mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-12 01:47:33 +00:00
feat: add WebAuthN support for passwordless login and 2fa (#966)
* at least registration prompt works * in memory test for login * buttons to start webauthn process * begin eventstore impl * begin eventstore impl * serialize into bytes * fix: u2f, passwordless types * fix for localhost * fix script * fix: u2f, passwordless types * fix: add u2f * fix: verify u2f * fix: session data in event store * fix: u2f credentials in eventstore * fix: webauthn pkg handles business models * feat: tests * feat: append events * fix: test * fix: check only ready webauthn creds * fix: move u2f methods to authrepo * frontend improvements * fix return * feat: add passwordless * feat: add passwordless * improve ui / error handling * separate call for login * fix login * js * feat: u2f login methods * feat: remove unused session id * feat: error handling * feat: error handling * feat: refactor user eventstore * feat: finish webauthn * feat: u2f and passwordlss in auth.proto * u2f step * passwordless step * cleanup js * EndpointPasswordLessLogin * migration * update mfaChecked test * next step test * token name * cleanup * attribute * passwordless as tokens * remove sms as otp type * add "user" to amr for webauthn * error handling * fixes * fix tests * naming * naming * fixes * session handler * i18n * error handling in login * Update internal/ui/login/static/i18n/de.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * improvements * merge fixes * fixes * fixes Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
This commit is contained in:
Livio Amstutz
@@ -13,6 +13,7 @@ func loginPolicyToModel(policy *admin.DefaultLoginPolicyRequest) *iam_model.Logi
|
||||
AllowExternalIdp: policy.AllowExternalIdp,
|
||||
AllowRegister: policy.AllowRegister,
|
||||
ForceMFA: policy.ForceMfa,
|
||||
PasswordlessType: passwordlessTypeToModel(policy.PasswordlessType),
|
||||
}
|
||||
}
|
||||
|
||||
@@ -28,6 +29,7 @@ func loginPolicyFromModel(policy *iam_model.LoginPolicy) *admin.DefaultLoginPoli
|
||||
AllowExternalIdp: policy.AllowExternalIdp,
|
||||
AllowRegister: policy.AllowRegister,
|
||||
ForceMfa: policy.ForceMFA,
|
||||
PasswordlessType: passwordlessTypeFromModel(policy.PasswordlessType),
|
||||
CreationDate: creationDate,
|
||||
ChangeDate: changeDate,
|
||||
}
|
||||
@@ -45,6 +47,7 @@ func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *admin.DefaultL
|
||||
AllowExternalIdp: policy.AllowExternalIDP,
|
||||
AllowRegister: policy.AllowRegister,
|
||||
ForceMfa: policy.ForceMFA,
|
||||
PasswordlessType: passwordlessTypeFromModel(policy.PasswordlessType),
|
||||
CreationDate: creationDate,
|
||||
ChangeDate: changeDate,
|
||||
}
|
||||
@@ -145,6 +148,24 @@ func secondFactorTypeToModel(mfaType *admin.SecondFactor) iam_model.SecondFactor
|
||||
}
|
||||
}
|
||||
|
||||
func passwordlessTypeFromModel(passwordlessType iam_model.PasswordlessType) admin.PasswordlessType {
|
||||
switch passwordlessType {
|
||||
case iam_model.PasswordlessTypeAllowed:
|
||||
return admin.PasswordlessType_PASSWORDLESSTYPE_ALLOWED
|
||||
default:
|
||||
return admin.PasswordlessType_PASSWORDLESSTYPE_NOT_ALLOWED
|
||||
}
|
||||
}
|
||||
|
||||
func passwordlessTypeToModel(passwordlessType admin.PasswordlessType) iam_model.PasswordlessType {
