{"id":20155875,"url":"https://github.com/bruj0/vault-plugin-auth-u2f","last_synced_at":"2025-04-09T22:20:48.963Z","repository":{"id":57555066,"uuid":"299957845","full_name":"bruj0/vault-plugin-auth-u2f","owner":"bruj0","description":"This is a nonofficial plugin for HashiCorp Vault that uses a FIDO U2F enabled device as a way to authenticate a human.By requiring something you know, a PIN with something you have, the physical token.","archived":false,"fork":false,"pushed_at":"2021-03-24T20:23:10.000Z","size":29287,"stargazers_count":48,"open_issues_count":1,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-24T00:13:45.266Z","etag":null,"topics":["fido-u2f","golang","hashicorp-vault","u2f","vault","yubikey"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bruj0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-09-30T15:05:14.000Z","updated_at":"2024-12-29T05:39:00.000Z","dependencies_parsed_at":"2022-09-26T18:51:35.005Z","dependency_job_id":null,"html_url":"https://github.com/bruj0/vault-plugin-auth-u2f","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bruj0%2Fvault-plugin-auth-u2f","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bruj0%2Fvault-plugin-auth-u2f/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bruj0%2Fvault-plugin-auth-u2f/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bruj0%2Fvault-plugin-auth-
u2f/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bruj0","download_url":"https://codeload.github.com/bruj0/vault-plugin-auth-u2f/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248120057,"owners_count":21050885,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fido-u2f","golang","hashicorp-vault","u2f","vault","yubikey"],"created_at":"2024-11-13T23:36:26.949Z","updated_at":"2025-04-09T22:20:48.942Z","avatar_url":"https://github.com/bruj0.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vault-plugin-auth-u2f\nThis is an unofficial plugin for HashiCorp Vault that uses a FIDO U2F enabled device as a way to authenticate a human.\n\nIt combines something you know, a PIN, with something you have, the physical token.\n\nIt works by assigning a role to a device when an administrator registers it.\n\nIt currently supports the web browser implementation of the U2F protocol from Google: https://github.com/google/u2f-ref-code/blob/master/u2f-gae-demo/war/js/u2f-api.js\n\nIt uses the u2f for Go library by Ryan Kurte: https://github.com/ryankurte/go-u2f\n\nHave any questions or comments?
Please use the [Discussions](https://github.com/bruj0/vault-plugin-auth-u2f/discussions) forums.\n\n# Roles\n\nA role associates a set of policies with the token that Vault issues to any device registered under that role:\n\n```\n$ vault write auth/u2f/roles/my-role token_policies=\"polA,polB\"\n```\n# Registrations\n\nRegistration of a new device starts with a POST to the endpoint `auth/\u003cu2f\u003e/registerRequest/\u003cmydevice\u003e` with the JSON payload `role_name: \u003cmy-role\u003e`.\n\n`\u003cmydevice\u003e` is the friendly name given to the physical token when an administrator \"registers\" it in Vault.\n\nInternally it is the unique ID used as the storage key under which all the data needed for future authentications is saved.\n\nThere is no expected format, only that it is plain ASCII and URL safe.\n\nThis ID must be known by the person being authenticated; it could be an email address or a PIN. It also appears in the issued token's `display_name` and `meta` (see the `vault token lookup` output in the demo below), so treat it as an identifier rather than a secret.\n\nRegistration finishes with another POST to `auth/\u003cu2f\u003e/registerResponse` whose payload is the protocol data signed by the device when the user presses its physical button.\n\nSee the demo in the directory u2f-frontend.\n\nWrite access to these endpoints, and to `auth/\u003cu2f\u003e/roles/*`, should be granted only to administrators through Vault policies; an ordinary user only needs the authentication endpoints below.\n\n# Authentication\nAuthentication is done via the endpoints `auth/\u003cu2f\u003e/signRequest` and `auth/\u003cu2f\u003e/signResponse` with the appropriate protocol data as payload.\n\n# Demo\n\n* In the directory u2f-frontend you will find a shell script that starts Vault in dev mode and loads the plugin:\n``` \n$ make \n$ cd u2f-frontend\n$ ./start_vault.sh\n+ set +e\n++ pidof vault\n+ kill -TERM 236661\n+ export VAULT_ADDR=http://127.0.0.1:8200\n+ VAULT_ADDR=http://127.0.0.1:8200\n+ unset VAULT_TOKEN\n+ sleep 3s\n+ /usr/local/bin/vault server -dev -dev-listen-address=0.0.0.0:8200 -dev-root-token-id=root -dev-plugin-dir=../plugins -log-level=trace\n+ vault auth enable u2f\nSuccess!
Enabled u2f auth method at: u2f/\n+ sleep 1s\n+ vault write auth/u2f/roles/my-role token_policies=polA,polB\nSuccess! Data written to: auth/u2f/roles/my-role\n+ sleep 1s\n+ vault read auth/u2f/roles/my-role\nKey                        Value\n---                        -----\ntoken_bound_cidrs          []\ntoken_explicit_max_ttl     0s\ntoken_max_ttl              0s\ntoken_no_default_policy    false\ntoken_num_uses             0\ntoken_period               0s\ntoken_policies             [polA polB]\ntoken_ttl                  0s\ntoken_type                 default\n```\n\nThis creates a role that assigns two policies to any device that is registered with it.\n\n* Start the frontend UI\n\n```\n$ ./u2f-frontend\n2020/10/20 15:21:36 Running on https://localhost:3483\n\npostPasstrough data: { \"role_name\": \"my-role\"}\npostPasstrough returned: {\"appId\":\"https://lxc1:3483\",\"registerRequests\":[{\"version\":\"U2F_V2\",\"challenge\":\"ney1ncntfiOH6RR9L51Tg_YgnBQOc-4pGb6DvDK3sYM\",\"appId\":\"https://lxc1:3483\"}],\"registeredKeys\":null}\n2020/10/20 15:23:56 1 registerRequest: {\"appId\":\"https://lxc1:3483\",\"registerRequests\":[{\"version\":\"U2F_V2\",\"challenge\":\"ney1ncntfiOH6RR9L51Tg_YgnBQOc-4pGb6DvDK3sYM\",\"appId\":\"https://lxc1:3483\"}],\"registeredKeys\":null}\n2020/10/20 15:24:01 registerResponse regResp: {BQRB..WxzZX0}\npostPasstrough data: {\"clientData\":\"eyJ0eXAiO..JTxHP79SNhWc9JYtYT8U\",\"name\":\"mydevice\"}\npostPasstrough returned: {\"ok\"}\n2020/10/20 15:24:01 Registration success\n2020/10/20 15:25:49 1 signRequest: {\"appId\":\"https://lxc1:3483\",\"challenge\":\"vAgX_uthFHN56nUdt6PTkWg3XY1nsJds5aBJH2ZVBuQ\",\"registeredKeys\":[{\"version\":\"U2F_V2\",\"keyHandle\":\"jhHhu3cu2Km3QHLDrqY_ZoCPeGKMbAZXWs10vmzNkH-t_V5lVUEbxnzJHG8yOE4C83lrtz95s9XjB60L2dDvPw\"}]}\n2020/10/20 15:25:51 signResponse: {KeyHandle:jhHhu3cu..FiUGV4In0}\npostPasstrough data: {\"keyHandle\":\"jh..V4In0\",\"name\":\"mydevice\"}\npostPasstrough returned: 
{\"request_id\":\"90b6b928-4d50-cc78-474a-609e84f59b48\",\"lease_id\":\"\",\"renewable\":false,\"lease_duration\":0,\"data\":null,\"wrap_info\":null,\"warnings\":null,\"auth\":{\"client_token\":\"s.BkuppRwBgxIdy7hr4soFQC00\",\"accessor\":\"e5xVaunuBVdLHA7f5D3jr0us\",\"policies\":[\"default\",\"pola\",\"polb\"],\"token_policies\":[\"default\",\"pola\",\"polb\"],\"metadata\":{\"device_name\":\"mydevice\",\"role\":\"my-role\"},\"lease_duration\":2764800,\"renewable\":true,\"entity_id\":\"8977a412-c7ad-1e03-f654-b91bfd30a6b3\",\"token_type\":\"service\",\"orphan\":true}}\n2020/10/20 15:25:51 Authentication success\n```\n\n* Open https://localhost:3483 in a browser\n![](u2f-frontend/u2f-demo.png)\n\n* Click on Register token and press the button on your device\n* Click on Authenticate and press the button on your device\n\nThe token you receive carries the policies that were assigned to the role at the beginning (Vault normalizes policy names to lower case, hence `pola` and `polb`):\n\n```\n$ vault token lookup  s.BkuppRwBgxIdy7hr4soFQC00\nKey                 Value\n---                 -----\naccessor            e5xVaunuBVdLHA7f5D3jr0us\ncreation_time       1603200351\ncreation_ttl        768h\ndisplay_name        u2f-u2f_mydevice\nentity_id           8977a412-c7ad-1e03-f654-b91bfd30a6b3\nexpire_time         2020-11-21T14:25:51.27807041+01:00\nexplicit_max_ttl    0s\nid                  s.BkuppRwBgxIdy7hr4soFQC00\nissue_time          2020-10-20T15:25:51.278108041+02:00\nmeta                map[device_name:mydevice role:my-role]\nnum_uses            0\norphan              true\npath                auth/u2f/signResponse/mydevice\n*policies            [default pola polb]*\nrenewable           true\nttl                 767h59m34s\ntype                service\n```\n\n# License \nMozilla Public License Version 2.0\n\nCreated by Rodrigo A.
Diaz Leven\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbruj0%2Fvault-plugin-auth-u2f","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbruj0%2Fvault-plugin-auth-u2f","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbruj0%2Fvault-plugin-auth-u2f/lists"}
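The README above says that the registration and role endpoints must be writable only by administrators, and that a device name only has to be plain ASCII and URL safe because it becomes the plugin's storage key. The script below is an added example, not part of the plugin or its README: it prints a Vault policy that grants write access to exactly those paths (so under Vault's default-deny nobody else can enrol a device or change a role) and provides a pre-registration check for device names. It assumes the auth method is mounted at `auth/u2f` as in the demo; the policy name `u2f-admin`, the 64-character cap and the exact allowed character set are choices made here, not requirements stated by the project.

```shell
#!/bin/sh
# Added example, not project code. Assumes the plugin is mounted at auth/u2f.
# The policy name "u2f-admin", the 64-character cap and the allowed character
# set are our choices; the README only asks for plain ASCII, URL-safe names.

# Print a Vault policy that grants write access to the role and registration
# endpoints. Ordinary users get no grant here, so Vault's default-deny keeps
# them from enrolling devices or changing roles; they only need the
# signRequest/signResponse login endpoints.
u2f_admin_policy() {
  cat <<'EOF'
# Manage roles (policy assignment per registered device)
path "auth/u2f/roles/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Enrol devices: both halves of the registration exchange
path "auth/u2f/registerRequest/*" {
  capabilities = ["create", "update"]
}
# The README documents registerResponse without a device suffix; if your
# build takes the name in the path, use "auth/u2f/registerResponse/*" instead.
path "auth/u2f/registerResponse" {
  capabilities = ["create", "update"]
}
EOF
}

# Check a device name before it is used in auth/u2f/registerRequest/<name>.
# Returns 0 when the name is 1-64 bytes drawn from the URL-safe set
# [A-Za-z0-9._~@-] ('@' is allowed so that an e-mail address passes) and
# 1 otherwise. "." and ".." are rejected explicitly, and the character class
# rejects "/", whitespace, control bytes and anything non-ASCII, none of which
# should ever become a storage key. Runs in a subshell so LC_ALL=C (bytewise
# matching) does not leak into the caller.
valid_device_name() (
  LC_ALL=C
  export LC_ALL
  name=$1
  case "$name" in
    '' | . | ..) return 1 ;;
    *[!A-Za-z0-9._~@-]*) return 1 ;;
  esac
  [ "${#name}" -le 64 ]
)

# Usage against a running Vault with an administrator token:
#   u2f_admin_policy | vault policy write u2f-admin -
#   valid_device_name mydevice && vault write auth/u2f/registerRequest/mydevice role_name=my-role
```

The `vault write` in the usage comment only issues the first half of the exchange (the register request); the browser front end in `u2f-frontend` is what gets the device to sign it and posts the response.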