WebAuthn
 | An XWiki authenticator that allow browsers to automatically authenticate on XWiki using the new WebAuthn standard |
| Type | JAR |
| Category | Authenticator |
| Developed by | |
| Active Installs | 0 |
| Rating | |
| License | GNU Lesser General Public License 2.1 |
Table of contents
Description
This project has the following goals:
- Allow XWiki to support the WebAuthn standard.
- To make it easier to authenticate on an xwiki instance by registering WebAuthn credentials for an existing standard XWiki user and using the same to authenticate them without the need for a password.
Please see the project forum post for updates about the project.
WebAuthn
The fact that a password is a shared secret makes it vulnerable. Public-key authentication doesn’t have that weakness, and the WebAuthn API enables servers to register and authenticate users using public-key cryptography instead of a password. The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows users to be authenticated using public-key cryptography. Web Authentication works in tandem with other industry standards such as Credential Management and FIDO 2.0 Client to Authenticator Protocol 2 (CTAP).
WebAuthn is one of the most secure and usable authentication methods on the web. Some key reasons for this are:
- It minimizes login friction. A simple and familiar gesture lets users authenticate.
- It's the only web authentication method that is phishing resistant.
- It's standard-based and implemented across browsers and operating systems.
License: GNU Lesser General Public License 2.1
Forum post: https://forum.xwiki.org/t/add-webauthn-support-to-xwiki-gsoc21-project/8812/
Sources: https://github.com/xwiki-contrib/authenticator-webauthn
Issue Tracker: https://jira.xwiki.org/browse/WEBAUTHN
Design page: https://design.xwiki.org/xwiki/bin/view/Proposal/AddWebAuthnsupporttoXWiki
This project uses the java-webauthn-server library for the implementation of the Relying Party operations required for a server to support Web Authentication. This includes registering authenticators and authenticating registered authenticators. This library has no concept of accounts, sessions, permissions, or identity federation, and it’s not an authentication framework; it only deals with executing the WebAuthn authentication mechanism. Sessions, account management, and other higher-level concepts can make use of this authentication mechanism, but the authentication mechanism alone does not make a security system.
Release Notes
Prerequisites & Installation Instructions
We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager).
You can also use the manual method which involves dropping the JAR file and all its dependencies into the WEB-INF/lib folder and restarting XWiki.
Dependencies
Dependencies for this extension (org.xwiki.contrib:authenticator-webauthn 1.0):
- org.xwiki.platform:xwiki-platform-oldcore 11.10
- com.yubico:webauthn-server-core 1.9.1
- com.yubico:webauthn-server-attestation 1.9.1
- com.yubico:yubico-util 1.9.1
- com.yubico:webauthn-server-core-minimal 1.9.1
- com.onelogin:java-saml 2.0.0
