Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/descope/virtualwebauthn

A set of helper tools for testing WebAuthn authentication flows
https://github.com/descope/virtualwebauthn

authentication automation biometric descope fido fido2 golang passkeys test-automation testing-tools webauthn

Last synced: 35 minutes ago
JSON representation

A set of helper tools for testing WebAuthn authentication flows

Awesome Lists containing this project

README 

        

# Virtual WebAuthn



The Go package `virtualwebauthn` provides a set of helper tools for testing full [WebAuthn](https://fidoalliance.org/fido2-2/fido2-web-authentication-webauthn) authentication flows in a [relying party](https://www.w3.org/TR/webauthn-2/#webauthn-relying-party) WebAuthn server implementation without requiring a browser or an actual authenticator.



Check the [test](test/webauthn_test.go) for a working example on how to use this library.



## Features



- Test both register/attestation and login/assertion flows

- Validate credential [creation](https://www.w3.org/TR/webauthn-2/#sctn-credentialcreationoptions-extension) and [request](https://www.w3.org/TR/webauthn-2/#sctn-credentialrequestoptions-extension) options

- Generate [attestation](https://www.w3.org/TR/webauthn-2/#authenticatorattestationresponse) and [assertion](https://www.w3.org/TR/webauthn-2/#authenticatorassertionresponse) responses

- Supports `EC2` and `RSA` keys with `SHA256`

- Supports `packed` attestation format



## Usage



### Setup



First we create mock entities to work with for running tests.



```go

// The relying party settings should mirror those on the actual WebAuthn server

rp := virtualwebauthn.RelyingParty{Name: "Example Corp", ID: "example.com", Origin: "https://example.com"}



// A mock authenticator that represents a security key or biometrics module

authenticator := virtualwebauthn.NewAuthenticator()



// Create a new credential that we'll try to register with the relying party

credential := virtualwebauthn.NewCredential(virtualwebauthn.KeyTypeEC2)

```



### Register



Start a register flow with the relying party and get an `attestationOptions` JSON string that contains the serialized [credential creation options](https://www.w3.org/TR/webauthn-2/#sctn-credentialcreationoptions-extension):



```go

// Ask the server to start a register flow for a user. The server and user here

// are placeholders for whatever the system being tested uses.

attestationOptions := server.registerStart(user)

```



Use the `ParseAttestationOptions` and `CreateAttestationResponse` functions to parse the `attestationOptions` string, ensure that it's valid, and generate an appropriate `attestationResponse` that should appear to have come from a browser's `navigator.credentials.create` call:



```go

// Parses the attestation options we got from the relying party to ensure they're valid

parsedAttestationOptions, err := virtualwebauthn.ParseAttestationOptions(attestationOptions)

if err != nil {

    ...

}



// Creates an attestation response that we can send to the relying party as if it came from

// an actual browser and authenticator.

attestationResponse := virtualwebauthn.CreateAttestationResponse(rp, authenticator, credential, *parsedAttestationOptions)

```



We can now go back to the relying party with the `attestationResponse` and finish the register flow:



```go

// Finish the register flow by sending the attestation response. Again the server and

// user here are placeholders for whatever the system being tested uses.

err := server.registerFinish(user, attestationResponse)

if err != nil {

    ...

}



// Add the EC2 credential to the mock authenticator

authenticator.AddCredential(credential)

```