|
||||
switch passwordlessType {
|
||||
case admin.PasswordlessType_PASSWORDLESSTYPE_ALLOWED:
|
||||
return iam_model.PasswordlessTypeAllowed
|
||||
default:
|
||||
return iam_model.PasswordlessTypeNotAllowed
|
||||
}
|
||||
}
|
||||
|
||||
func multiFactorResultFromModel(result *iam_model.MultiFactorsSearchResponse) *admin.MultiFactorsResult {
|
||||
converted := make([]admin.MultiFactorType, len(result.Result))
|
||||
for i, mfaType := range result.Result {
|
||||
|
||||
@@ -2,7 +2,6 @@ package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/golang/protobuf/ptypes/empty"
|
||||
|
||||
"github.com/caos/zitadel/pkg/grpc/auth"
|
||||
@@ -54,7 +53,7 @@ func (s *Server) GetMyUserAddress(ctx context.Context, _ *empty.Empty) (*auth.Us
|
||||
}
|
||||
|
||||
func (s *Server) GetMyMfas(ctx context.Context, _ *empty.Empty) (*auth.MultiFactors, error) {
|
||||
mfas, err := s.repo.MyUserMfas(ctx)
|
||||
mfas, err := s.repo.MyUserMFAs(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -144,7 +143,7 @@ func (s *Server) GetMyPasswordComplexityPolicy(ctx context.Context, _ *empty.Emp
|
||||
}
|
||||
|
||||
func (s *Server) AddMfaOTP(ctx context.Context, _ *empty.Empty) (_ *auth.MfaOtpResponse, err error) {
|
||||
otp, err := s.repo.AddMyMfaOTP(ctx)
|
||||
otp, err := s.repo.AddMyMFAOTP(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -152,12 +151,42 @@ func (s *Server) AddMfaOTP(ctx context.Context, _ *empty.Empty) (_ *auth.MfaOtpR
|
||||
}
|
||||
|
||||
func (s *Server) VerifyMfaOTP(ctx context.Context, request *auth.VerifyMfaOtp) (*empty.Empty, error) {
|
||||
err := s.repo.VerifyMyMfaOTPSetup(ctx, request.Code)
|
||||
err := s.repo.VerifyMyMFAOTPSetup(ctx, request.Code)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) RemoveMfaOTP(ctx context.Context, _ *empty.Empty) (_ *empty.Empty, err error) {
|
||||
s.repo.RemoveMyMfaOTP(ctx)
|
||||
err = s.repo.RemoveMyMFAOTP(ctx)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) AddMyMfaU2F(ctx context.Context, _ *empty.Empty) (_ *auth.WebAuthNResponse, err error) {
|
||||
u2f, err := s.repo.AddMyMFAU2F(ctx)
|
||||
return verifyWebAuthNFromModel(u2f), err
|
||||
}
|
||||
|
||||
func (s *Server) VerifyMyMfaU2F(ctx context.Context, request *auth.VerifyWebAuthN) (*empty.Empty, error) {
|
||||
err := s.repo.VerifyMyMFAU2FSetup(ctx, request.TokenName, request.PublicKeyCredential)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) RemoveMyMfaU2F(ctx context.Context, id *auth.WebAuthNTokenID) (*empty.Empty, error) {
|
||||
err := s.repo.RemoveMyMFAU2F(ctx, id.Id)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) AddMyPasswordless(ctx context.Context, _ *empty.Empty) (_ *auth.WebAuthNResponse, err error) {
|
||||
u2f, err := s.repo.AddMyPasswordless(ctx)
|
||||
return verifyWebAuthNFromModel(u2f), err
|
||||
}
|
||||
|
||||
func (s *Server) VerifyMyPasswordless(ctx context.Context, request *auth.VerifyWebAuthN) (*empty.Empty, error) {
|
||||
err := s.repo.VerifyMyPasswordlessSetup(ctx, request.TokenName, request.PublicKeyCredential)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) RemoveMyPasswordless(ctx context.Context, id *auth.WebAuthNTokenID) (*empty.Empty, error) {
|
||||
err := s.repo.RemoveMyPasswordless(ctx, id.Id)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
