feat: add WebAuthN support for passwordless login and 2fa (#966)

* at least registration prompt works * in memory test for login * buttons to start webauthn process * begin eventstore impl * begin eventstore impl * serialize into bytes * fix: u2f, passwordless types * fix for localhost * fix script * fix: u2f, passwordless types * fix: add u2f * fix: verify u2f * fix: session data in event store * fix: u2f credentials in eventstore * fix: webauthn pkg handles business models * feat: tests * feat: append events * fix: test * fix: check only ready webauthn creds * fix: move u2f methods to authrepo * frontend improvements * fix return * feat: add passwordless * feat: add passwordless * improve ui / error handling * separate call for login * fix login * js * feat: u2f login methods * feat: remove unused session id * feat: error handling * feat: error handling * feat: refactor user eventstore * feat: finish webauthn * feat: u2f and passwordlss in auth.proto * u2f step * passwordless step * cleanup js * EndpointPasswordLessLogin * migration * update mfaChecked test * next step test * token name * cleanup * attribute * passwordless as tokens * remove sms as otp type * add "user" to amr for webauthn * error handling * fixes * fix tests * naming * naming * fixes * session handler * i18n * error handling in login * Update internal/ui/login/static/i18n/de.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * improvements * merge fixes * fixes * fixes Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-11-13 22:33:41 +00:00 · 2020-12-02 17:00:04 +01:00
parent 184e79be97
commit 300ade66a7
115 changed files with 3383 additions and 740 deletions
--- a/pkg/grpc/auth/proto/auth.proto
+++ b/pkg/grpc/auth/proto/auth.proto
@@ -244,12 +244,12 @@ service AuthService {

  rpc GetMyPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicy) {
    option (google.api.http) = {
-            get: "/policies/passwords/complexity"
-        };
+      get: "/policies/passwords/complexity"
+    };

    option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "authenticated"
-        };
+      permission: "authenticated"
+    };
  }

  //ExternalIDP
@@ -306,6 +306,68 @@ service AuthService {
    };
  }

+  rpc AddMyMfaU2F(google.protobuf.Empty) returns (WebAuthNResponse) {
+    option (google.api.http) = {
+      post: "/users/me/mfas/u2f"
+      body: "*"
+    };
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc VerifyMyMfaU2F(VerifyWebAuthN) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      put: "/users/me/mfas/u2f/_verify"
+      body: "*"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc RemoveMyMfaU2F(WebAuthNTokenID) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      delete: "/users/me/mfas/u2f/{id}"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc AddMyPasswordless(google.protobuf.Empty) returns (WebAuthNResponse) {
+    option (google.api.http) = {
+      post: "/users/me/passwordless"
+      body: "*"
+    };
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc VerifyMyPasswordless(VerifyWebAuthN) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      put: "/users/me/passwordless/_verify"
+      body: "*"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc RemoveMyPasswordless(WebAuthNTokenID) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      delete: "/users/me/passwordless/{id}"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
  rpc SearchMyUserGrant(UserGrantSearchRequest) returns (UserGrantSearchResponse) {
    option (google.api.http) = {
      post: "/usergrants/me/_search"
@@ -578,8 +640,8 @@ message PasswordChange {

 enum MfaType {
  MFATYPE_UNSPECIFIED = 0;
-  MFATYPE_SMS = 1;
-  MFATYPE_OTP = 2;
+  MFATYPE_OTP = 1;
+  MFATYPE_U2F = 2;
 }

 message VerifyMfaOtp {
@@ -593,6 +655,7 @@ message MultiFactors {
 message MultiFactor {
  MfaType type = 1;
  MFAState state = 2;
+  string attribute = 3;
 }

 message MfaOtpResponse {
@@ -602,6 +665,21 @@ message MfaOtpResponse {
  MFAState state = 4;
 }

+message WebAuthNResponse {
+  string id = 1;
+  bytes public_key = 2;
+  MFAState state = 3;
+}
+
+message VerifyWebAuthN {
+  bytes public_key_credential = 1;
+  string token_name = 2;
+}
+
+message WebAuthNTokenID {
+  string id = 1;
+}
+
 enum MFAState {
  MFASTATE_UNSPECIFIED = 0;
  MFASTATE_NOT_READY = 1;
@@ -691,7 +769,7 @@ enum SearchMethod {
 }

 message ChangesRequest {
-  uint64 limit= 1;
+  uint64 limit = 1;
  uint64 sequence_offset = 2;
  bool asc = 3;
 }