{"id":13702933,"url":"https://github.com/line/line-fido2-server","last_synced_at":"2026-04-29T01:05:07.455Z","repository":{"id":41281750,"uuid":"388284349","full_name":"line/line-fido2-server","owner":"line","description":"FIDO2(WebAuthn) server officially certified by FIDO Alliance and Relying Party examples.","archived":false,"fork":false,"pushed_at":"2025-04-30T02:53:20.000Z","size":14398,"stargazers_count":545,"open_issues_count":10,"forks_count":101,"subscribers_count":19,"default_branch":"main","last_synced_at":"2025-04-30T03:34:28.560Z","etag":null,"topics":["example","fido2","java","passwordless","relying-party","security","spring-boot","webauthn"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/line.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-07-22T00:44:01.000Z","updated_at":"2025-04-30T02:53:24.000Z","dependencies_parsed_at":"2024-11-01T03:17:57.732Z","dependency_job_id":"ad3ad891-368a-41ac-b669-76deaa698bca","html_url":"https://github.com/line/line-fido2-server","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/line%2Fline-fido2-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/line%2Fline-fido2-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/line%2Fline-fido2-server/releases","manifests_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/repositories/line%2Fline-fido2-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/line","download_url":"https://codeload.github.com/line/line-fido2-server/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252458316,"owners_count":21751014,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["example","fido2","java","passwordless","relying-party","security","spring-boot","webauthn"],"created_at":"2024-08-02T21:00:46.628Z","updated_at":"2025-10-08T12:02:48.513Z","avatar_url":"https://github.com/line.png","language":"Java","funding_links":[],"categories":["Server Libraries","Library","安全"],"sub_categories":[],"readme":"# LINE FIDO2 SERVER\n\n![Stars](https://img.shields.io/github/stars/line/line-fido2-server.svg?style=social)\n![Repo Size](https://img.shields.io/github/repo-size/line/line-fido2-server)\n![License Apache-2.0](https://img.shields.io/github/license/line/line-fido2-server)\n![Top Language](https://img.shields.io/github/languages/top/line/line-fido2-server)\n![Spring Boot](https://img.shields.io/badge/Spring%20Boot-2.7.12-green)\n![Java version](https://img.shields.io/badge/Java-11-green)\n![Data base](https://img.shields.io/badge/Storage-MySQL%2FH2%2FRedis-blue)\n![Last Commit](https://img.shields.io/github/last-commit/line/line-fido2-server)\n\n\u003e **FIDO2(WebAuthn) Server officially certified by FIDO Alliance**\n\n\u003cimg src=\"images/fido2_certificate.jpg\" height=\"500\" align=\"center\" alt=\"FIDO2 Certificate\"/\u003e\n\n## Overview\n\nFIDO 
(Fast IDentity Online) is an open standard for online authentication, aiming to eliminate the vulnerabilities of\npasswords. FIDO uses public-key cryptography instead of symmetric credentials like passwords or PINs.\n\nIn essence, the user's device generates a key pair, storing the private key securely and sharing the public key with the\nserver. During both registration and authentication, the server challenges the device, and the device responds with a\ndigital signature using the private key. The server then verifies this signature with the stored public key. This\nchallenge-response protocol helps prevent replay attacks.\n\n### What is FIDO2?\n\nFIDO2 is an enhancement of the FIDO standard for web and other platforms, supported by major web browsers and operating\nsystems. It encompasses two primary operations: Registration and Authentication.\n\n#### Registration\n\n- The user selects a FIDO authenticator that meets the service’s acceptance policy.\n- The user unlocks the authenticator via fingerprint, PIN, or another method.\n- A public/private key pair is generated; the public key is sent to the service and associated with the user’s account,\n  while the private key remains on the device.\n- The service challenges the device, which then creates a response using the private key to finish the registration\n  process.\n\n#### Authentication\n\n- The service challenges the user to log in with a previously registered device.\n- The user unlocks the authenticator using the same method as during registration.\n- The device signs the service’s challenge and sends it back to the service.\n- The service verifies the signature with the stored public key and grants access.\n\n### Challenge-Response Protocol\n\nBoth the registration and authentication processes utilize a challenge-response protocol to prevent replay attacks.\nDuring registration, a challenge is sent from the server to the device and the device responds using its private key.\nSimilarly, during 
authentication, another challenge is sent to verify the user's identity. This ensures that each\nattempt is unique and secure.\n\n## Screenshots\n\n### Chrome on Mac with Touch ID\n\n\u003cimg src=\"images/chrome_mac_touchid.gif\" width=\"600\" align=\"center\" alt=\"Registration Flow\"/\u003e\n\n## Modules\n\n- **rp-server**:\n    - RP Server Demo\n    - Depends on **common**\n- **common**:\n    - Message classes that are commonly referenced by both the FIDO2 Server and the RP Server\n- **core**:\n    - Contains the core domain logic of FIDO\n    - If the FIDO2 server being implemented does not interact with an RDB, this module alone should be used\n    - Depends on **common**\n- **base**:\n    - Contains classes that depend on Spring JPA\n        - Service implementation classes, Repository interfaces, Entity classes\n    - Depends on **core**\n- **demo**:\n    - FIDO2 server demo application\n    - Depends on **base**\n\n## Features\n\n- Supported attestation types:\n    - Basic\n    - Self\n    - Attestation CA (Privacy CA)\n    - None\n    - Anonymization CA\n- Supported attestation formats:\n    - Packed\n    - TPM\n    - Android Key Attestation\n    - Android SafetyNet\n    - FIDO U2F\n    - Apple Anonymous\n    - None\n- Metadata service integration:\n    - FIDO MDSv3\n\n## How to Run\n\n### Manual Run\n\nStart the RP Server and FIDO2 Server:\n\n```bash\n# Start RP Server\ncd rpserver\n./gradlew bootRun\n\n# Start FIDO2 Server\ncd fido2-demo/demo\n./gradlew bootRun\n```\n\n### Docker for demo\n\nIf you have Docker configured, you can use docker-compose.\n\n```bash\n# Start both RP Server and FIDO2 Server\ndocker-compose up\n```\n\nOnce the applications are running, access the test page at:\n\n- http://localhost:8080/\n\n### Local DB\n\nThe FIDO2 Server uses H2 as an embedded DB in a local environment, which should be replaced with a standalone DB (like\nMySQL) for staging, beta, or production environments. 