|
||||
@@ -358,11 +358,11 @@ func genderToModel(gender auth.Gender) usr_model.Gender {
|
||||
}
|
||||
}
|
||||
|
||||
func mfaStateFromModel(state usr_model.MfaState) auth.MFAState {
|
||||
func mfaStateFromModel(state usr_model.MFAState) auth.MFAState {
|
||||
switch state {
|
||||
case usr_model.MfaStateReady:
|
||||
case usr_model.MFAStateReady:
|
||||
return auth.MFAState_MFASTATE_READY
|
||||
case usr_model.MfaStateNotReady:
|
||||
case usr_model.MFAStateNotReady:
|
||||
return auth.MFAState_MFASTATE_NOT_READY
|
||||
default:
|
||||
return auth.MFAState_MFASTATE_UNSPECIFIED
|
||||
@@ -379,17 +379,18 @@ func mfasFromModel(mfas []*usr_model.MultiFactor) []*auth.MultiFactor {
|
||||
|
||||
func mfaFromModel(mfa *usr_model.MultiFactor) *auth.MultiFactor {
|
||||
return &auth.MultiFactor{
|
||||
State: mfaStateFromModel(mfa.State),
|
||||
Type: mfaTypeFromModel(mfa.Type),
|
||||
State: mfaStateFromModel(mfa.State),
|
||||
Type: mfaTypeFromModel(mfa.Type),
|
||||
Attribute: mfa.Attribute,
|
||||
}
|
||||
}
|
||||
|
||||
func mfaTypeFromModel(mfatype usr_model.MfaType) auth.MfaType {
|
||||
switch mfatype {
|
||||
case usr_model.MfaTypeOTP:
|
||||
func mfaTypeFromModel(mfaType usr_model.MFAType) auth.MfaType {
|
||||
switch mfaType {
|
||||
case usr_model.MFATypeOTP:
|
||||
return auth.MfaType_MFATYPE_OTP
|
||||
case usr_model.MfaTypeSMS:
|
||||
return auth.MfaType_MFATYPE_SMS
|
||||
case usr_model.MFATypeU2F:
|
||||
return auth.MfaType_MFATYPE_U2F
|
||||
default:
|
||||
return auth.MfaType_MFATYPE_UNSPECIFIED
|
||||
}
|
||||
@@ -426,3 +427,11 @@ func userChangesToAPI(changes *usr_model.UserChanges) (_ []*auth.Change) {
|
||||
|
||||
return result
|
||||
}
|
||||
|
||||
func verifyWebAuthNFromModel(u2f *usr_model.WebAuthNToken) *auth.WebAuthNResponse {
|
||||
return &auth.WebAuthNResponse{
|
||||
Id: u2f.WebAuthNTokenID,
|
||||
PublicKey: u2f.PublicKey,
|
||||
State: mfaStateFromModel(u2f.State),
|
||||
}
|
||||
}
|
||||
|
||||
@@ -13,6 +13,7 @@ func loginPolicyRequestToModel(policy *management.LoginPolicyRequest) *iam_model
|
||||
AllowExternalIdp: policy.AllowExternalIdp,
|
||||
AllowRegister: policy.AllowRegister,
|
||||
ForceMFA: policy.ForceMfa,
|
||||
PasswordlessType: passwordlessTypeToModel(policy.PasswordlessType),
|
||||
}
|
||||
}
|
||||
|
||||
@@ -30,6 +31,7 @@ func loginPolicyFromModel(policy *iam_model.LoginPolicy) *management.LoginPolicy
|
||||
CreationDate: creationDate,
|
||||
ChangeDate: changeDate,
|
||||
ForceMfa: policy.ForceMFA,
|
||||
PasswordlessType: passwordlessTypeFromModel(policy.PasswordlessType),
|
||||
}
|
||||
}
|
||||
|
||||
@@ -48,6 +50,7 @@ func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *management.Log
|
||||
CreationDate: creationDate,
|
||||
ChangeDate: changeDate,
|
||||
ForceMfa: policy.ForceMFA,
|
||||
PasswordlessType: passwordlessTypeFromModel(policy.PasswordlessType),
|
||||
}
|
||||
}
|
||||
|
||||
@@ -215,3 +218,21 @@ func multiFactorTypeToModel(mfaType *management.MultiFactor) iam_model.MultiFact
|
||||
return iam_model.MultiFactorTypeUnspecified
|
||||
}
|
||||
}
|
||||
|
||||
func passwordlessTypeFromModel(passwordlessType iam_model.PasswordlessType) management.PasswordlessType {
|
||||
switch passwordlessType {
|
||||
case iam_model.PasswordlessTypeAllowed:
|
||||
