Skip to content

Commit

Permalink
Upgrade Spring Boot 2.7.3,Java 11 and LINE Webauthn Client support (#56)
Browse files Browse the repository at this point in the history
  • Loading branch information
kj84park authored Nov 1, 2024
1 parent 98614b3 commit a2e93ef
Show file tree
Hide file tree
Showing 350 changed files with 2,235 additions and 3,405 deletions.
5 changes: 0 additions & 5 deletions Dockerfile

This file was deleted.

248 changes: 139 additions & 109 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,183 +4,213 @@
![Repo Size](https://img.shields.io/github/repo-size/line/line-fido2-server)
![License Apache-2.0](https://img.shields.io/github/license/line/line-fido2-server)
![Top Language](https://img.shields.io/github/languages/top/line/line-fido2-server)
![Spring Boot](https://img.shields.io/badge/Spring%20Boot-2.4.3-green)
![Java version](https://img.shields.io/badge/Java-1.8-green)
![Data base](https://img.shields.io/badge/DataBase-MySQL%2FH2%2FRedis-blue)
![Spring Boot](https://img.shields.io/badge/Spring%20Boot-2.7.12-green)
![Java version](https://img.shields.io/badge/Java-11-green)
![Data base](https://img.shields.io/badge/Storage-MySQL%2FH2%2FRedis-blue)
![Last Commit](https://img.shields.io/github/last-commit/line/line-fido2-server)

> **FIDO2(WebAuthn) Server officially certified by FIDO Alliance**
<img src="images/fido2_certificate.jpg" height="500" align="center" alt=""/>
<img src="images/fido2_certificate.jpg" height="500" align="center" alt="FIDO2 Certificate"/>

## Overview

FIDO (Fast IDentity Online) is an open standard for online authentication, aiming to eliminate the vulnerabilities of
passwords. FIDO uses public-key cryptography instead of symmetric credentials like passwords or PINs.

In essence, the user's device generates a key pair, storing the private key securely and sharing the public key with the
server. During both registration and authentication, the server challenges the device, and the device responds with a
digital signature using the private key. The server then verifies this signature with the stored public key. This
challenge-response protocol helps prevent replay attacks.

FIDO (Fast IDentity Online) is an open standard for online authentication. It is designed to solve the password problems stemming from a lot of security problems as we are suffering today.

Rather than relying on symmetric credentials (like passwords or PINs, typically which is a knowledge-based factor), FIDO is based on a public-key cryptography algorithm that is based on asymmetric credentials.
### What is FIDO2?

Simply, the device generates the key pair and stores the private key within the secure area, and sends the corresponding public key (as the name implies it is okay to be public) to the server.
FIDO2 is an enhancement of the FIDO standard for web and other platforms, supported by major web browsers and operating
systems. It encompasses two primary operations: Registration and Authentication.

Then, if the authentication is needed, the server sends challenges to the device and the device generates the digital signature with the private key and sends it to the server.

Finally, the server can validate the signature with the registered public key.
#### Registration

### What is FIDO2
FIDO2 is an improved standard for use on the web and other platforms as well as mobile. Various web browsers and OS platforms currently support the FIDO2 standard API.
- The user selects a FIDO authenticator that meets the service’s acceptance policy.
- The user unlocks the authenticator via fingerprint, PIN, or another method.
- A public/private key pair is generated; the public key is sent to the service and associated with the user’s account,
while the private key remains on the device.
- The service challenges the device, which then creates a response using the private key to finish the registration
process.

Basically, FIDO2 has the following operations - Registration, Authentication.
#### Authentication

#### Registration
- The user is prompted to choose an available FIDO authenticator that matches the online service’s acceptance policy.
- User unlocks the FIDO authenticator using a fingerprint reader, a button on a second–factor device, securely–entered PIN, or other methods.
- The user’s device creates a new public/private key pair unique for the local device, online service, and user’s account.
- The public key is sent to the online service and associated with the user’s account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device.
- The service challenges the user to log in with a previously registered device.
- The user unlocks the authenticator using the same method as during registration.
- The device signs the service’s challenge and sends it back to the service.
- The service verifies the signature with the stored public key and grants access.

#### Authentication
- Online service challenges the user to log in with a previously registered device that matches the service’s acceptance policy.
- User unlocks the FIDO authenticator using the same method as at Registration time.
- The device uses the user’s account identifier provided by the service to select the correct key and sign the service’s challenge.
- The client device sends the signed challenge back to the service, which verifies it with the stored public key and lets the user log in.
### Challenge-Response Protocol

Both the registration and authentication processes utilize a challenge-response protocol to prevent replay attacks.
During registration, a challenge is sent from the server to the device and the device responds using its private key.
Similarly, during authentication, another challenge is sent to verify the user's identity. This ensures that each
attempt is unique and secure.

