feat: passkey strategy with resident keys

[hperl]

TODO

• Two distinct strategies, how to prevent passkey + webauthn passkey with too high AAL
  • Passkey is currently always AAL1 and not a second factor.
  • We could disallow using the same authenticator ID (AAGUID) for both webauthn and passkey. However, this could hinder migration from webauthn+passwordless to passkey.
• PassKeys what happens to non-resident keys? For example when migrating WebAuthn passwordless credentials to passkey?
  • This work does not yet consider converting passwordless credentials to a passkey. I think the best way would be to do this with user interaction and insert a "nag screen" after login to prompt the user to create a passkey (and optionally delete/deactivate the webauth passwordless credential). The same technique could be used to onboard users to passkeys regardless of their primary login strategy.
• 2x PassKeys if submission fails
  • In some cases it can be that the passkey is created in the browser but not stored in the database. Ultimately, there is nothing that we can do to completely prevent this, but is should be uncommon, because we store and validate the traits first before we create the passkey.
• WebAuthn.js - use onload for autocomplete
  • Done
• How will the deprecation work of the webauthn strategy?
  • This will need further design and code.
• Clean up webauthnIdentifierNode

Related issue(s)

Docs PR: ory/docs#1626

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

[codecov]

Codecov Report

Attention: 192 lines in your changes are missing coverage. Please review.

Comparison is base (21ab031) 79.47% compared to head (3c8fd05) 78.35%.
Report is 41 commits behind head on master.

❗ Current head 3c8fd05 differs from pull request most recent head 5f58a20. Consider uploading reports for the commit 5f58a20 to get more accurate results

Files	Patch %	Lines
selfservice/strategy/passkey/passkey_settings.go	68.83%	36 Missing and 31 partials ⚠️
selfservice/strategy/passkey/passkey_login.go	74.00%	32 Missing and 27 partials ⚠️
...lfservice/strategy/passkey/passkey_registration.go	73.44%	26 Missing and 21 partials ⚠️
selfservice/strategy/webauthn/registration.go	76.08%	9 Missing and 2 partials ⚠️
x/webauthnx/aaguid/aaguid.go	75.00%	2 Missing and 2 partials ⚠️
selfservice/strategy/webauthn/login.go	76.92%	0 Missing and 3 partials ⚠️
persistence/sql/identity/persister_identity.go	75.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3656      +/-   ##
==========================================
- Coverage   79.47%   78.35%   -1.13%     
==========================================
  Files         356      352       -4     
  Lines       25999    24312    -1687     
==========================================
- Hits        20662    19049    -1613     
+ Misses       3826     3794      -32     
+ Partials     1511     1469      -42     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[aeneasr]

Preliminary review - also pushing some code changes now. Can you please add e2e tests for the various flows?

[aeneasr]

Is it possible that Register is set to some value, but the method is actually not passkey but e.g. password, and then we use the wrong strategy here?

[hperl]

Not in a benign case, because the register param is set right before submission.

As for an attacker, what would the gain be?

[jonas-jonas]

I think the concern is, that params.Register == "values" but params.Method != "passkey".

Which would lead to this strategy being executed, even though the method specifies something else. IMO, we should always return ErrStrategyNotResponsible if params.Method != "passkey"

[hperl]

Requiring the method to be set will further complicate submitting the passkey, which is done through a form submit in JS, see:

kratos/x/webauthnx/js/webauthn.js

Line 121 in 96c2164

document.querySelector(triggerQuerySelector).closest("form").submit()

