chir.rs/api
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Wiki Activity

actually define other 2fa methods

Browse source
This commit is contained in:
Charlotte 🦝 Delenk 2022-02-24 16:04:30 +01:00
parent 54b4035926
commit 6a653410c3
Signed by: darkkirb
GPG key ID: AB2BD8DAF2E37122
1 changed files with 41 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
docs/auth-design.md
View file

@ -249,7 +249,47 @@ The footer contains the following claim:
|-|-|
| `kid` | PASERK k4.pid public key id |
####
#### WebAuthn
We support support for P-256 and Ed25519 curves. If the authenticator supports Ed25519, the application **MUST** use Ed25519. [^12]
As per the webauthn spec, a challenge, along with other data, is signed by the authenticator.
The challenge signed is a json object with the following properties:
| Name | Description |
|-|-|
| `wpt` | The Authentication claim |
| `jti` | `b64_urlsafe(blake3_derive_key(b"auth.chir.rs-2fa-webauthn-v0", session_key, 32))` |
The data uploaded to the server is a json dictionary containing the following properties:
| Name | Description |
|-|-|
| `tid` | Token id, prepended with `webauthn-` |
| `authenticatorData` | Authenticator Data, encoded as urlsafe b64 |
| `clientDataJson` | The client Data JSON, encoded as a string |
| `signature` | The signature, encoded as urlsafe b64 |
The key is identified like the tid property above.
[^12]: Depending on standardization, future versions may accept additional Edwards-Curve based signature algorithms.
#### Android Keystore
Android unfortunately only supports P-256, however luckily this is guaranteed to be supported by the strongbox implementation.
The challenge to be signed is a json document containing the following properties:
| Name | Description |
|-|-|
| `wpt` | The authentication claim |
| `jti` | `b64_urlsafe(blake3_derive_key(b"auth.chir.rs-2fa-android-v0", session_key, 32))` |
| `kid` | `keystore-b64_urlsafe(blake3(pubkey.get_encoded()))` |
The key is identified like the kid property above.
Applications **MUST** use the android keystore system for generating and storing the keypair. They **SHALL** also use the strongbox implementation the device has and **SHALL** warn the user if that is not available.
If a future version of the API supports Ed25519 that is also supported by strongbox, applications **SHOULD** prefer the “Plain Ed25519” variant over this.
### 6: Returning the authentication code
The authentication code is generated like this and is returned to the requesting application like in oauth2