## Screenshots
### Chrome on Mac with TouchId
<img src="images/chrome_mac_touchid.gif" width="600" align="center" alt="registration_flow"/>

### Chrome on Mac with Secret Key (2FA)
<img src="images/chrome_mac_secretkey.gif" width="600" align="center" alt="registration_flow"/>
### Chrome on Mac with Touch ID

### Chrome on Android with Fingerprint (Reg)
<img src="images/chrome_android_fingerprint_reg.GIF" height="500" align="center" alt="registration_flow"/>

### Chrome on Android with Fingerprint (Auth)
<img src="images/chrome_android_fingerprint_auth.GIF" height="500" align="center" alt="registration_flow"/>
<img src="images/chrome_mac_touchid.gif" width="600" align="center" alt="Registration Flow"/>

## Modules
- server: The FIDO2 server implementation conforming to the FIDO2 standard
- common: FIDO2 related common models
- rp-server: The sample application with a FIDO2 RP implementation
- spring-boot-stater: The spring-boot-starter version of the LINE FIDO2 server application that can be easily integrated into a Spring Boot environment

- **rp-server**:
- RP Server Demo
- Depends on **common**
- **common**:
- Message classes that are commonly referenced by both the FIDO2 Server and the RP Server
- **core**:
- Contains the core domain logic of FIDO
- If the FIDO2 server being implemented does not interact with an RDB, this module alone should be used
- Depends on **common**
- **base**:
- Contains classes that depend on Spring JPA
- Service Implement classes, Repository interfaces, Entity classes
- Depends on **core**
- **demo**:
- FIDO2 server demo application
- Depends on **base**

## Features
- Supported attestation types
- Basic
- Self
- Attestation CA (a.k.a Privacy CA)
- None
- Anonymization CA
- Supported attestation formats
- Packed (FIDO2)
- Tpm (Windows10 devices)
- Android key attestation
- Android SafetyNet (Any Android devices running 7+)
- FIDO U2F (Legacy U2F authenticators)
- Apple Anonymous
- None
- Metadata service integration
- FIDO MDSv2

## How to run
You need to run the FIDO2 server and RP Server first.

If you want to integrate your own RP Server, please implement APIs by referring to the sample codes. Regarding client sides, you may implement the web app for communicating with the RP server.

We also provide our server in the form of a spring boot starter.
Check out the spring-boot-starter directory.

### Manual

- Supported attestation types:
- Basic
- Self
- Attestation CA (Privacy CA)
- None
- Anonymization CA
- Supported attestation formats:
- Packed
- TPM
- Android Key Attestation
- Android SafetyNet
- FIDO U2F
- Apple Anonymous
- None
- Metadata service integration:
- FIDO MDSv3

## How to Run

### Manual Run

Start the RP Server and FIDO2 Server:

```bash
# Start RP Server
cd rpserver
./gradlew bootRun

# Start FIDO2 Server or Line-fido2-spring-boot Demo
cd server
./gradlew bootRun

cd spring-boot-starter/line-fido2-spring-boot-demo
# Start FIDO2 Server
cd fido2-demo/demo
./gradlew bootRun
```

### Docker for demo
If the [Docker environment is configured](https://docs.docker.com/get-started/), You can easily run applications with docker-compose.

If you have Docker configured, you can use docker-compose.

```bash
# Start both RP Server and FIDO2 Server
docker-compose up
```

After running the applications, you can open the test page at the link below.
Once the applications are running, access the test page at:

**http://localhost:8080/**
- http://localhost:8080/

### Local DB
FIDO2 Server running on local environments uses h2 as an embedded DB. This needs to be replaced with commercial standalone DB for other environments such as staging, beta or real.

In the case of the local environment, you can use the h2 console. Add the following path /h2-console to the fido server URL to access the h2 web console.

e.g., http://localhost:8081/h2-console
The FIDO2 Server uses H2 as an embedded DB in a local environment, which should be replaced with a standalone DB (like
MySQL) for staging, beta, or production environments. Access the H2 web console at:


If the below error occurs while logging in to h2-console,
```
No suitable driver found for 08001/0
```
try to remove or comment out *logbook-spring-boot-starter* from build.gradle.

```
implementation('org.zalando:logbook-spring-boot-starter:1.8.1')
```

### Lombok
This project utilizes Lombok to reduce implementing getter/setter/constructors. You need the Lombok plugin to build with IntelliJ and Eclipse.
See the following web pages to get information.