return management.PasswordlessType_PASSWORDLESSTYPE_ALLOWED
|
||||
default:
|
||||
return management.PasswordlessType_PASSWORDLESSTYPE_NOT_ALLOWED
|
||||
}
|
||||
}
|
||||
|
||||
func passwordlessTypeToModel(passwordlessType management.PasswordlessType) iam_model.PasswordlessType {
|
||||
switch passwordlessType {
|
||||
case management.PasswordlessType_PASSWORDLESSTYPE_ALLOWED:
|
||||
return iam_model.PasswordlessTypeAllowed
|
||||
default:
|
||||
return iam_model.PasswordlessTypeNotAllowed
|
||||
}
|
||||
}
|
||||
|
||||
@@ -214,7 +214,7 @@ func (s *Server) RemoveExternalIDP(ctx context.Context, request *management.Exte
|
||||
}
|
||||
|
||||
func (s *Server) GetUserMfas(ctx context.Context, userID *management.UserID) (*management.UserMultiFactors, error) {
|
||||
mfas, err := s.user.UserMfas(ctx, userID.Id)
|
||||
mfas, err := s.user.UserMFAs(ctx, userID.Id)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
@@ -572,22 +572,22 @@ func genderToModel(gender management.Gender) usr_model.Gender {
|
||||
}
|
||||
}
|
||||
|
||||
func mfaTypeFromModel(mfatype usr_model.MfaType) management.MfaType {
|
||||
func mfaTypeFromModel(mfatype usr_model.MFAType) management.MfaType {
|
||||
switch mfatype {
|
||||
case usr_model.MfaTypeOTP:
|
||||
case usr_model.MFATypeOTP:
|
||||
return management.MfaType_MFATYPE_OTP
|
||||
case usr_model.MfaTypeSMS:
|
||||
return management.MfaType_MFATYPE_SMS
|
||||
case usr_model.MFATypeU2F:
|
||||
return management.MfaType_MFATYPE_U2F
|
||||
default:
|
||||
return management.MfaType_MFATYPE_UNSPECIFIED
|
||||
}
|
||||
}
|
||||
|
||||
func mfaStateFromModel(state usr_model.MfaState) management.MFAState {
|
||||
func mfaStateFromModel(state usr_model.MFAState) management.MFAState {
|
||||
switch state {
|
||||
case usr_model.MfaStateReady:
|
||||
case usr_model.MFAStateReady:
|
||||
return management.MFAState_MFASTATE_READY
|
||||
case usr_model.MfaStateNotReady:
|
||||
case usr_model.MFAStateNotReady:
|
||||
return management.MFAState_MFASTATE_NOT_READY
|
||||
default:
|
||||
return management.MFAState_MFASTATE_UNSPECIFIED
|
||||
|
||||
@@ -15,9 +15,10 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
amrPassword = "password"
|
||||
amrMFA = "mfa"
|
||||
amrOTP = "otp"
|
||||
amrPassword = "password"
|
||||
amrMFA = "mfa"
|
||||
amrOTP = "otp"
|
||||
amrUserPresence = "user"
|
||||
)
|
||||
|
||||
type AuthRequest struct {
|
||||
@@ -38,11 +39,11 @@ func (a *AuthRequest) GetAMR() []string {
|
||||
if a.PasswordVerified {
|
||||
amr = append(amr, amrPassword)
|
||||
}
|
||||
if len(a.MfasVerified) > 0 {
|
||||
if len(a.MFAsVerified) > 0 {
|
||||
amr = append(amr, amrMFA)
|
||||
for _, mfa := range a.MfasVerified {
|
||||
if amrMfa := AMRFromMFAType(mfa); amrMfa != "" {
|
||||
amr = append(amr, amrMfa)
|
||||
for _, mfa := range a.MFAsVerified {
|
||||
if amrMFA := AMRFromMFAType(mfa); amrMFA != "" {
|
||||
amr = append(amr, amrMFA)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -247,6 +248,9 @@ func AMRFromMFAType(mfaType model.MFAType) string {
|
||||
switch mfaType {
|
||||
case model.MFATypeOTP:
|
||||
return amrOTP
|
||||
case model.MFATypeU2F,
|
||||
model.MFATypeU2FUserVerification:
|
||||
return amrUserPresence
|
||||
default:
|
||||
return ""
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user