spread deployment, with Github being one notable example site that utilizes it. Currently, Chrome integrates support, but lower-level integration in WebKit would broadly increase the potential user base. There exists a cross-platform (Windows, Linux, Mac OS X) C reference implementation, https://developers.yubico.com/libu2f-host/, supported by a manufacturer (Yubico) of U2F-compliant tokens. They also provide a test server for interactive experimentation (https://demo.yubico.com/u2f), reference server integration implementation, and cURL-able test endpoints. This client (device host) reference implementation depends on: pkg-config, JSON-C, and HIDAPI for USB communication. I very strongly desire U2F support both for my own site use, as well as for token-secured access to Github.

What is the difference from the Web Authentication[1,2]? [1]: https://github.com/w3c/webauthn [2]: https://w3c.github.io/webauthn/

(In reply to Yusuke Suzuki from comment #2) > What is the difference from the Web Authentication[1,2]? > > [1]: https://github.com/w3c/webauthn > [2]: https://w3c.github.io/webauthn/ WebAuthN is effectively FIDO 2.0. See Bug 181943 for status update regarding to WebAuthN.

Does the work on WebAuthN contain FIDO 1.0 support as well? If not, this ticket is probably still valid on it's own.

FWIW, Edge has no intention to support U2F and only support WebAuthn. The U2F JavaScript API unfortunately doesn't fully document how to get access to the objects needed to use the MessagePort and u2f interface API. U2F supports CTAP1 devices, while WebAuthn supports CTAP1 and CTAP2 devices. There is an extension for WebAuthn to work with existing U2F registrations (such as those created via another browser, or the Safari App Extension) with the new API, so that users can still authenticate when a site upgrades from using the U2F to WebAuthn javascript interfaces.

(In reply to john+webkit from comment #4) > Does the work on WebAuthN contain FIDO 1.0 support as well? If not, this > ticket is probably still valid on it's own. WebAuthN will support CTAP1/U2F devices.

(In reply to David Waite from comment #5) > FWIW, Edge has no intention to support U2F and only support WebAuthn. > > The U2F JavaScript API unfortunately doesn't fully document how to get > access to the objects needed to use the MessagePort and u2f interface API. > > U2F supports CTAP1 devices, while WebAuthn supports CTAP1 and CTAP2 devices. > > There is an extension for WebAuthn to work with existing U2F registrations > (such as those created via another browser, or the Safari App Extension) > with the new API, so that users can still authenticate when a site upgrades > from using the U2F to WebAuthn javascript interfaces. Same as WebKit. I will leave this bug alone and re-scope it as [WebAuthN] Implement FIDO U2F extension.

<rdar://problem/48298273>

Created attachment 365249 [details] Patch

Created attachment 365256 [details] Patch

Comment on attachment 365256 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=365256&action=review > Source/WebCore/ChangeLog:11 > + do in practice to avoid some unncessary steps of unnecessary > Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.h:65 > +WEBCORE_EXPORT Optional<Vector<uint8_t>> convertToU2fSignCommand(const Vector<uint8_t>& clientDataHash, const WebCore::PublicKeyCredentialRequestOptions&, const Vector<uint8_t>& keyHandle, bool isAppId = false); I should explain the change in the ChangeLog: the checkOnly flag is never used and therefore is deleted. > LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html:19 > + assert_not_exists(credential.getClientExtensionResults()); assert_not_exists(credential.getClientExtensionResults(), "appid"); > LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https.html:33 > + assert_not_exists(credential.getClientExtensionResults()); Ditto. > LayoutTests/http/wpt/webauthn/public-key-credential-create-success-u2f.https.html:15 > + assert_not_exists(credential.getClientExtensionResults()); Ditto. > LayoutTests/http/wpt/webauthn/public-key-credential-get-success-local.https.html:36 > + assert_not_exists(credential.getClientExtensionResults()); Ditto. > LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https.html:18 > + assert_not_exists(credential.getClientExtensionResults()); Ditto.

Comment on attachment 365256 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=365256&action=review > Source/WebCore/ChangeLog:15 > + Need to add the new IDL file to MakeLists.txt to make GTK+ happy.

Comment on attachment 365256 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=365256&action=review Nice work getting this together. r=me with the changes suggested, and assuming tests pass when you are done. >> Source/WebCore/Modules/webauthn/fido/U2fCommandConstructor.h:65 >> +WEBCORE_EXPORT Optional<Vector<uint8_t>> convertToU2fSignCommand(const Vector<uint8_t>& clientDataHash, const WebCore::PublicKeyCredentialRequestOptions&, const Vector<uint8_t>& keyHandle, bool isAppId = false); > > I should explain the change in the ChangeLog: the checkOnly flag is never used and therefore is deleted. Yes -- I got confused when I looked at the implementation, until I saw this note! :-) > Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp:214 > + response->appid = true; Could this be: response->appid = m_isAppId;

Comment on attachment 365256 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=365256&action=review Thanks Brent for r+ this patch. >> Source/WebKit/UIProcess/WebAuthentication/fido/U2fHidAuthenticator.cpp:214 >> + response->appid = true; > > Could this be: > > response->appid = m_isAppId; Sure. Fixed.

Created attachment 365306 [details] Patch for Landing

Comment on attachment 365306 [details] Patch for Landing cq+ since GTK+ bots are happy.

Comment on attachment 365306 [details] Patch for Landing Clearing flags on attachment: 365306 Committed r243193: <https://trac.webkit.org/changeset/243193>