https://projectlombok.org/
- http://localhost:8081/h2-console

### Issues

- If data.sql doesn't work well in an IntelliJ environment,
try commenting on this part in build.gradle.

```groovy
jar {
processResources {
exclude("**/*.sql")
}
}
```
- If Fido2StarterDemoApplication doesn't work well, try commenting on this part in build.gradle.
```groovy
task dockerBuild() {
jar.enabled = false
dependsOn(bootJar)
processResources {
exclude("**/*.sql")
}
}
```

## API Guides
After running the applications, you can view API guide documents at the link below.

### Spring REST Docs

To view the API documentation, follow these steps:

1. Execute the following commands:
```bash
cd fido2-demo/demo
./gradlew makeRestDocs
./gradlew bootRun
```
2. Access the API documentation at the following path:

- server: http://localhost:8081/docs/api-guide.html

### Swagger UI

After running the applications, you can view API guide documents at the link below.

- rpserver: http://localhost:8080/swagger-ui.html
- server: http://localhost:8081/swagger-ui.html

## LINE WebAuthn Android and iOS

We are also providing Client SDK for Android/iOS applications. Please see below.

- [Introducing Fido2 Client SDK open source](https://techblog.lycorp.co.jp/ko/introducing-fido2-client-sdk-open-source)
- [LINE Webauthn Demo Kotlin](https://github.com/line/webauthndemo-kotlin)
- [LINE Webauthn Demo Swift](https://github.com/line/webauthndemo-swift)

### checkOrigin Configuration

The `checkOrigin` method validates the origin of requests from LINE's Android and iOS applications. It ensures security
by checking that the request's origin matches a pre-configured list of allowed origins.

How to Configure
To use the `checkOrigin` method, set up the allowed origins in the `application.yml` file. Here is an example
configuration:

```yaml
app:
origins:
- android:aaa-bbb
- ios:aaa-bbb
```

**Note:** Replace `aaa-bbb` with the appropriate values for your application.

**Important:** This configuration is optional and only necessary when integrating with LINE WebAuthn for Android and iOS
applications.

## References
`LINE Engineering Blogs`

`LY Engineering Blogs`

- [FIDO at LINE: A First Step to a World Without Passwords](https://engineering.linecorp.com/en/blog/fido-at-line/)
- [FIDO at LINE: FIDO2 server as an open-source project](https://engineering.linecorp.com/en/blog/fido-at-line-fido2-server-opensource/)
- [Introducing Fido2 Client SDK open source](https://techblog.lycorp.co.jp/ko/introducing-fido2-client-sdk-open-source)

`LY Tech Videos`

`LINE DevDay Videos`
- [Open source contribution Starting with LINE FIDO2 Server](https://youtu.be/xKzXi5ic4Do)
- [Strong customer authentication & biometrics using FIDO](https://youtu.be/S1y9wFh7_dc)
- [Cross Platform Mobile Security At LINE](https://youtu.be/4288h-EamTU)
- [Secure LINE login with biometric key replacing password](https://youtu.be/vCAu-y-iwyw)

`Internal`
- [Sequence Diagram](https://github.com/line/line-fido2-server/wiki/Sequence-diagrams)

`External`
- [FIDO2: WebAuthn & CTAP](https://fidoalliance.org/fido2/)
- [WebAuthn Level 2](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/)
- [CTAP v2.1](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html)
- [Sequence Diagram](https://github.com/line/line-fido2-server/wiki/Sequence-diagrams)
24 changes: 20 additions & 4 deletions build.gradle
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
/*
* Copyright 2022 LINE Corporation
* Copyright 2024 LY Corporation
*
* LINE Corporation licenses this file to you under the Apache License,
* LY Corporation licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
Expand All @@ -14,5 +14,21 @@
* under the License.
*/

group 'com.linecorp.line.auth.fido.fido2'
version '1.0-SNAPSHOT'
subprojects {
apply plugin: 'java'
apply plugin: 'maven-publish'

sourceCompatibility = '11'
targetCompatibility = '11'

group = 'com.linecorp.line.auth.fido.fido2'
version = '1.0.0-SNAPSHOT'

repositories {
mavenCentral()
maven {
url "https://plugins.gradle.org/m2/"
}
google()
}
}
18 changes: 2 additions & 16 deletions common/build.gradle
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
/*
* Copyright 2022 LINE Corporation
* Copyright 2024 LY Corporation
*
* LINE Corporation licenses this file to you under the Apache License,
* LY Corporation licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
Expand All @@ -14,20 +14,6 @@
* under the License.
*/

plugins {
id 'java'
}

apply plugin: 'maven'
group 'com.linecorp.line.auth.fido.fido2'
version '1.1.1-SNAPSHOT'

sourceCompatibility = 1.8

repositories {
mavenCentral()
}

test {
useJUnitPlatform()
}
Expand Down
Loading

0 comments on commit a2e93ef

Please sign in to comment.