Access the H2 web console at:\n\n- http://localhost:8081/h2-console\n\n### Issues\n\n- If data.sql doesn't work well in an IntelliJ environment,\n  try commenting out this part in build.gradle.\n\n```groovy\njar {\n    processResources {\n        exclude(\"**/*.sql\")\n    }\n}\n```\n\n## API Guides\n\n### Spring REST Docs\n\nTo view the API documentation, follow these steps:\n\n1. Execute the following commands:\n   ```bash\n   cd fido2-demo/demo\n   ./gradlew makeRestDocs\n   ./gradlew bootRun\n   ```\n2. Access the API documentation at the following path:\n\n- server: http://localhost:8081/docs/api-guide.html\n\n### Swagger UI\n\nAfter running the applications, you can view API guide documents at the links below.\n\n- rpserver: http://localhost:8080/swagger-ui.html\n- server: http://localhost:8081/swagger-ui.html\n\n## LINE WebAuthn Android and iOS\n\nWe also provide a Client SDK for Android/iOS applications. Please see below.\n\n- [Introducing Fido2 Client SDK open source](https://techblog.lycorp.co.jp/ko/introducing-fido2-client-sdk-open-source)\n- [LINE Webauthn Demo Kotlin](https://github.com/line/webauthndemo-kotlin)\n- [LINE Webauthn Demo Swift](https://github.com/line/webauthndemo-swift)\n\n### checkOrigin Configuration\n\nThe `checkOrigin` method validates the origin of requests. It supports both:\n\n- App facet origins for LINE Android/iOS client SDKs (e.g., `android:...`, `ios:...`).\n- Web origins for passkeys or browser-based WebAuthn (e.g., `https://example.com`).\n\n#### How to Configure\n\nDefine allowed origins in the `application.yml` file. When web origins (`https://` or `http://`) are listed, they are\ntreated as an allowlist for web-origin verification (multi-origin supported). 
If no web origins are configured, the\nserver falls back to strict equality between the request-provided origin and the `clientDataJSON.origin`.\n\n```yaml\napp:\n  origins:\n    - android:aaa-bbb\n    - ios:aaa-bbb\n    # Optional: add one or more web origins to enforce an allowlist for web/passkey flows\n    - https://example.com\n    - https://staging.example.com\n```\n\n**Note:** Replace `aaa-bbb` with the appropriate values for your application.\n\n**Important:**\n\n- Facet origins (`android:`, `ios:`) apply to native app flows using LINE’s client SDKs.\n    - https://github.com/line/webauthn-swift\n    - https://github.com/line/webauthn-kotlin\n- Web origins (`https://`, `http://`) apply to browser/passkey flows across platforms (iOS, Android, Windows, macOS).\n- If no web origins are configured, verification requires the request origin to exactly match `clientDataJSON.origin`.\n- Android native (FIDO2 API/Credential Manager): `clientDataJSON.origin` starts with `android:...` (app facet). See\n  \"Verify origin\" in Android Credential Manager\n  docs: https://developer.android.com/identity/sign-in/credential-manager#verify-origin\n- iOS native (AuthenticationServices, passkeys): `clientDataJSON.origin` is an `https` web origin (no `ios:` prefix),\n  e.g., `https://example.com`. 
For iOS/macOS passkeys, configure a web-origin allowlist.\n- When web origins are configured, the allowlist takes precedence: RP request fields like `VerifyCredential.origin` and\n  `RegisterCredential.origin` do not govern the check; the server validates against the configured web-origin allowlist.\n\n## References\n\n`LY Engineering Blogs`\n\n- [FIDO at LINE: A First Step to a World Without Passwords](https://engineering.linecorp.com/en/blog/fido-at-line/)\n- [FIDO at LINE: FIDO2 server as an open-source project](https://engineering.linecorp.com/en/blog/fido-at-line-fido2-server-opensource/)\n- [Introducing Fido2 Client SDK open source](https://techblog.lycorp.co.jp/ko/introducing-fido2-client-sdk-open-source)\n\n`LY Tech Videos`\n\n- [Open source contribution Starting with LINE FIDO2 Server](https://youtu.be/xKzXi5ic4Do)\n- [Strong customer authentication \u0026 biometrics using FIDO](https://youtu.be/S1y9wFh7_dc)\n- [Cross Platform Mobile Security At LINE](https://youtu.be/4288h-EamTU)\n- [Secure LINE login with biometric key replacing password](https://youtu.be/vCAu-y-iwyw)\n\n`Internal`\n\n- [Sequence Diagram](https://github.com/line/line-fido2-server/wiki/Sequence-diagrams)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fline%2Fline-fido2-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fline%2Fline-fido2-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fline%2Fline-fido2-server/lists"}