This repository contains a sample WebAuthn Relying Party (RP) web application built on the Spring Boot Framework. The application relies on SK Telecom's Passkey Platform Server for its WebAuthn (FIDO2) and passkey features: by design, most of the functionality lives in the Passkey Platform Server, and an RP adds passkey support by integrating with it.
We designed and implemented this application so that RP developers can easily understand how to integrate with SK Telecom's Passkey Server.
Learn more about how to integrate passkey features into your services with SK Telecom's Passkey Platform.
IMPORTANT: If you plan to introduce WebAuthn and passkeys into a real product, design and implement the integration carefully. This sample exists for demonstration and testing only. For that reason most registration and authentication options are populated on the client side, whereas in production choosing them is the backend server's job: options such as user verification, attestation and authenticator selection express your security policy, and a client that is allowed to pick them for itself can weaken that policy. Define your own registration and authentication policy for your use case and enforce the corresponding options on the server.
For simplicity, this application has no persistent storage for users' WebAuthn credentials and no authenticated session management either; a production RP needs both.
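The following is an added example in Python, not code from this sample or from the Passkey Platform; it shows the server-side handling the IMPORTANT note above asks for: the RP backend fixes the policy-bearing registration options instead of accepting them from the browser, and the challenge is generated, stored and consumed on the server rather than trusted from the client. Field names follow the WebAuthn PublicKeyCredentialCreationOptions dictionary; the RP name, the policy values and the assumption that the Passkey server's registration request accepts these fields are the example's own.

```python
import base64
import secrets
import time

# Policy the backend enforces regardless of what the browser asked for.
# Values follow the WebAuthn PublicKeyCredentialCreationOptions dictionary.
RP_POLICY = {
    "rp": {"id": "localhost", "name": "Passkey Sample RP"},   # webauthn.rp.id
    "pubKeyCredParams": [
        {"type": "public-key", "alg": -7},     # ES256
        {"type": "public-key", "alg": -257},   # RS256
    ],
    "authenticatorSelection": {
        "residentKey": "required",             # passkeys are discoverable credentials
        "userVerification": "required",
    },
    "attestation": "none",
    "timeout": 60000,
}
CHALLENGE_TTL_SECONDS = 120


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses on the wire."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class ChallengeStore:
    """Server-side challenges: random, bound to one session, single use, time limited.
    In-memory here; a production RP keeps them in its session or data store."""

    def __init__(self, now=time.time):
        self._now = now
        self._items = {}

    def issue(self, session_id: str) -> str:
        challenge = b64url(secrets.token_bytes(32))
        self._items[session_id] = (challenge, self._now() + CHALLENGE_TTL_SECONDS)
        return challenge

    def consume(self, session_id: str, presented: str) -> bool:
        """True only for the unexpired challenge issued to this session, and only once."""
        entry = self._items.pop(session_id, None)
        if entry is None:
            return False
        expected, expires_at = entry
        return self._now() <= expires_at and secrets.compare_digest(expected, presented)


def build_registration_options(user: dict, client_request: dict,
                               store: ChallengeStore, session_id: str) -> dict:
    """Produce the creation options the RP sends on to the Passkey server.

    Only authenticatorAttachment is taken from the client, and only when it is a
    valid value; every other client-supplied field (userVerification,
    attestation, ...) is ignored so the browser cannot relax the policy.
    """
    options = {
        "rp": dict(RP_POLICY["rp"]),
        "user": {
            "id": b64url(user["id"]),   # opaque server-assigned handle, not an e-mail address
            "name": user["name"],
            "displayName": user["displayName"],
        },
        "challenge": store.issue(session_id),
        "pubKeyCredParams": [dict(p) for p in RP_POLICY["pubKeyCredParams"]],
        "authenticatorSelection": dict(RP_POLICY["authenticatorSelection"]),
        "attestation": RP_POLICY["attestation"],
        "timeout": RP_POLICY["timeout"],
    }
    attachment = client_request.get("authenticatorAttachment")
    if attachment in ("platform", "cross-platform"):
        options["authenticatorSelection"]["authenticatorAttachment"] = attachment
    return options


def ignored_client_fields(client_request: dict) -> set:
    """Fields the client sent that the policy refuses to honour; worth logging."""
    return set(client_request) - {"authenticatorAttachment"}
```

When the registration response comes back, the backend calls `consume()` with the challenge echoed in clientDataJSON before forwarding anything to the Passkey server; a challenge that is missing, reused, expired or issued to another session is rejected there.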
The RESTful APIs of this sample application are based on the FIDO Alliance Conformance Test Tools.
In addition to the APIs, this application also bundles the FIDO Alliance Interop Web App.
The interop web app is served as index.html under the root path. When you run the sample locally, it is available at http://localhost:8081/index.html.
To test the interop web app yourself you need to set the properties correctly, in particular the WebAuthn server information and the OAuth2 client configuration.
No code changes are needed for the interop web app; setting those properties is all that is required.
WebAuthn APIs are also available to native applications running on iOS, Android and other platforms. The RP web application MUST declare that it owns and controls those native applications by publishing the corresponding association.
In this sample application, the website carries that association for SK Telecom's sample Android application (a Digital Asset Links statement served from /.well-known/assetlinks.json).
If you have your own Android application, replace the values of package_name and sha256_cert_fingerprints with your own. Use the fingerprint of the certificate that signs the APK you actually ship; if Google Play re-signs your app, that is the Play App Signing certificate, not your upload key.
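The following is an added example in Python, not code from this sample or from SK Telecom. It shows the shape of the Digital Asset Links statement that package_name and sha256_cert_fingerprints belong to, derives the fingerprint value from a signing certificate's DER bytes in the same colon-separated form keytool prints, and checks a document before it is published. The package name and the certificate bytes are constructed for the example; the bytes are not a real certificate.

```python
import hashlib
import json
import re

GET_LOGIN_CREDS = "delegate_permission/common.get_login_creds"
# 32 colon-separated hex octets, as keytool -printcert and apksigner print them.
FINGERPRINT_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$")
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+$")


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate, formatted for assetlinks.json."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def asset_link_statement(package_name: str, fingerprints: list) -> dict:
    """One statement granting the app the right to use the site's credentials."""
    return {
        "relation": [GET_LOGIN_CREDS],
        "target": {
            "namespace": "android_app",
            "package_name": package_name,
            "sha256_cert_fingerprints": list(fingerprints),
        },
    }


def validate_assetlinks(document) -> list:
    """Return the problems found; an empty list means the document is fit to publish."""
    if not isinstance(document, list) or not document:
        return ["assetlinks.json must be a non-empty JSON array of statements"]
    problems = []
    for i, stmt in enumerate(document):
        target = stmt.get("target") or {}
        if GET_LOGIN_CREDS not in (stmt.get("relation") or []):
            problems.append(f"statement {i}: relation lacks {GET_LOGIN_CREDS}")
        if target.get("namespace") != "android_app":
            problems.append(f"statement {i}: target.namespace must be android_app")
        if not PACKAGE_RE.match(target.get("package_name") or ""):
            problems.append(f"statement {i}: package_name is not a valid Android package name")
        fingerprints = target.get("sha256_cert_fingerprints") or []
        if not fingerprints:
            problems.append(f"statement {i}: sha256_cert_fingerprints is empty")
        for fp in fingerprints:
            if not FINGERPRINT_RE.match(fp):
                problems.append(f"statement {i}: malformed fingerprint {fp!r}")
    return problems


def render_assetlinks(statements: list) -> str:
    """Serialise for /.well-known/assetlinks.json (serve it as application/json)."""
    return json.dumps(statements, indent=2)


if __name__ == "__main__":
    # Constructed stand-in for a signing certificate's DER bytes, not a real certificate.
    FAKE_SIGNING_CERT_DER = b"constructed-example-bytes-not-a-real-certificate"
    statements = [asset_link_statement("com.example.passkeyapp",
                                       [cert_fingerprint(FAKE_SIGNING_CERT_DER)])]
    print(render_assetlinks(statements))
    print("problems:", validate_assetlinks(statements))
```

List every certificate that may sign a shipped build (for example both the upload key and the Play App Signing key) in sha256_cert_fingerprints; a build signed by a certificate that is not listed will not be able to use the site's passkeys.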
This sample application uses a Gradle-based build and requires JDK 11 or later.

```sh
$ ./gradlew build
$ ./gradlew bootRun
```
If you would like to use your own profile, you can additionally define a profile file such as application-dev.yml. For example, the following command runs the application with the dev profile active.

```sh
$ ./gradlew bootRun --args='--spring.profiles.active=dev'
```
There are a couple of controller tests.

```sh
$ ./gradlew test
```

Discover more commands with ./gradlew tasks.
Name | Description | Default Value |
---|---|---|
conformance.base-url | Base URL of your (sample) web application, used by the interop web app. | http://localhost:8081 |
conformance.vendor-name | Vendor name displayed for the WebAuthn server in the interop web app. | SK Telecom |
webauthn.rp.id | Relying Party (RP) ID. Must be the effective domain of your site's origin or a registrable domain suffix of it. | localhost |
webauthn.server.api-version | WebAuthn Server API version. | v1 |
webauthn.server.base-url | WebAuthn Server base URL; set it to the URL of the target server. | http://localhost:8080 |
webauthn.server.url-path.registration-request | Registration request endpoint. | /${webauthn.server.api-version}/registration/request |
webauthn.server.url-path.registration-response | Registration response endpoint. | /${webauthn.server.api-version}/registration/response |
webauthn.server.url-path.authentication-request | Authentication request endpoint. | /${webauthn.server.api-version}/authentication/request |
webauthn.server.url-path.authentication-response | Authentication response endpoint. | /${webauthn.server.api-version}/authentication/response |
webauthn.server.url-path.user | User endpoint. | /${webauthn.server.api-version}/users/{userId} |
webauthn.server.url-path.user-credential | Endpoint for one credential of a user. | /${webauthn.server.api-version}/users/{userId}/credentials/{credentialId} |
webauthn.server.url-path.user-credentials | Endpoint for all credentials associated with a user. | /${webauthn.server.api-version}/users/{userId}/credentials |
webauthn.server.oauth2-protected | Whether the WebAuthn server API is protected with OAuth2. | false |
If the WebAuthn server APIs (Passkey Platform Server) are protected with OAuth2 (the webauthn.server.oauth2-protected property is true), you need to configure the OAuth2 client information.
For simplicity, this sample application uses the Spring Security OAuth 2.0 Client.
For more details, please refer to the Spring OAuth 2.0 Client documentation.
The following is an example OAuth2 client configuration using the Spring Security OAuth 2.0 Client feature.
```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          passkey-rp-scope:
            provider: sktelecom
            authorization-grant-type: client_credentials
            scope: passkey:rp
            client-id: your-client-id         # replace here
            client-secret: your-client-secret # replace here; keep the real value out of version control
        provider:
          sktelecom:
            token-uri: https://example.com/oauth2/token # set the real OAuth2 server token endpoint URI
```
Note that you MUST register your application to obtain a client_id and client_secret for WebAuthn server API authorization.
For SK Telecom's Passkey Platform, the client_id MUST be identical to your RP ID.
You may implement your own OAuth2 client instead of using the Spring Security OAuth2 Client; the choice is yours.
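For readers who take that route, or who want to see what the Spring configuration above does on the wire, the following is an added example in Python, not code from this sample or from SK Telecom. It builds the RFC 6749 client_credentials token request with HTTP Basic client authentication (client_secret_basic, Spring Security's default), checks the client_id against the RP ID as the note above requires, caches the access token until shortly before expires_in elapses, and sends it as a Bearer token to the registration-request endpoint. The token URI, the server base URL and the JSON body of the registration request are assumptions of the example; the page does not document the request body, so consult the Passkey Platform API documentation for the real one.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

RP_ID = "localhost"                              # webauthn.rp.id
SERVER_BASE_URL = "http://localhost:8080"        # webauthn.server.base-url
API_VERSION = "v1"                               # webauthn.server.api-version
TOKEN_URI = "https://example.com/oauth2/token"   # placeholder, as in the YAML above
SCOPE = "passkey:rp"


def check_client_id(rp_id: str, client_id: str) -> None:
    """The platform requires client_id == RP ID; fail at startup rather than at the first call."""
    if client_id != rp_id:
        raise ValueError(f"client_id {client_id!r} must equal RP ID {rp_id!r}")


def token_request(token_uri: str, client_id: str, client_secret: str, scope: str):
    """Build the client_credentials request (RFC 6749 section 4.4).
    The client authenticates with HTTP Basic, Spring Security's default method."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {credentials}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope}).encode()
    return token_uri, headers, body


def http_send(url: str, headers: dict, body: bytes) -> dict:
    """Real transport: POST and decode a JSON reply; urlopen raises on non-2xx."""
    request = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.loads(response.read().decode())


class BearerClient:
    """Holds one access token and refreshes it before expires_in runs out."""

    def __init__(self, client_id, client_secret, send=http_send, clock=time.time, refresh_margin=30):
        check_client_id(RP_ID, client_id)
        self._client_id = client_id
        self._client_secret = client_secret
        self._send = send          # injectable so the exchange can be exercised offline
        self._clock = clock
        self._margin = refresh_margin
        self._token = None
        self._expires_at = 0.0

    def access_token(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            url, headers, body = token_request(TOKEN_URI, self._client_id, self._client_secret, SCOPE)
            reply = self._send(url, headers, body)
            if reply.get("token_type", "").lower() != "bearer":
                raise ValueError("expected a Bearer token from the token endpoint")
            self._token = reply["access_token"]
            self._expires_at = self._clock() + float(reply.get("expires_in", 0))
        return self._token

    def registration_request(self, payload: dict) -> dict:
        """POST to webauthn.server.url-path.registration-request with the Bearer token.
        The payload shape is assumed for the example; the page does not document it."""
        url = f"{SERVER_BASE_URL}/{API_VERSION}/registration/request"
        headers = {
            "Authorization": f"Bearer {self.access_token()}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        }
        return self._send(url, headers, json.dumps(payload).encode())
```

The token is fetched once and reused across calls to the Passkey server; a token endpoint that returns no expires_in makes the client fetch a fresh token on every call, which is the safe default when the lifetime is unknown.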
The Passkey Sample Relying Party Application is open source software released under the Apache 2.0 license.
If you have any other questions or concerns, please contact [email protected].