We don't require the method to be set for webauthn register requests either, btw:

kratos/selfservice/strategy/webauthn/registration.go

Lines 94 to 114 in 96c2164

	func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, regFlow *registration.Flow, i *identity.Identity) (err error) {
	ctx := r.Context()
	if regFlow.Type != flow.TypeBrowser || !s.d.Config().WebAuthnForPasswordless(r.Context()) {
	return flow.ErrStrategyNotResponsible
	}
	var p updateRegistrationFlowWithWebAuthnMethod
	if err := s.decode(&p, r); err != nil {
	return s.handleRegistrationError(w, r, regFlow, &p, err)
	}
	regFlow.TransientPayload = p.TransientPayload
	if err := flow.EnsureCSRF(s.d, r, regFlow.Type, s.d.Config().DisableAPIFlowEnforcement(ctx), s.d.GenerateCSRFToken, p.CSRFToken); err != nil {
	return s.handleRegistrationError(w, r, regFlow, &p, err)
	}
	if len(p.Register) == 0 {
	return flow.ErrStrategyNotResponsible
	}

[hperl]

Specifically, I could add a hidden input with name=method and value=passkey in JS. Is it worth it?

[jonas-jonas]

I'd say it's worth the effort also submitting the method, since we do have the (sometimes loose) convention to submit the method as well. Since this would just be another edge case, potentially causing issues down the road.

But, in the interest of velocity, I'll leave the decision up to you.

[aeneasr]

What about the display name? Do we not need it because it is a PassKey?

[hperl]

The display name of the key will be derived from the AAGUID, see here:

kratos/identity/credentials_webauthn.go

Lines 36 to 39 in 60a1817

	id := aaguid.Lookup(credential.Authenticator.AAGUID)
	if id != nil {
	cred.DisplayName = id.Name
	}

[aeneasr]

I think we should return an easy to understand error if webAuthnSess.UserID is empty. If it is empty, the current validation will pass it as valid

	c := i.GetCredentialsOr(identity.CredentialsTypePasskey, &identity.Credentials{})
	if len(c.Identifiers) == 0 {
		return schema.NewMissingIdentifierError()
	}

and will lead to an empty string identifier. We had this problem once before in the WebAuthn code.

[hperl]

In this case, webAuthnSess.UserID is not user-supplied. It comes from the internal context, which is set here:

kratos/selfservice/strategy/passkey/passkey_registration.go

Lines 295 to 303 in 60a1817

	user := &webauthnx.User{
	Name: identifier,
	ID: []byte(randx.MustString(64, randx.AlphaNum)),
	Config: s.d.Config().PasskeyConfig(ctx),
	}
	option, sessionData, err := webAuthn.BeginRegistration(user)
	if err != nil {
	return errors.WithStack(err)
	}

I can add another check to make sure it really is not empty, but it would be an internal server error, as the user can't do anything against it.

[jonas-jonas]

LGTM, just a few minor remarks.

[jonas-jonas]

I think the concern is, that params.Register == "values" but params.Method != "passkey".

Which would lead to this strategy being executed, even though the method specifies something else. IMO, we should always return ErrStrategyNotResponsible if params.Method != "passkey"

[aeneasr]

@jonas-jonas are you good with the current state?

[jonas-jonas]

@aeneasr I'll re-review now.

[jonas-jonas]

Except for #3656 (comment) this LGTM.

[hperl]

@jonas-jonas, @aeneasr, two points remain open:

• As I started writing docs, I stumbled over the fact that users need to modify the identity schema to add a passkey: { identifier: true } to their schema, most likely to the same identifier as used for webauthn. Do you think there is even a use case for using different identifiers for webauthn and passkey?
  • Resolved, I now also accept webauthn: { identifier: true }, which makes the whole thing backwards-compatible. Thanks @zepatrik for the discussion.
• I can't get the coverage up further. Some errors only trigger when the database misbehaves, which would require extensive mocking. How should I proceed? The remaining tests would look more and more artifical.
  • Resolved, we'll merge anyways.

[hperl]

I'd like to have one more pair of eyes on the security side of this before merging. @zepatrik maybe?

[aeneasr]

I found a few bugs when enabling both webauthn and passkey strategies, probably the triggers get confused. Wrote those things in Slack - would be good to get those fixed in my view :)

[hperl]

included in #3748